Added throttling to password reset requests

Author: ssddanbrown

app/Config/auth.php

@@ -70,6 +70,7 @@
             'email'    => 'emails.password',
             'table'    => 'password_resets',
             'expire'   => 60,
+            'throttle' => 60,
         ],
     ],
 

app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -56,7 +56,7 @@ public function sendResetLinkEmail(Request $request)
             $this->logActivity(ActivityType::AUTH_PASSWORD_RESET, $request->get('email'));
         }
 
-        if ($response === Password::RESET_LINK_SENT || $response === Password::INVALID_USER) {
+        if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED])) {
             $message = trans('auth.reset_password_sent', ['email' => $request->get('email')]);
             $this->showSuccessNotification($message);
 

tests/Auth/AuthTest.php

@@ -282,6 +282,22 @@ public function test_reset_password_page_shows_sign_links()
             ->assertElementContains('a', 'Sign up');
     }
 
+    public function test_reset_password_request_is_throttled()
+    {
+        $editor = $this->getEditor();
+        Notification::fake();
+        $this->get('/password/email');
+        $this->followingRedirects()->post('/password/email', [
+            'email' => $editor->email,
+        ]);
+
+        $resp = $this->followingRedirects()->post('/password/email', [
+            'email' => $editor->email,
+        ]);
+        Notification::assertTimesSent(1, ResetPassword::class);
+        $resp->assertSee('A password reset link will be sent to ' . $editor->email . ' if that email address is found in the system.');
+    }
+
     public function test_login_redirects_to_initially_requested_url_correctly()
     {
         config()->set('app.url', 'http://localhost');