In Laravel 6, the password broker now throttles password resets as follows (https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/PasswordBroker.php#L58):
```php
public function sendResetLink(array $credentials)
{
    // First we will check to see if we found a user at the given credentials and
    // if we did not we will redirect back to this current URI with a piece of
    // "flash" data in the session to indicate to the developers the errors.
    $user = $this->getUser($credentials);

    if (is_null($user)) {
        return static::INVALID_USER;
    }

    if (method_exists($this->tokens, 'recentlyCreatedToken') &&
        $this->tokens->recentlyCreatedToken($user)) {
        return static::RESET_THROTTLED;
    }

    // Once we have the reset token, we are ready to send the message out to this
    // user with a link to reset their password. We will then redirect back to
    // the current URI having nothing set in the session to indicate errors.
    $user->sendPasswordResetNotification(
        $this->tokens->create($user)
    );

    return static::RESET_LINK_SENT;
}
```
But when I repeatedly submit password reset requests, why is the reset not throttled? I still receive the reset notification every time.

I noticed that the recentlyCreatedToken method does not exist in the 6.x version of TokenRepositoryInterface (https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php) but has been added in 7.x.

Is this a v7.x-only feature, or is there something I need to do that I am missing?
Answer 0 (score: 6)
Password reset throttling works in Laravel 6.x, but for some reason you need to set the throttle parameter manually in the config/auth.php config file:
```php
'passwords' => [
    'users' => [
        'provider' => 'users',
        'table' => 'password_resets',
        'expire' => 60,
        'throttle' => 60, // Allows a user to request 1 token per 60 seconds
    ],
],
```
DatabaseTokenRepository defines a default throttle time of 60 seconds. However, when DatabaseTokenRepository is initialized in PasswordBrokerManager, it reads the config file and, if no value is found there, sets the throttle time to 0 (meaning throttling is disabled).
You also need to add a message string to resources/lang/en/passwords.php so that the user is shown an understandable error message:

```php
'throttled' => 'You have requested password reset recently, please check your email.',
```
P.S. Don't forget to refresh the config cache with php artisan config:clear after editing the config file.
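The following is an added illustration, not code from the question, the answer or Laravel itself: a minimal in-memory stand-in for DatabaseTokenRepository that reproduces the throttle decision described above, including the "missing key becomes 0, and 0 disables throttling" behaviour. The class name InMemoryTokenRepository, the use of an email string in place of a user object, and the fixed timestamp are assumptions; the status strings match the PasswordBroker constants. With the 'throttle' => 60 config the second request (5 s later) is reported as throttled and the third (61 s later) is accepted, while the config without a throttle key accepts every request.

```php
<?php
// Added example (not Laravel's code). Mimics DatabaseTokenRepository's throttle
// logic with an in-memory map; names and timestamps are assumptions.
final class InMemoryTokenRepository
{
    /** @var array<string,int> email => unix timestamp of the last token */
    private $createdAt = [];
    /** @var int seconds a user must wait between tokens; 0 disables throttling */
    private $throttle;

    public function __construct(int $throttle) { $this->throttle = $throttle; }

    // Mirrors PasswordBrokerManager: a missing 'throttle' key becomes 0.
    public static function fromConfig(array $passwordsConfig): self
    {
        return new self($passwordsConfig['throttle'] ?? 0);
    }

    public function create(string $email, int $now): void
    {
        $this->createdAt[$email] = $now;
    }

    // Same rule as DatabaseTokenRepository::tokenRecentlyCreated():
    // a throttle of 0 (or less) never reports a token as recent.
    public function recentlyCreatedToken(string $email, int $now): bool
    {
        if ($this->throttle <= 0 || !isset($this->createdAt[$email])) {
            return false;
        }
        return $this->createdAt[$email] + $this->throttle > $now;
    }
}

// Simulated broker call returning the same status strings PasswordBroker uses.
function sendResetLink(InMemoryTokenRepository $tokens, string $email, int $now): string
{
    if ($tokens->recentlyCreatedToken($email, $now)) {
        return 'passwords.throttled';   // PasswordBroker::RESET_THROTTLED
    }
    $tokens->create($email, $now);
    return 'passwords.sent';            // PasswordBroker::RESET_LINK_SENT
}

$t0 = 1600000000; // constructed fixed "now" so the run is deterministic
$unthrottled = InMemoryTokenRepository::fromConfig(['expire' => 60]); // no 'throttle' key
foreach ([0, 5] as $dt) { echo "no throttle key, +{$dt}s: ", sendResetLink($unthrottled, 'user@example.com', $t0 + $dt), "\n"; }
$throttled = InMemoryTokenRepository::fromConfig(['expire' => 60, 'throttle' => 60]);
foreach ([0, 5, 61] as $dt) { echo "throttle 60,   +{$dt}s: ", sendResetLink($throttled, 'user@example.com', $t0 + $dt), "\n"; }
```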