laravel5.5 login(POST)没有使用middleware throttle却实现了限定访问次数的原理 && 安全改造

场景

• laravel5.5中没有使用middleware throttle 但是却可以实现限制访问次数, 那么他是怎么实现的呢?
  

源码分析

• $this->hasTooManyLoginAttempts($request)
  • 判断是否已经超过了限制
  • $this->limiter()->tooManyAttempts 方法和laavel5.5 throttle middleware源码解析 博文中的tooManyAttempts的实现方式是一样的,
  • $this->throttleKey($request)
    • 唯一键是email && ip的组合体Str::lower( $request->input($this->username())).’|’.$request->ip();`
• $this->incrementLoginAttempts($request);
  • 内部调用hit方法, 实现create计时器 计数器 or increment 计数器的功能

安全改造(签名IP+Emmail => IP)

• laravel5.5对login生成的唯一键是 email . '|' . ip ; 如果某人有一大批用户名 && 密码; 则只要保证一种分钟内尝试登陆的用户名不同，就可以暴力破解密码了;
  • 引入自定义配置文件 config/custom.php; 方便随时切换签名
    • return [‘throttle_key’ => ‘ip’,]
  • App\Http\Controllers\Auth\LoginController 重写throttleKey

改造过的throttleKey

    /**
     * Get the throttle key for the given request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function throttleKey(Request $request)
    {
        if (config('custom.throttle_key') === 'ip') {
            return $request->ip();
        }

        return Str::lower($request->input($this->username())).'|'.$request->ip();
    }

源码

   /**
     *  重写login方法 让他在出错的时候报错
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        if ($this->attemptLogin($request)) {
            flash('欢迎回来!')->success();
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }

    /**
     * Determine if the user has too many failed login attempts.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function hasTooManyLoginAttempts(Request $request)
    {
        return $this->limiter()->tooManyAttempts(
            $this->throttleKey($request), $this->maxAttempts(), $this->decayMinutes()
        );
    }
    /**
     * Get the throttle key for the given request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function throttleKey(Request $request)
    {
        return Str::lower($request->input($this->username())).'|'.$request->ip();
    }
    /**
     * Get the maximum number of attempts to allow.
     *
     * @return int
     */
    public function maxAttempts()
    {
        return property_exists($this, 'maxAttempts') ? $this->maxAttempts : 5;
    }

    /**
     * Get the number of minutes to throttle for.
     *
     * @return int
     */
    public function decayMinutes()
    {
        return property_exists($this, 'decayMinutes') ? $this->decayMinutes : 1;
    }

    /**
     * Increment the login attempts for the user.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return void
     */
    protected function incrementLoginAttempts(Request $request)
    {
        $this->limiter()->hit(
            $this->throttleKey($request), $this->decayMinutes()
        );
    }