fix: align PHP requirement and implement rate limiting

- Update composer.json to require PHP ^8.3 (required by grazulex/laravel-apiroute ^1.2) - Add rate limiting to routes using laravel-apiroute's rateLimit() and Laravel's throttle middleware - Public routes (login/register): throttle:auth (5/min for brute force protection) - Protected routes: throttle:authenticated (120/min) - Global version rate limit: 60 req/min via ->rateLimit(60) - Remove unused import in routes/web.php (fixes Pint style issue) - Update composer.lock with synchronized dependencies
2025-12-30 15:33:20 +01:00
parent ae8d4bd432
commit 06ee9a5016
4 changed files with 13 additions and 11 deletions
--- a/composer.json
+++ b/composer.json
@@ -6,7 +6,7 @@
    "keywords": ["laravel", "api", "rest", "starter-kit", "sanctum"],
    "license": "MIT",
    "require": {
-        "php": "^8.2",
+        "php": "^8.3",
        "dedoc/scramble": "^0.12",
        "grazulex/laravel-apiroute": "^1.2",
        "laravel/framework": "^12.0",
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "4b69ad7f7f6df7f731ce0d46d9332a05",
+    "content-hash": "e6f1d7122781eed56575ee487696ba47",
    "packages": [
        {
            "name": "brick/math",
@@ -9838,7 +9838,7 @@
    "prefer-stable": true,
    "prefer-lowest": false,
    "platform": {
-        "php": "^8.2"
+        "php": "^8.3"
    },
    "platform-dev": {},
    "plugin-api-version": "2.9.0"
--- a/routes/api.php
+++ b/routes/api.php
@@ -17,13 +17,17 @@ use Illuminate\Support\Facades\Route;

 // Version 1 - Current stable version
 ApiRoute::version('v1', function () {
-    // Public routes
-    Route::post('register', [AuthController::class, 'register'])->name('api.v1.register');
-    Route::post('login', [AuthController::class, 'login'])->name('api.v1.login');
+    // Public routes with auth rate limiter (5/min - brute force protection)
+    Route::middleware('throttle:auth')->group(function () {
+        Route::post('register', [AuthController::class, 'register'])->name('api.v1.register');
+        Route::post('login', [AuthController::class, 'login'])->name('api.v1.login');
+    });

-    // Protected routes
-    Route::middleware('auth:sanctum')->group(function () {
+    // Protected routes with authenticated rate limiter (120/min)
+    Route::middleware(['auth:sanctum', 'throttle:authenticated'])->group(function () {
        Route::post('logout', [AuthController::class, 'logout'])->name('api.v1.logout');
        Route::get('me', [AuthController::class, 'me'])->name('api.v1.me');
    });
-})->current();
+})
+    ->current()
+    ->rateLimit(60); // Global rate limit: 60 requests/minute for v1
--- a/routes/web.php
+++ b/routes/web.php
@@ -1,6 +1,4 @@
 <?php

-use Illuminate\Support\Facades\Route;
-
 // Web routes disabled - API only application
 // Scramble documentation available at /docs/api