06ee9a5016
- Update composer.json to require PHP ^8.3 (required by grazulex/laravel-apiroute ^1.2) - Add rate limiting to routes using laravel-apiroute's rateLimit() and Laravel's throttle middleware - Public routes (login/register): throttle:auth (5/min for brute force protection) - Protected routes: throttle:authenticated (120/min) - Global version rate limit: 60 req/min via ->rateLimit(60) - Remove unused import in routes/web.php (fixes Pint style issue) - Update composer.lock with synchronized dependencies
34 lines
1.3 KiB
PHP
34 lines
1.3 KiB
PHP
<?php
|
|
|
|
use App\Http\Controllers\Api\V1\AuthController;
|
|
use Grazulex\ApiRoute\Facades\ApiRoute;
|
|
use Illuminate\Support\Facades\Route;
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| API Routes
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
| API routes are versioned using grazulex/laravel-apiroute.
|
|
| Supports URI path, header, query, and Accept header detection.
|
|
| See config/apiroute.php for configuration options.
|
|
|
|
|
*/
|
|
|
|
// Version 1 - Current stable version
|
|
ApiRoute::version('v1', function () {
|
|
// Public routes with auth rate limiter (5/min - brute force protection)
|
|
Route::middleware('throttle:auth')->group(function () {
|
|
Route::post('register', [AuthController::class, 'register'])->name('api.v1.register');
|
|
Route::post('login', [AuthController::class, 'login'])->name('api.v1.login');
|
|
});
|
|
|
|
// Protected routes with authenticated rate limiter (120/min)
|
|
Route::middleware(['auth:sanctum', 'throttle:authenticated'])->group(function () {
|
|
Route::post('logout', [AuthController::class, 'logout'])->name('api.v1.logout');
|
|
Route::get('me', [AuthController::class, 'me'])->name('api.v1.me');
|
|
});
|
|
})
|
|
->current()
|
|
->rateLimit(60); // Global rate limit: 60 requests/minute for v1
|