
Login routing throttle attempts incorrect if middleware already declared #31531

Closed
mirkopeloso opened this issue Feb 19, 2020 · 1 comment

@mirkopeloso

mirkopeloso commented Feb 19, 2020

  • Laravel Version: 6.5.0
  • PHP Version: 7.3.1
  • Database Driver & Version: MySQL 5.8

Description:

I've created a simple JWT login procedure with Passport, and everything works fine.
I have a login route, as extracted from `php artisan route:list`:

POST | api/v1/login | api.user.login | Modules\Core\Http\Controllers\Api\V1\Auth\RestAuthController@login | api,throttle:10,1

configured with throttling of 10 attempts in 1 minute.

In my Kernel.php there is:

    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            'throttle:60,1',
            'bindings',
            'accept.json',
        ],
    ];

In a feature login test, I was trying to reproduce the throttling exception with a simple index from 0 to 9. According to logic, at the 9th loop the exception must change into TooManyRequestsException.
But when running the test, the exception is thrown at the 5th loop:

[2020-02-19 14:33:34] local.INFO: Trying bad password login to throttle for retry attempt # 5
[2020-02-19 14:33:34] local.ERROR: ----------------------------------------------> Exception : Illuminate\Http\Exceptions\ThrottleRequestsException: Too Many Attempts. in /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php:125
Stack trace:
#0 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(54): Illuminate\Routing\Middleware\ThrottleRequests->buildException('5c785c036466ade...', 10)
#1 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Routing\Middleware\ThrottleRequests->handle(Object(Illuminate\Http\Request), Object(Closure), 10, '1')
#2 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(59): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#3 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Routing\Middleware\ThrottleRequests->handle(Object(Illuminate\Http\Request), Object(Closure), 60, '1')
#4 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(105): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#5 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Router.php(683): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#6 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Router.php(658): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#7 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Router.php(624): Illuminate\Routing\Router->runRoute(Object(Illuminate\Http\Request), Object(Illuminate\Routing\Route))
#8 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Routing/Router.php(613): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))
#9 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(170): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))
#10 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(130): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http{closure}(Object(Illuminate\Http\Request))
#11 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#12 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle(Object(Illuminate\Http\Request), Object(Closure))
#13 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#14 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle(Object(Illuminate\Http\Request), Object(Closure))
#15 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#16 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle(Object(Illuminate\Http\Request), Object(Closure))
#17 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php(63): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#18 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))
#19 /data/drive/develop/php/laravel-WSMOD/vendor/fideloper/proxy/src/TrustProxies.php(57): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#20 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(171): Fideloper\Proxy\TrustProxies->handle(Object(Illuminate\Http\Request), Object(Closure))
#21 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(105): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#22 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(145): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#23 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(110): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#24 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Testing/Concerns/MakesHttpRequests.php(468): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#25 /data/drive/develop/php/laravel-WSMOD/vendor/laravel/framework/src/Illuminate/Foundation/Testing/Concerns/MakesHttpRequests.php(440): Illuminate\Foundation\Testing\TestCase->call('POST', '/api/v1/login', Array, Array, Array, Array, '{"email":"dio@c...')
#26 /data/drive/develop/php/laravel-WSMOD/Modules/Core/Tests/Feature/Http/Controllers/Api/V1/Auth/ApiAuthTest.php(159): Illuminate\Foundation\Testing\TestCase->json('POST', '/api/v1/login', Array, Array)
#27 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/Framework/TestCase.php(1408): Modules\Core\Tests\Feature\Http\Controllers\Api\V1\Auth\ApiAuthTest->testThrottledUserTest()
#28 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/Framework/TestCase.php(1028): PHPUnit\Framework\TestCase->runTest()
#29 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/Framework/TestResult.php(691): PHPUnit\Framework\TestCase->runBare()
#30 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/Framework/TestCase.php(756): PHPUnit\Framework\TestResult->run(Object(Modules\Core\Tests\Feature\Http\Controllers\Api\V1\Auth\ApiAuthTest))
#31 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/Framework/TestSuite.php(597): PHPUnit\Framework\TestCase->run(Object(PHPUnit\Framework\TestResult))
#32 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/TextUI/TestRunner.php(621): PHPUnit\Framework\TestSuite->run(Object(PHPUnit\Framework\TestResult))
#33 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/TextUI/Command.php(200): PHPUnit\TextUI\TestRunner->doRun(Object(PHPUnit\Framework\TestSuite), Array, true)
#34 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/src/TextUI/Command.php(159): PHPUnit\TextUI\Command->run(Array, true)
#35 /data/drive/develop/php/laravel-WSMOD/vendor/phpunit/phpunit/phpunit(61): PHPUnit\TextUI\Command::main()
#36 {main}

It seems that the attempts on the login route are added to the "throttle:60,1" defined in the Kernel, so each time I try to log in the real number of attempts is halved (=5) because each login is cached as 2 attempts.
The correct logic expected is:

  • the throttle of 60,1 must be valid for all routes
  • if there are tighter rules (like 10,1), for that route the rule must override the larger one

Steps To Reproduce:
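The stack trace above shows two `ThrottleRequests` instances on one request: the outer one from the `api` group (limit 60) and the inner one from the route (limit 10). The model below is an added example, not code from the reporter or from the Laravel framework; it assumes, as the trace and the Laravel 6 source suggest, that each instance derives the same request signature (`sha1(domain|ip)` for a guest request) and therefore increments the same cache counter once per request. The domain, IP and the dictionary-backed limiter are constructed stand-ins. Running it reproduces the observed failure: with `[60, 10]` stacked, the exception fires at loop index 5 of a 0..9 loop, exactly as the log line `retry attempt # 5` reports, while a single `10,1` throttle would only fire on the 11th request.

```python
"""Model of stacked Laravel-style throttle middleware sharing one cache key."""
import functools
import hashlib


class ThrottleRequestsException(Exception):
    """Stand-in for Illuminate\\Http\\Exceptions\\ThrottleRequestsException."""


class RateLimiter:
    """Minimal stand-in for Illuminate\\Cache\\RateLimiter backed by a dict.

    Decay timers are omitted: every request in the model arrives inside
    the same one-minute window, which is what the feature test exercises.
    """

    def __init__(self):
        self.store = {}

    def attempts(self, key):
        return self.store.get(key, 0)

    def too_many_attempts(self, key, max_attempts):
        return self.attempts(key) >= max_attempts

    def hit(self, key):
        self.store[key] = self.attempts(key) + 1
        return self.store[key]


def request_signature(domain, ip):
    # Assumption (Laravel 6 behaviour): a guest request is keyed on
    # sha1(domain|ip), so every ThrottleRequests instance on the route
    # computes the same key and shares the same counter.
    return hashlib.sha1(f"{domain}|{ip}".encode()).hexdigest()


def throttle(limiter, key, max_attempts, next_handler):
    # Same ordering as ThrottleRequests::handle: check the counter first,
    # then record a hit, then pass the request further down the pipeline.
    if limiter.too_many_attempts(key, max_attempts):
        raise ThrottleRequestsException(f"Too Many Attempts. (limit {max_attempts})")
    limiter.hit(key)
    return next_handler()


def build_pipeline(limiter, key, limits):
    # `limits` is listed outer-to-inner: the 'api' group's 60 wraps the
    # route's 10, matching frames #3 (60) and #1 (10) in the trace.
    handler = lambda: "200 OK"
    for max_attempts in reversed(limits):
        handler = functools.partial(throttle, limiter, key, max_attempts, handler)
    return handler


def first_throttled_index(limits, requests=10):
    """Send `requests` bad logins through the pipeline.

    Returns (loop index of the first ThrottleRequestsException, counter value
    at that moment), or (None, counter) if no request was throttled.
    """
    limiter = RateLimiter()
    key = request_signature("localhost", "127.0.0.1")  # constructed sample values
    send = build_pipeline(limiter, key, limits)
    for i in range(requests):
        try:
            send()
        except ThrottleRequestsException:
            return i, limiter.attempts(key)
    return None, limiter.attempts(key)


def expected_behaviour(limits, requests=10):
    """The behaviour the report asks for: the tightest rule wins and the
    request is counted once, i.e. a single throttle at min(limits)."""
    return first_throttled_index([min(limits)], requests)


if __name__ == "__main__":
    print("stacked [60, 10]:", first_throttled_index([60, 10]))   # (5, 11)
    print("single [10], 12 requests:", first_throttled_index([10], 12))  # (10, 10)
    print("expected for [60, 10], 12 requests:", expected_behaviour([60, 10], 12))
```

The counter reaches 2i after i requests because both instances call `hit` on the same key, so the inner limit of 10 is crossed when 2i + 1 >= 10, i.e. at i = 5. The defensive takeaway is that two throttles with the same signature do not compose as "the tighter one wins"; they halve the effective budget, which also halves the number of credential-guessing attempts that trigger the limit, so any test or monitoring that assumes the route's literal `10,1` figure will be off by the number of stacked instances.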

@mirkopeloso mirkopeloso changed the title Login routing throttle attempts incorrect when using passport for API request Login routing throttle attempts incorrect if middleware already declared Feb 19, 2020
@driesvints (Member) commented:

Hey there,

Can you first please try one of the support channels below? If you can actually identify this as a bug, feel free to report back and I'll gladly help you out and re-open this issue.

Thanks!
