在用户身份验证的情况下,Laravel 具有内置的身份验证系统。我们可以根据要求轻松修改它。身份验证中包含的功能之一是Throttling.

为什么我们需要throttling保护?

基本上,throttling是用来保护暴力攻击的。它将在一定时间内检查登录尝试。在短登录中,throttling会计算用户或机器人尝试失败的登录尝试次数。

使用自定义登录实现限制

默认情况下,在内置身份验证控制器中实现限制。但是,如果我们需要实现它到自定义登录呢?

实现自定义登录限制非常容易。首先,我们必须将ThrottlesLogins trait包含到您的控制器中。

use Illuminate\Foundation\Auth\ThrottlesLogins;

现在,将此ThrottlesLogins trait 加到控制器中。

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Foundation\Auth\ThrottlesLogins;

class AuthController extends Controller
{
    use ThrottlesLogins;

    ......

现在转到用于对用户进行身份验证的方法。在我的例子中,我使用了 login() POST 方法。并粘贴以下代码:

public function login(Request $request)
{
    // Authenticate Inputs
    $request->validate([
        'username' => 'required', 
        'password' => 'required|min:6|max:18'
    ]);


    // If the class is using the ThrottlesLogins trait, we can automatically throttle
    // the login attempts for this application. We'll key this by the username and
    // the IP address of the client making these requests into this application.
    if (method_exists($this, 'hasTooManyLoginAttempts') &&
        $this->hasTooManyLoginAttempts($request)) {
        $this->fireLockoutEvent($request);

        return $this->sendLockoutResponse($request);
    }
  
    .......

首先,我们验证了用户提交的输入,然后实现了hasTooManyLoginAttempts() 方法。此方法将检查用户在某个时间是否执行过一定数量的失败尝试,然后系统将通过sendLockoutResponse()  方法阻止该用户。

现在,我们必须通过incrementLoginAttempts()方法指示对ThrottlesLogins trait的失败登录尝试。

if( Auth::attempt(['username' => $username, 'password' => $password]) ){
    // Redirect to appropriate dashboard 
}
else {

    // If the login attempt was unsuccessful we will increment the number of attempts
    // to login and redirect the user back to the login form. Of course, when this
    // user surpasses their maximum number of attempts they will get locked out.
    $this->incrementLoginAttempts($request);

    return redirect()->back()
        ->withInput($request->all())
        ->withErrors(['error' => 'Please check your username / password.']);
}

您还可以通过$maxAttempts和$decayMinutes属性更改允许的最大尝试次数限制的分钟数。在这里,您可以找到完整的代码。

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Foundation\Auth\ThrottlesLogins;

class AuthController extends Controller
{
    use ThrottlesLogins;


    /**
     * The maximum number of attempts to allow.
     *
     * @return int
     */
    protected $maxAttempts = 5;


    /**
     * The number of minutes to throttle for.
     *
     * @return int
     */
    protected $decayMinutes = 1;


    public function login(Request $request)
    {
        // Authenticate Inputs
        $request->validate([
            'username' => 'required', 
            'password' => 'required|min:6|max:18'
        ]);


        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        $username = $request->username;
        $password = $request->password;

        
        if( Auth::attempt(['username' => $username, 'password' => $password]) ){
            // Redirect to appropriate dashboard 
        }
        else {

            // If the login attempt was unsuccessful we will increment the number of attempts
            // to login and redirect the user back to the login form. Of course, when this
            // user surpasses their maximum number of attempts they will get locked out.
            $this->incrementLoginAttempts($request);

            return redirect()->back()
                ->withInput($request->all())
                ->withErrors(['error' => 'Please check your username / password.']);
        }
    }
}
Related Posts:

 

Laravel 登录失败次数限制
标签: