diff --git a/app/Config/auth.php b/app/Config/auth.php
index 404b5352d..23b9039b9 100644
--- a/app/Config/auth.php
+++ b/app/Config/auth.php
@@ -70,6 +70,7 @@ return [
 'email' => 'emails.password',
 'table' => 'password_resets',
 'expire' => 60,
+ 'throttle' => 60,
 ],
 ],
diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index 3df0608f8..8eaee08a2 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -56,7 +56,7 @@ class ForgotPasswordController extends Controller
 $this->logActivity(ActivityType::AUTH_PASSWORD_RESET, $request->get('email'));
 }
- if ($response === Password::RESET_LINK_SENT || $response === Password::INVALID_USER) {
+ if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED])) {
 $message = trans('auth.reset_password_sent', ['email' => $request->get('email')]);
 $this->showSuccessNotification($message);
diff --git a/tests/Auth/AuthTest.php b/tests/Auth/AuthTest.php
index d037b5701..f19011c46 100644
--- a/tests/Auth/AuthTest.php
+++ b/tests/Auth/AuthTest.php
@@ -282,6 +282,22 @@ class AuthTest extends TestCase
 ->assertElementContains('a', 'Sign up');
 }
+ public function test_reset_password_request_is_throttled()
+ {
+ $editor = $this->getEditor();
+ Notification::fake();
+ $this->get('/password/email');
+ $this->followingRedirects()->post('/password/email', [
+ 'email' => $editor->email,
+ ]);
+
+ $resp = $this->followingRedirects()->post('/password/email', [
+ 'email' => $editor->email,
+ ]);
+ Notification::assertTimesSent(1, ResetPassword::class);
+ $resp->assertSee('A password reset link will be sent to ' . $editor->email . ' if that email address is found in the system.');
+ }
+
 public function test_login_redirects_to_initially_requested_url_correctly()
 {
 config()->set('app.url', 'http://localhost');
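Review bot: The new `'throttle' => 60` sits directly under `'expire' => 60` but the two values are not in the same unit — if this broker follows Laravel's PasswordBroker convention, `expire` is read in minutes while `throttle` is read in seconds, so the adjacent identical numbers invite a wrong edit later. A short comment on the added line would remove the ambiguity, e.g. `'throttle' => 60, // seconds between reset emails for the same user ('expire' above is in minutes)`. Since the throttle is the only thing preventing the reset endpoint from being used to flood a user's inbox, its unit is worth stating explicitly.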
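Review bot: The new `in_array` call on the changed line drops the strict comparison that the replaced `===` checks had; pass the third argument so the match stays type-strict, `if (in_array($response, [Password::RESET_LINK_SENT, Password::INVALID_USER, Password::RESET_THROTTLED], true)) {`. Folding `RESET_THROTTLED` into the same generic success message as `INVALID_USER` is the right call for this endpoint, since a distinct "throttled" response would only be returned for addresses that exist and would let a caller distinguish registered from unregistered emails; a one-line comment stating that intent, `// Throttled and unknown-user outcomes intentionally show the same message to avoid account enumeration`, would stop a future change from splitting them again. The enclosing method starts and ends outside this hunk, so the logActivity branch above it is only partially visible here.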
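Review bot: The new test asserts only the throttled path — one notification sent across two immediate requests and the generic message shown — but nothing checks that the throttle lifts again, so a regression that blocks reset emails permanently for a user would still pass; a companion test that advances the clock past the configured window (e.g. with `Carbon::setTestNow`) and asserts a second `ResetPassword` notification would cover that. The purpose of the bare `$this->get('/password/email');` before the first post is not evident from the test itself; a comment such as `// Load the form first so the request carries a session like a real browser submission` (adjust to the actual reason) would help. A docblock stating what is being protected against, i.e. that repeated submissions for the same address neither send extra emails nor reveal via the response that the address is known, would make the test's security intent clear to the next reader.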