
Changes in RateLimiter::remaining altered behaviour for negative values of $maxAttempts parameter

Open chippisc opened this issue 1 week ago • 0 comments

Laravel Version

12.41.1

PHP Version

8.2.28

Database Driver & Version

No response

Description

https://github.com/laravel/framework/pull/57851 introduced changes to prevent strange behaviour when $attempts > $maxAttempts.

However, this also changed the behaviour for cases where $maxAttempts is negative.

While there is no use in calling the function directly with a negative parameter, it could be used by applying a configuration option such as:

RateLimiter::remaining('someKey', config('maxLoginAttempts'));

For these cases, an IT administrator would probably expect the option to be disabled if set to -1 (allow infinite attempts) which was working until now. The linked PR changed the behaviour so that -1 blocks any attempts.

In case disabling by setting a negative parameter is not wanted, this ticket would be a non-issue. There clearly are valid arguments to not support it, as it could just be handled outside of the function.

A possible fix to re-allow disabling the limiting via -1 would be:

    public function remaining($key, $maxAttempts)
    {
        $key = $this->cleanRateLimiterKey($key);

        $attempts = $this->attempts($key);

        return $maxAttempts >= 0
            ? max(0, $maxAttempts - $attempts)
            : -1;
    }

This would preserve the changes of https://github.com/laravel/framework/pull/57851 while returning to previous behaviour for negative $maxAttempts.

If this approach is desired, I am happy to create a pull request.

Steps To Reproduce

call

! Illuminate\Support\Facades\RateLimiter::remaining('someKey', -1)
  • before the change this returned false
  • after the change it returns true

chippisc avatar Dec 04 '25 14:12 chippisc
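
The following is an added example, not part of the original issue and not Laravel's source. It models the three variants of `remaining()` discussed above as stand-alone functions and prints whether a `! remaining(...)` check blocks the caller, alongside a hypothetical caller-side guard (`isBlocked`) that handles a negative limit outside the function. The pre-PR body is assumed to be a plain subtraction, inferred from the results reported in the issue, and the input pairs are constructed.

```php
<?php
// Stand-alone models of the behaviours discussed in the issue (not Laravel's source).
// $attempts is passed in directly instead of being read from the cache.

// Assumption: pre-PR behaviour was a plain subtraction (inferred from the reported results).
function remainingBefore(int $attempts, int $maxAttempts): int
{
    return $maxAttempts - $attempts;
}

// Behaviour after the linked PR, as the issue describes it: clamped at zero.
function remainingAfter(int $attempts, int $maxAttempts): int
{
    return max(0, $maxAttempts - $attempts);
}

// The fix proposed in the issue: a negative limit returns -1 ("disabled").
function remainingProposed(int $attempts, int $maxAttempts): int
{
    return $maxAttempts >= 0 ? max(0, $maxAttempts - $attempts) : -1;
}

// Hypothetical caller-side guard: treat a negative limit as "disabled" explicitly,
// so the decision does not depend on how remaining() handles negative input.
function isBlocked(int $attempts, int $maxAttempts): bool
{
    if ($maxAttempts < 0) {
        return false; // limiter switched off by configuration
    }

    return ! remainingAfter($attempts, $maxAttempts);
}

// Constructed [attempts, maxAttempts] pairs; the columns show "blocked?" per variant.
$cases = [[0, -1], [3, -1], [0, 5], [5, 5], [7, 5]];

foreach ($cases as [$attempts, $max]) {
    printf(
        "attempts=%d max=%2d before=%-5s after=%-5s proposed=%-5s guard=%s\n",
        $attempts,
        $max,
        var_export(! remainingBefore($attempts, $max), true),
        var_export(! remainingAfter($attempts, $max), true),
        var_export(! remainingProposed($attempts, $max), true),
        var_export(isBlocked($attempts, $max), true)
    );
}
```

The rows with a limit of -1 show the change reported in the issue, and the 7-of-5 row shows the over-limit case where plain subtraction yields a truthy negative value. With the guard, a negative limit disables throttling as an explicit, reviewable decision in the caller.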