From c9838a37be635bea742ef65a6e1257e440a460c1 Mon Sep 17 00:00:00 2001
From: Stephen Rees-Carter <stephen@rees-carter.net>
Date: Sat, 5 Jul 2025 13:45:55 +1000
Subject: [PATCH] Add throttle to authed password routes

---
 routes/auth.php     | 3 ++-
 routes/settings.php | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/routes/auth.php b/routes/auth.php
index 7862ed46c..1351b3fb0 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -49,7 +49,8 @@
     Route::get('confirm-password', [ConfirmablePasswordController::class, 'show'])
         ->name('password.confirm');
 
-    Route::post('confirm-password', [ConfirmablePasswordController::class, 'store']);
+    Route::post('confirm-password', [ConfirmablePasswordController::class, 'store'])
+        ->middleware('throttle:6,1');
 
     Route::post('logout', [AuthenticatedSessionController::class, 'destroy'])
         ->name('logout');
diff --git a/routes/settings.php b/routes/settings.php
index 95031371c..6ca93bf57 100644
--- a/routes/settings.php
+++ b/routes/settings.php
@@ -13,7 +13,9 @@
     Route::delete('settings/profile', [ProfileController::class, 'destroy'])->name('profile.destroy');
 
     Route::get('settings/password', [PasswordController::class, 'edit'])->name('password.edit');
-    Route::put('settings/password', [PasswordController::class, 'update'])->name('password.update');
+    Route::put('settings/password', [PasswordController::class, 'update'])
+        ->middleware('throttle:6,1')
+        ->name('password.update');
 
     Route::get('settings/appearance', function () {
         return Inertia::render('settings/appearance');