After a few days of struggling I have found a few-lines long solution to the problem of how to show ReCaptcha after a few hits on the endpoint. Requiring a ReCaptcha after a few successive hits in a short amount of time greatly reduces this attack vector.

The above assumes that you already have your own MyReCaptchaMiddleware up and running, we won't go into details of it here.

But since we rather use the provided $maxAttempts and $decayMinutes middleware parameters of the throttle middleware only for their intended purpose, we can safely omit that block.

It's the latter I am using to determine when to display the ReCaptcha on the front-end.
Newsletter

Get the latest Laravel/PHP jobs, events and curated articles straight to your inbox, once a week

Fathom Analytics | Fast, simple and privacy-focused website analytics. Fathom Analytics | Fast, simple and privacy-focused website analytics.
Community Partners