- Add global instanceSettings()->oauth_only check in FortifyServiceProvider
- ResetUserPassword: Use ValidationException instead of Exception, add global check
- UpdateUserPassword: Use ValidationException instead of Exception, add global check
The login and forgot-password rate limiters were vulnerable to bypass
by manipulating the X-Forwarded-For header. Attackers could rotate
this header value to circumvent the 5 attempts per minute limit.
Changed both rate limiters to use server('REMOTE_ADDR') instead of
ip() to prevent header spoofing. REMOTE_ADDR gives the actual
connecting IP before proxy headers are processed.
Also added comprehensive unit tests to verify the fix.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Support azure, bitbucket, github, gitlab, google providers
- Add authentication page to settings
Co-authored-by: Suraj Kumar <srjkmr1024@gmail.com>
Co-authored-by: Michael Castanieto <mcastanieto@gmail.com>
Co-authored-by: Mike Kim <m.kim4247@gmail.com>