Allow configs to be added to frontend form and auth end routes

ryanmitchell · ryanmitchell · commit fe4629e7e6e7 · 2026-04-10T11:37:22.000+01:00
diff --git a/config/routes.php b/config/routes.php
@@ -53,4 +53,30 @@
 
     'middleware' => 'web',
 
+    /*
+    |--------------------------------------------------------------------------
+    | Auth Route Middleware
+    |--------------------------------------------------------------------------
+    |
+    | Additional middleware applied to the frontend auth routes (login,
+    | register, password reset, etc). Useful for rate limiting, e.g.
+    | 'throttle:4,1' to allow 4 attempts per minute.
+    |
+    */
+
+    'auth_middleware' => [],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Forms Route Middleware
+    |--------------------------------------------------------------------------
+    |
+    | Additional middleware applied to the frontend form submission route.
+    | Useful for rate limiting, e.g. 'throttle:30,1' to allow 30 submissions
+    | per minute.
+    |
+    */
+
+    'forms_middleware' => [],
+
 ];
diff --git a/routes/web.php b/routes/web.php
@@ -34,12 +34,12 @@
 
 Route::name('statamic.')->group(function () {
     Route::group(['prefix' => config('statamic.routes.action')], function () {
-        Route::post('forms/{form}', [FormController::class, 'submit'])->middleware([HandlePrecognitiveRequests::class])->name('forms.submit');
+        Route::post('forms/{form}', [FormController::class, 'submit'])->middleware(array_merge([HandlePrecognitiveRequests::class], (array) config('statamic.routes.forms_middleware', [])))->name('forms.submit');
 
         Route::get('protect/password', [PasswordProtectController::class, 'show'])->name('protect.password.show')->middleware([HandleInertiaRequests::class]);
         Route::post('protect/password', [PasswordProtectController::class, 'store'])->name('protect.password.store');
 
-        Route::group(['prefix' => 'auth', 'middleware' => [AuthGuard::class]], function () {
+        Route::group(['prefix' => 'auth', 'middleware' => array_merge([AuthGuard::class], (array) config('statamic.routes.auth_middleware', []))], function () {
             Route::get('logout', [LoginController::class, 'logout'])->name('logout');
 
             Route::group(['middleware' => [HandlePrecognitiveRequests::class]], function () {
