Rate limiting 

New in version 14.2

Previously, the backend and frontend password recovery features, as well as the Extbase rate limiting, each created Symfony rate limiter factories directly, bypassing TYPO3's factory. All consumers now use the central TYPO3 factory, which enables a unified admin override mechanism.

The \TYPO3\CMS\Core\RateLimiter\RateLimiterFactory is available to serve as the single entry point for all rate limiting across the system. A new \TYPO3\CMS\Core\RateLimiter\RateLimiterFactoryInterface extends Symfony's \Symfony\Component\RateLimiter\RateLimiterFactoryInterface with additional convenience methods for request-based and login rate limiting.

Extension developers should type-hint against RateLimiterFactoryInterface when injecting the factory.

Table of Contents

Overriding the rateLimiter via the TYPO3_CONF_VARS 

Example limiter ID for Extbase action 

The limiter ID for an Extbase action which uses the #[\TYPO3\CMS\Extbase\Attribute\RateLimit] attribute is constructed using the "slugified" class name and the action method name.

EXT:my_extension/Classes/Controller/MyController.php 
<?php

declare(strict_types=1);

namespace MyVendor\MyExtension\Controller;

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Extbase\Attribute\RateLimit;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

final class MyController extends ActionController
{
    #[RateLimit(
        limit: 5,
        interval: '10 minutes',
        message: 'ratelimit.dosomething',
    )]
    public function doSomethingAction(): ResponseInterface
    {
        return $this->redirect('index');
    }
}
Copied!

The limiter ID for the action is: extbase-myvendor-myextension-controller-mycontroller-dosomethingaction

General-purpose rate limiting 

Extension developers can use the RateLimiterFactory for custom rate limiting needs.

The createRequestBasedLimiter() method is the recommended entry point for request-scoped rate limiting. It automatically extracts the client's remote IP address from the PSR-7 request and uses it as the limiter key:

EXT:my_extension/Classes/RateLimiting/MyService.php 
<?php

declare(strict_types=1);

namespace MyVendor\MyExtension\RateLimiting;

use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\RateLimiter\RateLimiterFactoryInterface;

final readonly class MyService
{
    public function __construct(
        private RateLimiterFactoryInterface $rateLimiterFactory,
    ) {}

    public function doSomething(ServerRequestInterface $request): void
    {
        $limiter = $this->rateLimiterFactory->createRequestBasedLimiter(
            $request,
            [
                'id' => 'my-extension-action',
                'policy' => 'sliding_window',
                'limit' => 10,
                'interval' => '1 hour',
            ],
        );

        $limit = $limiter->consume();
        if (!$limit->isAccepted()) {
            // handle rate limit exceeded
        }
    }
}
Copied!

For cases where a custom key is needed (for example, a user ID instead of the IP address), the createLimiter() method accepts an explicit configuration array and key:

$limiter = $this->rateLimiterFactory->createLimiter(
    [
        'id' => 'my-extension-action',
        'policy' => 'sliding_window',
        'limit' => 10,
        'interval' => '1 hour',
    ],
    $userId
);
Copied!

Pre-configured named services can also be defined in Services.yaml, which are then injectable with the create() method from the RateLimiterFactoryInterface :

EXT:my_extension/Configuration/Services.yaml 
services:
  # ... other configuration

  myRateLimiter:
    class: TYPO3\CMS\Core\RateLimiter\RateLimiterFactory
    arguments:
      $config:
        id: 'my-custom-limiter'
        policy: 'sliding_window'
        limit: 5
        interval: '10 minutes'
Copied!

Read how to configure dependency injection in extensions.