Contributed by Kevin Bond in #59929 and #60155
The Rate Limiter component lets you control how often a certain event can
occur. It's commonly used to limit login attempts, restrict file downloads,
enforce request limits in your APIs, and more.
Sometimes, your rate limiting policies can be complex and require combining
multiple individual policies. While this has been possible using the
CompoundLimiter class, it previously required custom logic on your end.
In Symfony 7.3, we've improved this with configurable compound limiters.
For example, to configure a compound rate limiter for your contact form:
# config/packages/framework.yaml
framework:
    rate_limiter:
        two_per_minute:
            policy: 'fixed_window'
            limit: 2
            interval: '1 minute'
        five_per_hour:
            policy: 'fixed_window'
            limit: 5
            interval: '1 hour'
            lock_factory: null
        contact_form:
            policy: 'compound'
            limiters: [two_per_minute, five_per_hour]
With this setup, users can send up to two contact messages per minute, and no more
than five messages within an hour. In your controller or service, inject this
rate limiter just like any other limiter:
public function contactAction(RateLimiterFactoryInterface $contactFormLimiter)
{
    // $contactFormLimiter is a CompoundRateLimiterFactory containing
    // "two_per_minute" & "five_per_hour"
}
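One way to enforce the compound limiter inside that action, as an added example that is not code from the original post or from the Symfony project. The ContactController class name, the per-client-IP key, the 'unknown' fallback key and the response text are assumptions made for illustration.

```php
<?php
// Added example: class name, key choice and messages are hypothetical.
namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;

final class ContactController
{
    public function contactAction(
        Request $request,
        RateLimiterFactoryInterface $contactFormLimiter,
    ): Response {
        // Key the limiter per client so one sender cannot exhaust the
        // quota of everyone else. getClientIp() only reflects the real
        // client behind a reverse proxy when trusted proxies are
        // configured; otherwise every request shares the proxy address.
        // Requests without a resolvable address share one 'unknown' bucket.
        $key = $request->getClientIp() ?? 'unknown';

        // A single consume() is checked against both configured windows
        // ("two_per_minute" and "five_per_hour").
        $limit = $contactFormLimiter->create($key)->consume(1);

        if (!$limit->isAccepted()) {
            // Tell well-behaved clients when to retry (HTTP 429 with a
            // Retry-After header, in seconds).
            $seconds = max(1, $limit->getRetryAfter()->getTimestamp() - time());

            throw new TooManyRequestsHttpException(
                $seconds,
                'Too many contact messages, please try again later.'
            );
        }

        // ... validate and send the contact message here ...

        return new Response('Message sent.');
    }
}
```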