leezard/app/Http/Middleware/PasswordResetThrottle.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Symfony\Component\HttpFoundation\Response;

class PasswordResetThrottle
{
    public function handle(Request $request, Closure $next): Response
    {
        $key = 'password-reset:' . $request->ip();

        if (RateLimiter::tooManyAttempts($key, 5)) {
            $seconds = RateLimiter::availableIn($key);
            return back()->with('error', "Troppi tentativi. Riprova tra {$seconds} secondi.");
        }

        RateLimiter::hit($key, 3600); // 1 hour

        return $next($request);
    }
}