From 65e5b2ecdb138a5ccf011ffb521c3393117fa95b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:32:19 +0100
Subject: [PATCH] fix: correct login rate limiter key format to include IP
 address

---
 app/Providers/FortifyServiceProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Providers/FortifyServiceProvider.php b/app/Providers/FortifyServiceProvider.php
index 7dda1a2d4..85f38b967 100644
--- a/app/Providers/FortifyServiceProvider.php
+++ b/app/Providers/FortifyServiceProvider.php
@@ -139,7 +139,7 @@ public function boot(): void
             // server('REMOTE_ADDR') gives the actual connecting IP before proxy headers
             $realIp = $request->server('REMOTE_ADDR') ?? $request->ip();
 
-            return Limit::perMinute(5)->by($email.$realIp);
+            return Limit::perMinute(5)->by($email.'|'.$realIp);
         });
 
         RateLimiter::for('two-factor', function (Request $request) {