symfony
diff --git a/‎src/Symfony/Component/HttpFoundation/RateLimiter/AbstractRequestRateLimiter.php
+13-3 b/‎src/Symfony/Component/HttpFoundation/RateLimiter/AbstractRequestRateLimiter.php
+13-3
diff --git a/‎src/Symfony/Component/HttpFoundation/RateLimiter/PeekableRequestRateLimiterInterface.php
+35 b/‎src/Symfony/Component/HttpFoundation/RateLimiter/PeekableRequestRateLimiterInterface.php
+35
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php
+25-5 b/‎src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php
+25-5
@@ -17,14 +17,24 @@
 use Symfony\Component\RateLimiter\RateLimit;
 
 /**
- * An implementation of RequestRateLimiterInterface that
+ * An implementation of PeekableRequestRateLimiterInterface that
  * fits most use-cases.
  *
  * @author Wouter de Jong <wouter@wouterj.nl>
  */
-abstract class AbstractRequestRateLimiter implements RequestRateLimiterInterface
+abstract class AbstractRequestRateLimiter implements PeekableRequestRateLimiterInterface
 {
     public function consume(Request $request): RateLimit
+    {
+        return $this->doConsume($request, 1);
+    }
+
+    public function peek(Request $request): RateLimit
+    {
+        return $this->doConsume($request, 0);
+    }
+
+    private function doConsume(Request $request, int $tokens)
     {
         $limiters = $this->getLimiters($request);
         if (0 === \count($limiters)) {
@@ -33,7 +43,7 @@ public function consume(Request $request): RateLimit
 
         $minimalRateLimit = null;
         foreach ($limiters as $limiter) {
-            $rateLimit = $limiter->consume(1);
+            $rateLimit = $limiter->consume($tokens);
 
             if (null === $minimalRateLimit || $rateLimit->getRemainingTokens() < $minimalRateLimit->getRemainingTokens()) {
                 $minimalRateLimit = $rateLimit;
 
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\RateLimiter;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\RateLimiter\RateLimit;
+
+/**
+ * A request limiter which allows peeking ahead.
+ *
+ * This is valuable to reduce the cache backend load in scenarios
+ * like a login when we only want to consume a token on login failure,
+ * and where the majority of requests will be successful and thus not
+ * need to consume a token.
+ *
+ * This way we can peek ahead before allowing the request through, and
+ * only consume if the request failed (1 backend op). This is compared
+ * to always consuming and then resetting the limit if the request
+ * is successful (2 backend ops).
+ *
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ */
+interface PeekableRequestRateLimiterInterface extends RequestRateLimiterInterface
+{
+    public function peek(Request $request): RateLimit;
+}
@@ -12,12 +12,14 @@
 namespace Symfony\Component\Security\Http\EventListener;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RateLimiter\PeekableRequestRateLimiterInterface;
 use Symfony\Component\HttpFoundation\RateLimiter\RequestRateLimiterInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 
 /**
@@ -44,22 +46,40 @@ public function checkPassport(CheckPassportEvent $event): void
         $request = $this->requestStack->getMainRequest();
         $request->attributes->set(Security::LAST_USERNAME, $passport->getBadge(UserBadge::class)->getUserIdentifier());
 
-        $limit = $this->limiter->consume($request);
-        if (!$limit->isAccepted()) {
+        if ($this->limiter instanceof PeekableRequestRateLimiterInterface) {
+            $limit = $this->limiter->peek($request);
+        } else {
+            $limit = $this->limiter->consume($request);
+        }
+
+        // Checking isAccepted here is not enough as peek consumes 0 token, it will
+        // be accepted even if there are 0 tokens remaining to be consumed. We check both
+        // anyway for safety in case third party implementations behave unexpectedly.
+        if (!$limit->isAccepted() || 0 === $limit->getRemainingTokens()) {
             throw new TooManyLoginAttemptsAuthenticationException(ceil(($limit->getRetryAfter()->getTimestamp() - time()) / 60));
         }
     }
 
-    public function onSuccessfulLogin(LoginSuccessEvent $event): void
+    public function onLoginFailure(LoginFailureEvent $event): void
     {
-        $this->limiter->reset($event->getRequest());
+        if ($this->limiter instanceof PeekableRequestRateLimiterInterface) {
+            $this->limiter->consume($event->getRequest());
+        }
+    }
+
+    public function onLoginSuccess(LoginSuccessEvent $event): void
+    {
+        if (!$this->limiter instanceof PeekableRequestRateLimiterInterface) {
+            $this->limiter->reset($event->getRequest());
+        }
     }
 
     public static function getSubscribedEvents(): array
     {
         return [
             CheckPassportEvent::class => ['checkPassport', 2080],
-            LoginSuccessEvent::class => 'onSuccessfulLogin',
+            LoginFailureEvent::class => 'onLoginFailure',
+            LoginSuccessEvent::class => 'onLoginSuccess',
         ];
     }
 }