auth.apikey must be placed before throttling middleware ?

[damsvann]

Half a comment / Half a question

Laravel: v5.6
api-guard: v4.1

In the Http/Kernel.php file, middleware section I noticed that

Is half-working since the user won't be set in the $request object throttling middleware class. $request->user() will always return null.

        'api' => [
            'throttle:rate_limit,1',
            'auth.apikey',
            ...
        ],

The following is working though

        'api' => [
            'auth.apikey',
            'throttle:rate_limit,1',
            ...
        ],

As far as I remember middlewares are prioritized so this may be expected, but the documentation is wrong and should be

/**
 * The application's route middleware groups.
 *
 * @var array
 */
protected $middlewareGroups = [
    ...

    'api' => [
        'auth.apikey',
        'throttle:60,1',
        'bindings',
    ],
];

Correct me if I am wrong, I'll be pleased to assist and give more details on our laravel setup.

Edited:
Just to clarify our use case, we want to accept visitor and limit their rate with a really low threshold. To do so we need to change the middleware to not send a unauthorized response.