Laravel Fortify can only work with the web guard. Some things work, when more than 1 guard is configured, but GET /settings/password-confirm and some more routes do not.
Here is a middleware approach that authenticates the user against multiple guards.
Change files accordingly.
app/Providers/FortifyServiceProvider.php
Add a function configurePasswordConfirmation() to the boot() method, that validates the User against different guards.
<?php
namespace App\Providers;
use App\Actions\Fortify\CreateNewUser;
use App\Actions\Fortify\ResetUserPassword;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Fortify;
class FortifyServiceProvider extends ServiceProvider
{
/**
* Register any application services.
*/
public function register(): void
{
}
/**
* Bootstrap any application services.
*/
public function boot(): void
{
$this->configureActions();
$this->configureViews();
$this->configureRateLimiting();
$this->configurePasswordConfirmation();
}
/**
* Configure Fortify actions.
*/
private function configureActions(): void
{
Fortify::resetUserPasswordsUsing(ResetUserPassword::class);
Fortify::createUsersUsing(CreateNewUser::class);
}
/**
* Configure Fortify views.
*/
private function configureViews(): void
{
Fortify::loginView(fn () => view('livewire.auth.login'));
Fortify::verifyEmailView(fn () => view('livewire.auth.verify-email'));
Fortify::twoFactorChallengeView(fn () => view('livewire.auth.two-factor-challenge'));
Fortify::confirmPasswordView(fn () => view('livewire.auth.confirm-password'));
Fortify::registerView(fn () => view('livewire.auth.register'));
Fortify::resetPasswordView(fn () => view('livewire.auth.reset-password'));
Fortify::requestPasswordResetLinkView(fn () => view('livewire.auth.forgot-password'));
}
/**
* Configure password confirmation to support multiple guards.
*/
private function configurePasswordConfirmation(): void
{
// Validate the provided password against the currently authenticated user
// from ANY configured guard (e.g., 'web' or 'admin').
Fortify::confirmPasswordsUsing(function (?AuthenticatableContract $user, string $password): bool {
// If Fortify didn't resolve a user (because it's bound to a specific guard),
// try to detect the active guard's user.
if (! $user) {
foreach (array_keys(config('auth.guards', [])) as $guard) {
if (Auth::guard($guard)->check()) {
$user = Auth::guard($guard)->user();
break;
}
}
}
if (! $user) {
return false;
}
// Use Laravel's hasher to validate the password against the model's stored hash.
return Hash::check($password, $user->getAuthPassword());
});
}
/**
* Configure rate limiting.
*/
private function configureRateLimiting(): void
{
RateLimiter::for('two-factor', function (Request $request) {
return Limit::perMinute(5)->by($request->session()->get('login.id'));
});
RateLimiter::for('login', function (Request $request) {
$throttleKey = Str::transliterate(Str::lower($request->input(Fortify::username())).'|'.$request->ip());
return Limit::perMinute(5)->by($throttleKey);
});
}
}config/auth.php
Here you have to add the guards, configure their providers and their AUTH_PASSWORD_RESET_TOKEN_TABLE.
This setup is meant to authenticate admin users against a different Model with a different DB table. If you don’t need separate tables, change provider and password entry.
...
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'admin' => [ // second guard
'driver' => 'session',
'provider' => 'admins',
],
],
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class,
],
'admins' => [
'driver' => 'eloquent',
'model' => App\Models\Adminuser::class,
],
],
'passwords' => [
'users' => [
'provider' => 'users',
'table' => env('AUTH_PASSWORD_RESET_TOKEN_TABLE', 'password_reset_tokens'),
'expire' => 60,
'throttle' => 60,
],
'admins' => [
'provider' => 'admins',
'table' => 'password_reset_tokens_admins',
'expire' => 60,
'throttle' => 60,
],
],
...config/fortify.php
Add a middleware that switches the default auth guard to whichever guard is currently authenticated.
This makes Fortify’s GET routes that use the unparameterized ‘auth’ middleware work for all guards.
...'middleware' => ['web', 'use-authenticated-guard'], // add new middleware
'auth_middleware' => 'use-authenticated-guard', // add this, too ...
app/Http/Middleware/UseAuthenticatedGuard.php
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;
class UseAuthenticatedGuard
{
/**
* Ensure the default guard for the request matches the already authenticated guard.
*/
public function handle(Request $request, Closure $next): Response
{
foreach (array_keys(config('auth.guards', [])) as $guard) {
if (Auth::guard($guard)->check()) {
// Set the default guard for this request lifecycle so downstream
// middleware like 'auth' without parameters will respect it.
Auth::shouldUse($guard);
break;
}
}
return $next($request);
}
}For Testing:
- Clear caches,
- logout with all users,
- and try in a private browser window, so the random cookies you have stored for all the guards on your tests dont get in the way…
Good luck!