Laravel Version
13.4
PHP Version
8.4.16
Database Driver & Version
10.4.28-MariaDB
Description
Description
After upgrading from Laravel 12 to Laravel 13 using the Laravel Boost MCP upgrade tool (via Claude AI), configuring $middleware->redirectUsersTo() in bootstrap/app.php causes unauthenticated requests to return a 401 Unauthorized HTTP error instead of redirecting to the login page.
Upgrade Method
The upgrade was performed using Laravel Boost MCP (laravel-boost:upgrade-laravel-v13 and laravel-boost:upgrade-inertia-v3 commands) which automated the following changes:
Updated laravel/framework from ^12.0 to ^13.0
Updated laravel/tinker from ^2.10.1 to ^3.0
Updated inertiajs/inertia-laravel from ^2.0 to ^3.0
Updated @inertiajs/vue3 from ^2.3.7 to ^3.0
Renamed CSRF middleware reference from ValidateCsrfToken to PreventRequestForgery in config/sanctum.php
Added serializable_classes option to config/cache.php
Republished config/inertia.php with new v3 structure
Steps to Reproduce
Upgrade Laravel 12 + Inertia v2 project to Laravel 13 + Inertia v3
Configure middleware in bootstrap/app.php:
->withMiddleware(function (Middleware $middleware): void {
$middleware->redirectGuestsTo('/login');
$middleware->redirectUsersTo('/'); // Adding this line causes the issue
$middleware->web(append: [
HandleInertiaRequests::class,
// ...
]);
})
Visit / (auth-protected route) as an unauthenticated user
Expected: Redirect to /login
Actual: Browser shows HTTP ERROR 401
Workaround
Removing $middleware->redirectUsersTo('/') resolves the issue - unauthenticated users are correctly redirected to /login.
Environment
Laravel: 13.4.0 (upgraded from 12.56.0)
Inertia Server: 3.0.6 (upgraded from 2.0.24)
Inertia Client: @inertiajs/vue3 3.0.3 (upgraded from 2.3.7)
PHP: 8.4
OS: macOS
Upgrade Tool: Laravel Boost MCP via Claude AI
Notes
The issue only occurs when both redirectGuestsTo() AND redirectUsersTo() are configured together
Using closures with route() helper causes the same issue
redirectGuestsTo() alone works correctly
This worked correctly in Laravel 12
Steps To Reproduce
Create a fresh Laravel 13 project or upgrade from Laravel 12:
composer create-project laravel/laravel bug-report
cd bug-report
Install Inertia:
composer require inertiajs/inertia-laravel:^3.0
npm install @inertiajs/vue3@^3.0
Configure bootstrap/app.php with both redirect methods:
->withMiddleware(function (Middleware $middleware): void {
$middleware->redirectGuestsTo('/login');
$middleware->redirectUsersTo('/'); // This causes the issue
})
Create a protected route in routes/web.php:
Route::middleware('auth')->group(function () {
Route::get('/', function () {
return 'Dashboard';
});
});
Route::get('/login', function () {
return 'Login Page';
})->name('login');
Start the server:
php artisan serve
Visit http://127.0.0.1:8000/ in browser (not logged in)
Expected: Redirect to /login
Actual: HTTP ERROR 401
Remove $middleware->redirectUsersTo('/') from bootstrap/app.php
Visit http://127.0.0.1:8000/ again
Result: Now correctly redirects to /login
Laravel Version
13.4
PHP Version
8.4.16
Database Driver & Version
10.4.28-MariaDB
Description
Description
After upgrading from Laravel 12 to Laravel 13 using the Laravel Boost MCP upgrade tool (via Claude AI), configuring $middleware->redirectUsersTo() in bootstrap/app.php causes unauthenticated requests to return a 401 Unauthorized HTTP error instead of redirecting to the login page.
Upgrade Method
The upgrade was performed using Laravel Boost MCP (laravel-boost:upgrade-laravel-v13 and laravel-boost:upgrade-inertia-v3 commands) which automated the following changes:
Updated laravel/framework from ^12.0 to ^13.0
Updated laravel/tinker from ^2.10.1 to ^3.0
Updated inertiajs/inertia-laravel from ^2.0 to ^3.0
Updated @inertiajs/vue3 from ^2.3.7 to ^3.0
Renamed CSRF middleware reference from ValidateCsrfToken to PreventRequestForgery in config/sanctum.php
Added serializable_classes option to config/cache.php
Republished config/inertia.php with new v3 structure
Steps to Reproduce
Upgrade Laravel 12 + Inertia v2 project to Laravel 13 + Inertia v3
Configure middleware in bootstrap/app.php:
->withMiddleware(function (Middleware $middleware): void {
$middleware->redirectGuestsTo('/login');
$middleware->redirectUsersTo('/'); // Adding this line causes the issue
})
Visit / (auth-protected route) as an unauthenticated user
Expected: Redirect to /login
Actual: Browser shows HTTP ERROR 401
Workaround
Removing $middleware->redirectUsersTo('/') resolves the issue - unauthenticated users are correctly redirected to /login.
Environment
Laravel: 13.4.0 (upgraded from 12.56.0)
Inertia Server: 3.0.6 (upgraded from 2.0.24)
Inertia Client: @inertiajs/vue3 3.0.3 (upgraded from 2.3.7)
PHP: 8.4
OS: macOS
Upgrade Tool: Laravel Boost MCP via Claude AI
Notes
The issue only occurs when both redirectGuestsTo() AND redirectUsersTo() are configured together
Using closures with route() helper causes the same issue
redirectGuestsTo() alone works correctly
This worked correctly in Laravel 12
Steps To Reproduce
Create a fresh Laravel 13 project or upgrade from Laravel 12:
composer create-project laravel/laravel bug-report
cd bug-report
Install Inertia:
composer require inertiajs/inertia-laravel:^3.0
npm install @inertiajs/vue3@^3.0
Configure bootstrap/app.php with both redirect methods:
->withMiddleware(function (Middleware $middleware): void {
$middleware->redirectGuestsTo('/login');
$middleware->redirectUsersTo('/'); // This causes the issue
})
Create a protected route in routes/web.php:
Route::middleware('auth')->group(function () {
Route::get('/', function () {
return 'Dashboard';
});
});
Route::get('/login', function () {
return 'Login Page';
})->name('login');
Start the server:
php artisan serve
Visit http://127.0.0.1:8000/ in browser (not logged in)
Expected: Redirect to /login
Actual: HTTP ERROR 401
Remove $middleware->redirectUsersTo('/') from bootstrap/app.php
Visit http://127.0.0.1:8000/ again
Result: Now correctly redirects to /login