fix: prevent redirectUsersTo from overwriting guest redirect callback #59585

Closed
aydinza wants to merge 1 commit into laravel:13.x from aydinza:fix/redirect-guests-overwrite
@aydinza aydinza commented Apr 7, 2026

Problem

When redirectGuestsTo() and redirectUsersTo() are called separately in bootstrap/app.php:

$middleware->redirectGuestsTo(fn (Request $request) => route('login'));
$middleware->redirectUsersTo(fn (Request $request) => route('dashboard'));

The second call (redirectUsersTo) somehow overwrites the guest redirect callback, causing unauth requests to receive a 401 response instead of being redirected to the login page.

Root cause

In Middleware::redirectTo(), the $guests parameter defaults to null. The condition on line 564:

$guests = is_string($guests) || is_null($guests) ? fn () => $guests : $guests;

wraps null into fn () => null — a truthy closure — which passes the if ($guests) guard and overwrites the previously configured guest redirect callback with one that returns null.

The exception handler then receives null from $exception->redirectTo() and returns response()->noContent(401) instead of redirecting.

Workaround

Using a single redirectTo() call with both parameters avoids the issue:

$middleware->redirectTo(
    guests: fn (Request $request) => route('login'),
    users: fn (Request $request) => route('dashboard'),
);

Solution

Remove is_null() from the aforementioned condition so that a default null parameter stays null and is naturally skipped by the if ($guests) guard:

$guests = is_string($guests) ? fn () => $guests : $guests;

Tests

Added two tests:

  • testRedirectUsersToDoesNotOverwriteRedirectGuestsTo — verifies the Authenticate and AuthenticationException callbacks remain intact after calling both redirectGuestsTo() and redirectUsersTo().
  • testRedirectGuestsToWithCallable — verifies callable-based guest redirect works correctly alongside redirectUsersTo().

When `redirectGuestsTo()` and `redirectUsersTo()` are called separately,
the second call invokes `redirectTo(users: ...)` where `$guests` defaults
to `null`. The `is_null($guests)` check wraps this into `fn () => null`,
a truthy closure that passes the `if ($guests)` guard and overwrites
the previously configured guest redirect callback.

This causes unauthenticated requests to receive a 401 response instead
of being redirected to the login page.

The fix removes `is_null()` from the transformation condition so that
a default `null` parameter stays `null` and is skipped by the guard.
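
The overwrite described in this pull request, reproduced as a stand-alone PHP 8 example (added here; it is not code from the pull request or from Laravel). `GuestRedirects`, `resolve()` and the sample URLs are hypothetical stand-ins; only the ternary and the `if ($guests)` guard follow the lines quoted above.

```php
<?php
// Stand-in for the logic described in the PR; not Laravel's Middleware class.
// GuestRedirects, resolve() and the URLs are hypothetical names for illustration.
final class GuestRedirects
{
    private ?Closure $guestCallback = null;

    public function __construct(private bool $patched) {}

    // Mirrors the shape of redirectTo(guests:, users:) as quoted in the PR.
    public function redirectTo(callable|string|null $guests = null, callable|string|null $users = null): static
    {
        $guests = $this->patched
            ? (is_string($guests) ? fn () => $guests : $guests)                       // proposed fix
            : (is_string($guests) || is_null($guests) ? fn () => $guests : $guests);  // before the fix

        if ($guests) { // a Closure is always truthy, even fn () => null
            $this->guestCallback = Closure::fromCallable($guests);
        }
        // The $users branch is omitted: it does not touch the guest callback.

        return $this;
    }

    public function redirectGuestsTo(callable|string $redirect): static
    {
        return $this->redirectTo(guests: $redirect);
    }

    public function redirectUsersTo(callable|string $redirect): static
    {
        return $this->redirectTo(users: $redirect);
    }

    // What an unauthenticated request ends up with: a redirect target or a bare 401.
    public function resolve(): string
    {
        $target = $this->guestCallback ? ($this->guestCallback)() : null;
        return $target === null ? '401 (no content)' : "302 -> {$target}";
    }
}

foreach ([false, true] as $patched) {
    $config = (new GuestRedirects($patched))
        ->redirectGuestsTo(fn () => '/login')      // constructed sample URLs
        ->redirectUsersTo(fn () => '/dashboard');
    printf("%-8s %s\n", $patched ? 'patched' : 'original', $config->resolve());
}
```

A regression test for this class of bug should assert on the response an unauthenticated request receives after both calls, not only on the stored callbacks.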

aydinza commented Apr 7, 2026

looks like the fix landed in 451fd57 — same one-liner we proposed here. glad it's resolved! 🤝
