Authentication Issue

[bobwurtz]

Hello - I have been experiencing an authentication issue ever since upgrading to Laravel 9. Sometimes, a user will properly enter their credentials but the result of Auth::check() is false. I can demonstrate this with a browser test through Dusk:

<?php

namespace Tests\Browser;

use App\Models\Cafe;
use App\Models\Role;
use App\Models\User;
use App\Models\UserToCafe;
use Illuminate\Foundation\Testing\DatabaseMigrations;
use Laravel\Dusk\Browser;
use Tests\DuskTestCase;

class LoginTest extends DuskTestCase
{
    /** @test */
    public function a_user_can_login_correctly()
    {
        $roleId = Role::where('name', 'cafe_user')->value('id');

        $user = User::factory()
                        ->state([
                            'role_id' => $roleId,
                        ])
                        ->create();

        $this->browse(function ($browser) use ($user) {
            $browser->loginAs($user)
                    ->visit(route('cafe-menu'))
                    ->assertSeeLink('Menu');
        });
    }

    /** @test */
    public function a_user_can_login_correctly_v2()
    {
        $roleId = Role::where('name', 'cafe_user')->value('id');

        $user = User::factory()
                        ->state([
                            'role_id' => $roleId,
                        ])
                        ->create();

        $this->browse(function ($browser) use ($user) {
            $browser->visit('/login')
                    ->type('email', $user->email)
                    ->type('password', 'password')
                    ->click('button[type="submit"]')
                    ->type('email', $user->email)
                    ->type('password', 'password')
                    ->click('button[type="submit"]')
                    ->assertSeeLink('Menu');
        });
    }
}

The first test fails because authentication fails but the second one works. A workaround that I have discovered is to do the following in the middleware:

if (Auth::check() === false) {
        $request->session()->invalidate();
        $request->session()->regenerateToken();
        return redirect()->route('login');
}

Invalidating the session and regenerating the token 'fixes' the problem by forcing the user to login again. The second login attempt always works. Annoying - but it was a workaround for something that didn't happen that often so I moved on. Now, I'm beginning to write more comprehensive browser tests using Dusk so it's becoming a larger problem. Does anyone have any idea what could be causing this issue?

Here are the relevant routes:

Route::domain('cafe.'.config('app.domain'))->middleware(['cafe'])->group(function () {
    // show the menu
    Route::get('/contact', [ContactController::class, 'index'])->name('cafe-contact');

    // show the menu
    Route::get('/menu', [MenuController::class, 'index'])->name('cafe-menu');

    // show the cart
    Route::get('/cart', [CartController::class, 'index'])->name('cafe-cart');

    // show orders
    Route::get('/orders', [OrdersController::class, 'index'])->name('cafe-orders');

    // admin portal
    Route::get('/admin', [AdminController::class, 'index'])->name('cafe-admin');

    // profile
    Route::get('/user/cafe/profile', [ProfileController::class, 'index'])->name('cafe-user-profile');
});

And here is the middleware:

<?php

namespace App\Http\Middleware;

use App\Models\UserToCafe;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class CafeCustomer
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // must be a cafe_user
        if (Auth::check() === false) {
            $request->session()->invalidate();
            $request->session()->regenerateToken();
            return redirect()->route('login');
        }

        if (UserToCafe::where('user_id', Auth::id())->count() === 0) {
            return redirect()->route('welcome');
        }

        // check for password reset force
        if ($request->user()->reset_password == 1 && strpos($request->path(), 'profile') == false) {
            session()->flash('info', 'You must reset your password before continuing.');

            return redirect()->route('cafe-user-profile');
        }

        return $next($request);
    }
}

Thank you!