Laravel Multi-Auth Issues: Login Validation Errors and Redirect Failures

Fixing Multi-Auth Issues in Laravel: Any Password Logs In + Redirect Loop After Login

Let's tackle your two multi-auth problems one by one. These are common pitfalls when setting up separate admin/user authentication in Laravel, so we'll go through the most likely causes and fixes step by step.

Issue 1: Any password allows access to the Dashboard

This means your login logic isn't actually validating the password against the admin record. Here's what to check:

1. Verify your LoginController's guard and credential logic

First, make sure your Admin/LoginController is using the correct guard and validating both email and password:

namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    // Redirect to admin dashboard after login
    protected $redirectTo = '/admin/dashboard';

    // Specify the admin guard for authentication
    protected function guard()
    {
        return Auth::guard('admin');
    }

    // Ensure credentials include both email and password
    protected function credentials(\Illuminate\Http\Request $request)
    {
        return $request->only('email', 'password');
    }
}

If you've overridden the attemptLogin method, double-check that you're passing both the email and password to the attempt call. A common mistake is omitting the password field here, which lets any password pass as long as the email exists.

2. Check your Admin model's password field

Ensure your Admin model uses the correct password field (default is password). If your admin table uses a different field name (like admin_password), override the getAuthPassword method:

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class Admin extends Authenticatable
{
    protected $fillable = ['email', 'password'];

    // Only needed if your password field isn't named 'password'
    public function getAuthPassword()
    {
        return $this->admin_password;
    }
}

3. Confirm admin passwords are hashed

When creating admin records (via seeder or admin panel), always hash the password using Hash::make():

// Example admin seeder
use App\Models\Admin;
use Illuminate\Support\Facades\Hash;

Admin::create([
    'email' => 'admin@example.com',
    'password' => Hash::make('secure-password-123'), // Never store plain text!
]);

If passwords are stored in plain text, Laravel's attempt method will still hash the input password and compare it—so plain text passwords won't match unless you input the exact plain text. But if you're seeing any password work, this isn't the issue (it's the credential validation step above).


Issue 2: Redirect loop after login

This happens when the authentication middleware isn't checking the correct guard, so Laravel thinks the admin isn't authenticated. Here's how to fix it:

1. Use the correct middleware for admin routes

In your admin route group, make sure you're using the auth:admin middleware (not just auth, which uses the default web guard):

// routes/web.php or routes/admin.php
use App\Http\Controllers\Admin\DashboardController;

Route::prefix('admin')->name('admin.')->group(function () {
    // Public admin routes (login, password reset)
    Route::get('login', [\App\Http\Controllers\Admin\LoginController::class, 'showLoginForm'])->name('login');
    Route::post('login', [\App\Http\Controllers\Admin\LoginController::class, 'login']);
    Route::post('logout', [\App\Http\Controllers\Admin\LoginController::class, 'logout'])->name('logout');

    // Protected admin routes (dashboard, etc.)
    Route::middleware('auth:admin')->group(function () {
        Route::get('dashboard', [DashboardController::class, 'index'])->name('dashboard');
        // Add all other admin routes here
    });
});

The auth:admin middleware tells Laravel to check if the user is authenticated via the admin guard, not the default web guard used for regular users.

2. Update the RedirectIfAuthenticated middleware

This middleware runs on login routes to redirect authenticated users. Make sure it handles the admin guard correctly to avoid unexpected redirects:

namespace App\Http\Middleware;

use App\Providers\RouteServiceProvider;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class RedirectIfAuthenticated
{
    public function handle(Request $request, Closure $next, ...$guards)
    {
        $guards = empty($guards) ? [null] : $guards;

        foreach ($guards as $guard) {
            if (Auth::guard($guard)->check()) {
                // Redirect admins to admin dashboard, regular users to home
                return $guard === 'admin' 
                    ? redirect()->route('admin.dashboard') 
                    : redirect(RouteServiceProvider::HOME);
            }
        }

        return $next($request);
    }
}

3. Validate your auth.php config

Double-check your config/auth.php to ensure the admin guard and provider are correctly set up:

return [
    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'admin' => [
            'driver' => 'session',
            'provider' => 'admins',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],

        'admins' => [
            'driver' => 'eloquent',
            'model' => App\Models\Admin::class,
        ],
    ],

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60,
        ],
        'admins' => [
            'provider' => 'admins',
            'table' => 'admin_password_resets',
            'expire' => 60,
            'throttle' => 60,
        ],
    ],
];

Key points:

  • The admin guard uses the session driver and admins provider.
  • The admins provider points to your Admin model.
  • Add a password reset config for admins if you need that functionality.

4. Check the Authenticate middleware

The default Authenticate middleware should handle multiple guards out of the box, but confirm it hasn't been modified to ignore the admin guard. The default code looks like this:

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Middleware\Authenticate as Middleware;

class Authenticate extends Middleware
{
    protected function redirectTo($request)
    {
        if (!$request->expectsJson()) {
            // Redirect unauthenticated admins to admin login, users to regular login
            return $request->is('admin/*') 
                ? route('admin.login') 
                : route('login');
        }
    }
}

The redirectTo method ensures unauthenticated users are sent to the correct login page based on the route.


Quick Debugging Tips

  • In your admin dashboard controller, add dd(Auth::guard('admin')->check()); to see if the admin is actually authenticated. If this returns false, your guard configuration is the issue.
  • Clear your browser cookies and Laravel cache (php artisan cache:clear, php artisan config:clear) to rule out stale configuration or session issues.
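To keep both fixes from regressing, the checks above can be pinned down in a feature test. The following is an added example, not code from the original page or from Laravel itself. It assumes the routes, admin guard and Admin model shown earlier, a password column named password, migrations for both tables, and the default User factory; the class name, file path and account values are hypothetical.

```php
<?php
// Added example, not from the original page. Assumed path: tests/Feature/AdminAuthTest.php
namespace Tests\Feature;

use App\Models\Admin;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class AdminAuthTest extends TestCase
{
    use RefreshDatabase;

    // Constructed sample account; the e-mail and password are placeholders.
    private function makeAdmin(): Admin
    {
        return Admin::create([
            'email' => 'admin@example.com',
            'password' => Hash::make('correct-horse-battery'),
        ]);
    }

    public function test_wrong_password_is_rejected(): void
    {
        $this->makeAdmin();
        $this->post('/admin/login', ['email' => 'admin@example.com', 'password' => 'not-the-password']);

        // Issue 1: a known e-mail with the wrong password must not create an admin session.
        $this->assertGuest('admin');
        $this->get('/admin/dashboard')->assertRedirect(route('admin.login'));
    }

    public function test_correct_password_reaches_dashboard(): void
    {
        $this->makeAdmin();
        $this->post('/admin/login', ['email' => 'admin@example.com', 'password' => 'correct-horse-battery'])
            ->assertRedirect('/admin/dashboard');

        // Issue 2: the session must be on the admin guard, so auth:admin lets the request through.
        $this->assertAuthenticated('admin');
        $this->get('/admin/dashboard')->assertOk();
    }

    public function test_web_guard_session_does_not_unlock_admin_area(): void
    {
        $user = User::factory()->create(); // assumes the default User factory exists
        $this->actingAs($user, 'web')->get('/admin/dashboard')->assertRedirect(route('admin.login'));
        $this->assertGuest('admin');
    }
}
```

Run it with php artisan test --filter=AdminAuthTest; a failure in the first test points at the credential check, a failure in the second or third at the guard or middleware wiring.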

The question in this content comes from Stack Exchange; question author: Rabee Dakhli
