301 Redirect to /login after posting with AJAX even though I'm logged in.

Hey all, I setup a admin route group in RouteServiceProvider.php with web middleware group and auth middleware:

protected function mapAdminRoutes()
{
        Route::prefix('admin')
            ->middleware(['web', 'auth'])
            ->namespace($this->namespace.'\Admin')
            ->group(base_path('routes/admin.php'));
}
        

Here's what my app/Http/Kernel.php looks like:

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     *
     * These middleware are run during every request to your application.
     *
     * @var array
     */
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \Barryvdh\Cors\HandleCors::class,
        \Frenzy\Turbolinks\Middleware\StackTurbolinks::class,
    ];

    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];

    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
    ];
}

I have this route registered in routes/admin.php:

Route::post('/poems/update-order', 'PoemController@updateOrder');

I'm posting to this route client-side when I'm already logged in like so:

fetch('/admin/poems/update-order', {
      method: 'POST',
      body: JSON.stringify({
            order: order                
      }),
      headers: {                
            'Content-Type': 'application/json',
            'X-CSRF-TOKEN': window.Laravel.csrfToken
      }
})

And I'm getting a 302 redirect to /login. I've done a bunch of reading on this and it seems like the app should be picking up the user from session. For what it's worth, I've tried to use both file and cookie session drivers with the same result. I've tried a bunch of different things but the only thing that seems to work is removing the auth middleware. However, I need this to ensure the user is logged in when making the request. Anyone else run into this? I'm currently on Laravel v5.5.39.

Also, just to verify, here's what the route looks like when I list routes:

| | POST | admin/poems/update-order | | App\Http\Controllers\Admin\PoemController@updateOrder | web,auth |

I've seen this thread referenced a lot:

https://laravel.io/forum/02-09-2016-52-ajax-auth-not-picking-up-session

But, as you can see, I'm not using an api middleware group or anything, so I don't think I'm missing any middleware.