
antoniolima's avatar

Fortify works locally but not when deployed on Heroku

I've installed Fortify at work and implemented 2FA locally without any issues (i.e. users can enable it, scan the QR code, input a code to confirm and after that it will always ask for a 2FA code when logging in). Before Fortify we had some custom routes/logic to handle authentication but I ended up getting rid of it and using Fortify's routes so that all authentication "flows through" Fortify. But when I deployed the branch to our Heroku staging environment and tried to log in, I got a blank screen after the /login POST request was fired (server returns a 500 error).

After checking the logs on Heroku I saw this error:

session_cache_limiter(): Session cache limiter cannot be changed when a session is active

After fixing this, the /login POST request started returning a 405 error instead, which is weird. Yes, only the GET /login route is defined in routes.php (our own custom route) but Fortify's own routes should also be registered and if I run php artisan route:list I can see all of them.

I decided to hardcode the route just to see what would happen and added this to routes\web.php:

Route::post('/login', [\Laravel\Fortify\Http\Controllers\AuthenticatedSessionController::class, 'store']);

And sure enough, logging in worked. But I was now getting a new error:

Target [Laravel\Fortify\Contracts\LoginResponse] is not instantiable.

The user was indeed being logged in so if I tried to access any route I could navigate the website just fine. But when I tried to go to the Settings page and enable 2FA I got this error:

Route [two-factor.enable] not defined.

So it seems that all Fortify routes aren't being properly registered, somehow. I added this to the register method in FortifyServiceProvider.php:

$this->app->instance(LoginResponse::class, new class implements LoginResponse {
    public function toResponse($request)
    {
        return redirect('/');
    }
});

This did fix the previous error and allowed me to login without any issues. However, if I log in having 2FA enabled, I do get the 2FA challenge view but after inputting the 2FA code I get this error:

Target [Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider] is not instantiable.

So I don't think this is the right path and there must be a root problem that is causing all these errors.

I also found this Reddit thread where someone seemed to have the same issue but sadly their solution didn't work. https://www.reddit.com/r/laravel/comments/wga7h6/fortify_api_server_returning_405_on_all_fortify/

I've spent several days trying to fix this so any help will be much appreciated!

0 likes
3 replies
LaryAI's avatar
Level 58

It sounds like the issue is related to the routes not being properly registered. You mentioned that you can see all of the Fortify routes when you run php artisan route:list, so it seems like the routes are being registered, but something is preventing them from working properly.

One thing you can try is to make sure that the FortifyServiceProvider is being registered in your config/app.php file. You can check this by looking for the Laravel\Fortify\FortifyServiceProvider::class entry in the providers array. If it's not there, you can add it and see if that helps.

Another thing you can try is to make sure that the Fortify middleware is being registered in your app/Http/Kernel.php file. You can check this by looking for the \Laravel\Fortify\Http\Middleware\Authenticate::class entry in the $routeMiddleware array. If it's not there, you can add it and see if that helps.

If neither of these solutions works, you can try to debug the issue further by using the dd() helper function to inspect the $request object in the AuthenticatedSessionController class. You can add the following code to the store() method in the AuthenticatedSessionController class:

public function store(Request $request)
{
    dd($request);
    // ...
}

This will output the contents of the $request object to the browser, which should give you some more information about what is causing the issue.

I hope this helps!

antoniolima's avatar

@LaryAI That was a great AI answer!

So, FortifyServiceProvider is definitely registered otherwise it wouldn't work locally either.

Regarding the Fortify middleware... I don't think that's a thing, right? \Laravel\Fortify\Http\Middleware\Authenticate doesn't exist.

As for using dd() within Fortify's source code, it's not an option unfortunately. Heroku does a fresh installation of the entire application and its dependencies every time something is deployed so I don't have direct access to the files; I can see them and run some things like artisan or tinker but it's not the same as a local environment.
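
Added example, not part of any post in this thread: a read-only diagnostic that can be run on the deployed app without editing Fortify's source, reporting the state behind each error quoted above (the two unbound contracts, the missing `two-factor.enable` route, and the POST /login 405). The file name `fortify-diag.php`, its location in the project root, and the function name `fortifyDiagnostics` are assumptions.

```php
<?php
// Added diagnostic (not from the thread). Assumed to be saved as
// fortify-diag.php in the project root and run with: php fortify-diag.php
use Illuminate\Contracts\Console\Kernel;
use Illuminate\Support\Facades\Route;
use Laravel\Fortify\Contracts\LoginResponse;
use Laravel\Fortify\Contracts\TwoFactorAuthenticationProvider;
use Laravel\Fortify\Fortify;

require __DIR__.'/vendor/autoload.php';
$app = require __DIR__.'/bootstrap/app.php';
// Boot the framework the same way artisan does (providers, config, routes).
$app->make(Kernel::class)->bootstrap();

// Hypothetical helper: collects everything the quoted errors depend on.
function fortifyDiagnostics($app): array
{
    $report = [
        'env' => $app->environment(),
        // Cached config/routes are served from bootstrap/cache, not from source.
        'config_cached' => $app->configurationIsCached(),
        'routes_cached' => $app->routesAreCached(),
        // False if Fortify::ignoreRoutes() was called somewhere.
        'fortify_registers_routes' => Fortify::$registersRoutes,
        'fortify_features' => config('fortify.features'),
    ];
    // Fortify-related service providers that actually loaded in this environment.
    $report['providers'] = array_values(array_filter(
        array_keys($app->getLoadedProviders()),
        fn ($provider) => str_contains($provider, 'Fortify')
    ));
    // Contracts named in the "is not instantiable" errors.
    foreach ([LoginResponse::class, TwoFactorAuthenticationProvider::class] as $contract) {
        $report['bound'][$contract] = $app->bound($contract);
    }
    // Named route from the "not defined" error, and POST /login from the 405.
    $report['routes']['two-factor.enable'] = Route::has('two-factor.enable');
    $report['routes']['POST login'] = collect(Route::getRoutes()->getRoutes())
        ->contains(fn ($r) => $r->uri() === 'login' && in_array('POST', $r->methods()));

    return $report;
}

echo json_encode(fortifyDiagnostics($app), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Running it locally and on the staging dyno and diffing the two JSON reports shows which of these values differs between the environments.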

johnDoe220's avatar
chmod 775 laravelapp
chmod 775 laravelapp/storage
chmod 775 laravelapp/bootstrap/cache
chmod -R g+w ./storage
