Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

azim1728's avatar

Redirect user to password request page using middleware causes redirects in loop

I am using Nova 4 and Laravel 10.

I need to redirect user to password update page on their first login using a middleware for it. But it turns up in endless redirection. Below is my code.

Please help me out with it. Thanks in advance.

ForcePasswordReset.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;


class ForcePasswordReset
{

    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $user = auth()->user();

        if ($user && $user->passwordChangedAt === null && !$this->shouldExcludeRoute($request)) {
            return redirect()->route('nova.pages.password.email');
        }

        return $next($request);
    }

    private function shouldExcludeRoute($request)
    {
        $passwordRoutes = [
            'nova.pages.password.email',
            'nova.pages.password.reset',
            'nova.password.email',
            'nova.password.reset'
        ];

        return in_array($request->route()->getName(), $passwordRoutes);
    }
}

Kerne.php

protected $routeMiddleware = [
        // ...
        'forcePasswordReset' => \App\Http\Middleware\ForcePasswordReset::class,
    ];

config/nova.php

 'middleware' => [
        'web',
        HandleInertiaRequests::class,
        DispatchServingNovaEvent::class,
        BootTools::class,
        'forcePasswordReset',
    ],
0 likes
2 replies
LaryAI's avatar
LaryAI
AI
3 years ago
Level 58

The issue is that the middleware is being applied to the password reset routes as well, which causes an endless loop of redirects. To fix this, you can modify the shouldExcludeRoute method to exclude the password reset routes as well:

private function shouldExcludeRoute($request)
{
    $passwordRoutes = [
        'nova.pages.password.email',
        'nova.pages.password.reset',
        'nova.password.email',
        'nova.password.reset'
    ];

    return in_array($request->route()->getName(), $passwordRoutes) || Str::startsWith($request->route()->getName(), 'password.');
}

This will exclude any route that starts with password. in addition to the existing password reset routes.

Alternatively, you can modify the middleware to only apply to specific routes instead of all routes:

public function handle(Request $request, Closure $next): Response
{
    $user = auth()->user();

    if ($user && $user->passwordChangedAt === null && !$this->shouldExcludeRoute($request)) {
        return redirect()->route('nova.pages.password.email');
    }

    return $next($request);
}

private function shouldExcludeRoute($request)
{
    $passwordRoutes = [
        'nova.pages.password.email',
        'nova.pages.password.reset',
        'nova.password.email',
        'nova.password.reset'
    ];

    return in_array($request->route()->getName(), $passwordRoutes);
}

Then, you can apply the middleware only to the routes that need it:

Route::middleware(['forcePasswordReset'])->group(function () {
    // Routes that require password reset
});
azim1728's avatar

@LaryAI I tried your suggestion but it still redirecting me in loops. How can I set middleware for all Nova route except Nova password related routes?

Please or to participate in this conversation.