Debugging 401 Unauthorized on Laravel web/auth route

Authenticate.php

class Authenticate extends \Illuminate\Auth\Middleware\Authenticate
{
    protected function redirectTo($request)
    {
        if (! $request->expectsJson()) {
            return route('login');
        }
    }
}

csrf.js

const csrfToken = document.head.querySelector('meta[name="csrf-token"]');

if (csrfToken) {
    result = csrfToken.content
      if (!result) console.error('CSRF token is empty. Session has expired.');
} else {    
    console.error('CSRF token not found.');
    result = null
}

export default result;

FileList.script.js

import bytesToSize from '@netshapers/resources/js/util/bytesToSize';
import Dropzone from 'dropzone';
import csrfToken from '@netshapers/resources/js/util/csrf';

export default {
    props: {
        id: Number, // directory id
        items: Array
    },
     data() {
      return {
        fields: [
          {
            key: 'title',
            sortable: true
          },
          {
            key: 'name',
            sortable: true
          },
          {
            key: 'size',
            sortable: true,
            formatter: bytesToSize
          },
          {
            key: 'created-at',
            sortable: true,
            label: 'Date'
          },
          {
            key: 'actions',
            label: '',
            headerTitle: 'Actions',
            sortable: false
          },
        ],
      }
    },
    methods: {        
        totalSize() {
            return bytesToSize(this.items.reduce(
              (accumulator,item) => accumulator + item.size
            , 0));
        },
        removeIncomingItems() {
            for (let x in items) {
              if (items.incoming) delete items[x];
            }
            this.dragging = false;
        },
    },
    mounted() {
      const vm = this;
      const id = this.id;
      this.dropzone = new Dropzone(document.body, { // Make the whole body a dropzone
        url: "/directories/"+id+'/upload', // Set the url
        clickable: "#add-file", // Define the element that should be used as click trigger to select files.
        previewTemplate: "<tr class=\"dz-preview dz-file-preview\"><td></td><td class=\"dz-filename\"><span data-dz-name></span></td class=\"dz-size\" data-dz-size><td></td><td>Now</td><td></td></tr>",
        headers: { 
          'X-CSRF-TOKEN': csrfToken,
          'X-Requested-With': 'XMLHttpRequest',
          //'Authorization': 'Bearer '+csrfToken
        },       
      });
      this.dropzone.on('success', file => {
        vm.$emit('dropzone-success', file, vm.dropzone.element);
      });
      this.dropzone.on('addedfile', file => {
        vm.$emit('dropzone-fileAdded', file);
      });
      this.dropzone.on('removedfile', file => {
        vm.$emit('dropzone-removedFile', file);
      });
      this.dropzone.on('error', (file, error, xhr) => {
        vm.$emit('dropzone-error', file, error, xhr);
      });
      this.dropzone.on('successmultiple', (file, error, xhr) => {
        vm.$emit('dropzone-successmultiple', file, error, xhr);
      });
    }
}

Kernel.php

class Kernel extends \Illuminate\Foundation\Http\Kernel
{
    protected $middleware = [
        \App\Http\Middleware\TrustProxies::class,
        \App\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    ];
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            // \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            'throttle:60,1',
            'bindings',
        ],
    ];
    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
    ];
    protected $middlewarePriority = [
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\Authenticate::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Auth\Middleware\Authorize::class,
    ];
}

routes.php

Route::middleware('auth:web')
    ->group(function()  {

Route::post('/directories/{id}/upload','DirectoryController@upload')->name('directories.upload');

});

Laravel calls \Illuminate\Auth\Middleware\Authenticate::authenticate with no guards. With no guards, it throws an AuthenticationException. artisan route:list confirms that the directories.upload route has the auth and web middlewares, but maybe Laravel isn't including them?