I am building an API by using Laravel 8 with Fortify and without Jetstream. I enabled and integrated two-factor authentication and it works well, but just stumbled upon an issue which I do not know if it's by design or a bug.
So, the problem is when a user is logging in and enters the 2FA code wrongly the first time. In this case, on all subsequent entries, even if the code is correct and valid, it will be rejected. After some digging around, I noticed that the login.id stored in the session in Laravel\Fortify\Actions\RedirectIfTwoFactorAuthenticatable::twoFactorChallengeResponse is cleared out if the code entered the first time is invalid. On all subsequent requests, the login.id in Laravel\Fortify\Http\Requests\TwoFactorLoginRequest::challengedUser() is returning null.
So, my question is: is this intentional and by design? Or did I discover a bug?
My reasoning is that this is a bug because the user has already provided a username and password; now they only need to enter a valid 2FA code to log in completely, so I am not sure why the user should be forced to enter the username and password again if they typed the 2FA code wrongly the first time.
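The quickest way to pin down whether the challenge state really is lost after one wrong code is a feature test that walks the exact sequence described in the question. The test below is an added example, not Fortify's or the poster's code. It assumes Fortify's default routes (`POST /login`, `POST /two-factor-challenge` accepting `code` or `recovery_code`), a `User` model using the `TwoFactorAuthenticatable` trait with the `two_factor_secret` and `two_factor_recovery_codes` columns from Fortify's migration, and a constructed password and recovery code; the second attempt uses a recovery code so no TOTP value has to be computed in the test. If your Fortify version also has the `two_factor_confirmed_at` column, set it in the factory call as well.

```php
<?php
// Added reproduction test for the behaviour described in the question above
// (example code, not Fortify's own). All fixture values are constructed.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class TwoFactorRetryTest extends TestCase
{
    use RefreshDatabase;

    public function test_a_valid_code_is_accepted_after_one_wrong_attempt(): void
    {
        // Constructed fixture. The recovery code is stored the way Fortify stores it
        // (encrypted JSON array) so the retry can use `recovery_code` instead of a TOTP.
        $user = User::factory()->create([
            'password' => Hash::make('constructed-password'),
            'two_factor_secret' => encrypt('CONSTRUCTEDSECRET'),
            'two_factor_recovery_codes' => encrypt(json_encode(['constructed-recovery-code'])),
        ]);

        // Step 1: correct username + password. Fortify stores login.id in the
        // session and redirects to the challenge page instead of logging in.
        $this->post('/login', [
            'email' => $user->email,
            'password' => 'constructed-password',
        ])->assertRedirect('/two-factor-challenge');
        $this->assertGuest();
        $this->assertEquals($user->id, session('login.id'));

        // Step 2: first challenge attempt with a wrong (constructed) code is rejected.
        $this->post('/two-factor-challenge', ['code' => '000000'])
            ->assertSessionHasErrors();
        $this->assertGuest();

        // The challenge state should survive a single wrong code; if this assertion
        // fails, login.id was cleared and every later code will be rejected too.
        $this->assertEquals(
            $user->id,
            session('login.id'),
            'login.id was cleared from the session after one wrong 2FA code'
        );

        // Step 3: a valid recovery code on the same session should complete the login.
        $this->post('/two-factor-challenge', ['recovery_code' => 'constructed-recovery-code']);
        $this->assertAuthenticatedAs($user);
    }
}
```

Run it with `php artisan test --filter TwoFactorRetryTest`. The middle assertion is the one that answers the question: if it fails while steps 1 and 2 pass, the session key is being dropped on the first invalid attempt, which is what the question reports. Whatever the intended behaviour turns out to be, keep the existing rate limiting on the challenge route in place, since allowing retries on the same session only makes sense together with the throttle.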