Jetstream Two Factor Authentication

@rg83 This is actually part of the Fortify code that Jetstream uses.

vendor/laravel/fortify/src/Http/Controllers/TwoFactorAuthenticatedSessionController.php:59

/**
 * Attempt to authenticate a new session using the two factor authentication code.
 *
 * @param  \Laravel\Fortify\Http\Requests\TwoFactorLoginRequest  $request
 * @return mixed
 */
public function store(TwoFactorLoginRequest $request)
{
    $user = $request->challengedUser();

    if ($code = $request->validRecoveryCode()) {
        $user->replaceRecoveryCode($code);  // Recovery code regenerated here
    } elseif (! $request->hasValidCode()) {
        return app(FailedTwoFactorLoginResponse::class);
    }

    $this->guard->login($user, $request->remember());

    $request->session()->regenerate();

    return app(TwoFactorLoginResponse::class);
}

This was part of Taylor's initial commit on this repo so there isn't anything documented about the decision to do this here.

I agree this isn't made clear to the user with the stock Jetstream setup. I went ahead and created an issue here:

https://github.com/laravel/fortify/issues/255

That all said, if you want to override the reset functionality... just copy this into a file called app/Http/Controllers/TwoFactorAuthenticatedSessionController.php

<?php

namespace App\Http\Controllers;

use Illuminate\Routing\Controller;
use Laravel\Fortify\Contracts\FailedTwoFactorLoginResponse;
use Laravel\Fortify\Contracts\TwoFactorLoginResponse;
use Laravel\Fortify\Http\Requests\TwoFactorLoginRequest;

class TwoFactorAuthenticatedSessionController extends Controller
{
    public function store(TwoFactorLoginRequest $request)
    {
        $user = $request->challengedUser();

        if ($code = $request->validRecoveryCode()) {
            // $user->replaceRecoveryCode($code);
        } elseif (! $request->hasValidCode()) {
            return app(FailedTwoFactorLoginResponse::class);
        }

        $this->guard->login($user, $request->remember());

        $request->session()->regenerate();

        return app(TwoFactorLoginResponse::class);
    }
}

This will override that method because of PSR-4 auto-loading. Having that line commented out will prevent the reset from occurring.