Google Authenticator formats 2FA codes as 000 000 which leads some users to enter 2FA codes with a space as well in which case their login will be rejected.
In my opinion it's reasonable to expect 2FA codes to get stripped of whitespaces.
I've tried both Twitter and GitHub which enforce input validation to provide a proper formatted 2FA code (without spaces). This should therefor be enforced in userland, not in Fortify.
Google Authenticator formats 2FA codes as
000 000
which leads some users to enter 2FA codes with a space as well in which case their login will be rejected. In my opinion it's reasonable to expect 2FA codes to get stripped of whitespaces.I have implemented this in my app by changing https://github.com/laravel/fortify/blob/2ca0c06bf7385d26730cfc3783865a9c06a51f63/src/Http/Requests/TwoFactorLoginRequest.php#L55-L60 to