Description
Fortify Version
1.25.1
Laravel Version
11.37
PHP Version
8.3
Database Driver & Version
No response
Description
I am successfully using Fortify to activate 2FA with Free OTP in a Laravel/Inertia/Fortify/Vue setup, but when I deactivate it the confirmed_at field is not nulled. Is that by design, or a problem with my use-case understanding?
Please excuse me in advance if it's an issue with my use case or an outdated version.
By successfully I mean I made a Vue component which via a slider button activates and deactivates 2FA.
If it gets activated, QR, recovery codes and confirmation field are shown, and if the code is entered, the corresponding POST is called and two_factor_confirmed_at is set.
If it gets deactivated, secret and recovery codes get deleted but NOT the two_factor_confirmed_at field.
As the confirm is a separate POST call, I thought perhaps there is a separate call to unconfirm, but I only see one delete route:
Route::delete(RoutePath::for('two-factor.disable', '/user/two-factor-authentication'), [TwoFactorAuthenticationController::class, 'destroy'])
    ->middleware($twoFactorMiddleware)
    ->name('two-factor.disable');
So my issue is: why is the two_factor_confirmed_at field not nulled when 2FA is disabled?
Steps To Reproduce
Setup 2FA with a separate POST request to the /user/confirmed-two-factor-authentication endpoint
and then
axios.delete('/user/two-factor-authentication')
Expected would be that all 3 fields
two_factor_secret
two_factor_recovery_codes
two_factor_confirmed_at
would get nulled,
but only the first two are nulled.
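
The reproduction above written as a Laravel feature test, which passes only when all three columns are cleared. This is an added example, not part of the original report or of Fortify's own test suite. It assumes the default `App\Models\User` model with its factory and Fortify's two-factor columns migrated, and it seeds the columns directly instead of going through the enable and confirm requests; the class and method names are hypothetical.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Hypothetical test class, written for this example only.
class DisableTwoFactorClearsStateTest extends TestCase
{
    use RefreshDatabase;

    public function test_disabling_two_factor_nulls_all_three_columns(): void
    {
        // Constructed state standing in for a user who enabled and confirmed 2FA.
        // forceFill bypasses mass-assignment protection on these columns.
        $user = User::factory()->create();
        $user->forceFill([
            'two_factor_secret' => encrypt('constructed-secret'),
            'two_factor_recovery_codes' => encrypt(json_encode(['constructed-code-1'])),
            'two_factor_confirmed_at' => now(),
        ])->save();

        // JSON request, as axios.delete() would send it. The session key
        // satisfies the password.confirm middleware if it guards the route.
        $response = $this->actingAs($user)
            ->withSession(['auth.password_confirmed_at' => time()])
            ->deleteJson('/user/two-factor-authentication');

        $response->assertSuccessful();

        // Reload from the database so stale in-memory attributes are not checked.
        $user = $user->fresh();

        $this->assertNull($user->two_factor_secret);
        $this->assertNull($user->two_factor_recovery_codes);
        // The column the report says is left populated after disabling.
        $this->assertNull($user->two_factor_confirmed_at);
    }
}
```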