Hacker News

First, the scam would be asking for the code at random or not, because it can't know whether the user has 2FA activated or not. So that is one way of noticing that it's a scam. Second, the code only works for 30 seconds or so.

I don't know if there's some way of logging in through Google's APIs as soon as the user enters the username and password. Also, I'm almost sure that Google requires you to enter the code via a form that is provided by them (at a Google URL). So I'm thinking of something like logging in to Google using server-side code and somehow using the code that the user provides to enter into the Google form (that will be displayed on the server side).

I'm still not sure if there's any way of doing this using code. If there's no way of doing it using code, then the attacker would have to be fast enough to use your login and token in less than 30 seconds (or even less when the code is entered later). So it reduces the chances of getting attacked a lot.



A sophisticated attack can completely imitate 2FA.

The first bit: it starts by asking for a username and password and uses JavaScript to async-post it. The evil server then tries to log in to Google. If Google returns that a 2FA code is needed, it prompts for it.

I have no clue what you mean by "through Google's API"... An attacker does not have to follow an API. Anything the user can do with their browser, the attacker can imitate on a remote server. Absolutely anything except the source IP.

Your entire "no way of doing this using code" makes no sense at all. Posting data is something that can easily be done programmatically. Posting data through a middleman is similarly easy.

The only way that 2FA helps (edit: as alcari points out, this doesn't help much) is that the attacker can't change your password, because on initiating that, I believe Google asks for another 2FA code, and I don't think the attacker could reasonably expect to get you to enter two 2FA codes in a row. It also does make it harder for the attacker to code it up, but it's not even that much harder.


> I don't think the attacker could reasonably expect to get you to enter two 2FA codes in a row.

Just tell the user the first one failed, and ask them to enter another.


Seven-plus years ago I was investigating phishing scams that were, in real time, taking the username and password, trying it against the real server, and then prompting the user accordingly (in that case, kicking them back if they entered the wrong password). It's not that big of a leap to do the same thing to see if they have 2FA enabled.


Make the 2FA code one-time use only; then the code would be useless.


Not true. The attacker is the only one who actually uses the 2FA. The user never gets logged in.

