- Issue created by @cmlara
Remove usage of alreadyAcceptedCode()/storeAcceptedCode() in the TOTP, HOTP and Recovery Code plugins.
The TOTP and HOTP plugins are able to validate a token based on an increasing counter.
The Recovery Code plugin removes accepted codes from its configuration once they are accepted.
Not all configured TOTP tokens will have reached this configuration state yet, as it was only added in 8.x-1.3. While the initial thought would be that we could assume the user's last login time is the latest code used, we can't actually guarantee that, as the service_tfa plugin may have consumed tokens without updating the user login time. What we can assume is that now() + timeSkew have been used. We could use a mass update hook to use this upper bound.
Site owners would be encouraged to run >=8.x-1.3 for some time with their user base to allow as many accounts as possible to obtain the timeSlice; however, if sites use a short time skew (such as the default of 2, which is ~1 minute in the future) they may determine on their own that the blackout window is small enough not to be of concern.
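As an added illustration (not the TFA module's own code), the following Python model shows the replay check the issue relies on: a code is only accepted for a time slice strictly greater than the last accepted slice, so no list of already-accepted codes is needed, and accounts with no stored slice are seeded with the now() + timeSkew upper bound. It assumes a 30-second TOTP step and a skew counted in slices; the secret is the RFC 4226 test key.

```python
import hmac, hashlib, struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def time_slice(now: int) -> int:
    """Counter value for a Unix timestamp: floor(now / step)."""
    return now // STEP

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def migration_upper_bound(now: int, time_skew: int) -> int:
    """Seed for accounts that have no stored slice: assume every slice up to
    now + timeSkew may already have been consumed (the mass-update idea)."""
    return time_slice(now) + time_skew

class TotpValidator:
    """Replay protection by a monotonically increasing accepted time slice
    instead of a stored list of already-accepted codes (constructed model)."""

    def __init__(self, secret: bytes, time_skew: int = 2, last_slice=None):
        self.secret = secret
        self.time_skew = time_skew
        self.last_slice = last_slice  # None: slice tracking never recorded

    def validate(self, code: str, now: int) -> bool:
        current = time_slice(now)
        for offset in range(-self.time_skew, self.time_skew + 1):
            candidate = current + offset
            # Any slice at or below the last accepted one is treated as a replay.
            if candidate < 0 or (self.last_slice is not None
                                 and candidate <= self.last_slice):
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_slice = candidate
                return True
        return False
```

The blackout window in the issue is visible in the seeded case: codes for slices up to the bound are refused, and the first code for a later slice is accepted.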
N/A
Remove usage of alreadyAcceptedCode()/storeAcceptedCode() but leave the methods in the base plugin.
Patch
None
None
Internal only.
Active
2.0
Code