
Disallow last verified code #97

Open
vilda opened this issue May 26, 2015 · 3 comments

vilda commented May 26, 2015

Code once verified must not be accepted again as per RFC 6238. While not absolutely critical, this helps in cases where the code (and password) were observed by a third party "over the shoulder".

Bouke (Collaborator) commented May 29, 2015

The specification is the following:

Note that a prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP.

MarkusH (Collaborator) commented Jul 10, 2016

As with #98 I think that's a general enhancement django_otp should implement by rejecting a successfully proven token as invalid.

Bouke removed the enhancement label Feb 22, 2018

marcinszachun-identt commented Sep 13, 2023

Hi,

There is logic in django_otp.models.TOTPDevice that does just that: it does not allow previously correctly validated tokens to be used again.

This is based on storing a last_t value in the database, which is the time stamp of the last verified token: https://github.com/django-otp/django-otp/blob/master/src/django_otp/plugins/otp_totp/models.py#L128

Then, when validating a token, all t values that are less than last_t are skipped: https://github.com/django-otp/django-otp/blob/master/src/django_otp/oath.py#L193

What do you think about porting this logic to PhoneDevice and the other devices provided by this library, or even making them closer to TOTPDevice, maybe by inheriting from it?

I would be interested in helping with this ticket if you think this is a good direction, or if you could point me to how this can be fixed some other way.
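To make the RFC 6238 requirement quoted earlier in the thread and the last_t mechanism described in the comment above concrete, here is an added Python example. It is not code from django-two-factor-auth or django_otp; it is a stand-alone verifier modeled on the approach the comment describes (remember the time step of the last accepted token and refuse anything that is not newer). The class and attribute names (TotpVerifier, verify, last_t, min_t), the tolerance handling and the demo secret are assumptions for illustration; the secret is the RFC 4226/6238 test-vector key, so the HOTP/TOTP arithmetic can be checked against the published vectors.

```python
"""Replay-safe TOTP verification (added example, not django-two-factor-auth code).

Tracks the time step (t) of the last successfully verified token and refuses
any token whose t is not strictly newer, which covers both a replay of the
same code and an older code that is still inside the tolerance window.
All names below are assumptions for illustration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 4226 test-vector key); a real deployment
# generates a random per-user key.
DEMO_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp_at(key: bytes, unix_time: float, step: int = 30, t0: int = 0, digits: int = 6) -> int:
    """RFC 6238 TOTP: HOTP with the counter set to the time step t = (time - t0) // step."""
    t = int((unix_time - t0) // step)
    return hotp(key, t, digits)


class TotpVerifier:
    """Verifier that enforces one-time use by remembering last_t (assumed name)."""

    def __init__(self, key: bytes, step: int = 30, tolerance: int = 1, digits: int = 6):
        self.key = key
        self.step = step
        self.tolerance = tolerance
        self.digits = digits
        self.last_t: Optional[int] = None  # time step of the last successful verification

    def verify(self, token: int, unix_time: Optional[float] = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        current_t = int(now // self.step)
        # Only time steps strictly newer than last_t may be accepted. Besides
        # blocking a straight replay, this also rejects an older code that is
        # still within the tolerance window once a newer one has been used.
        min_t = self.last_t + 1 if self.last_t is not None else None
        expected_token = str(token).zfill(self.digits)
        for offset in range(-self.tolerance, self.tolerance + 1):
            t = current_t + offset
            if min_t is not None and t < min_t:
                continue
            candidate = str(hotp(self.key, t, self.digits)).zfill(self.digits)
            if hmac.compare_digest(candidate, expected_token):
                self.last_t = t  # a real app persists this on the user's device record
                return True
        return False


def demo() -> dict:
    """Walk through the thread's scenario at a fixed clock so the outcome is reproducible."""
    v = TotpVerifier(DEMO_KEY, step=30, tolerance=1)
    now = 1_000_000_000  # constructed fixed timestamp
    code_now = totp_at(DEMO_KEY, now)
    code_prev = totp_at(DEMO_KEY, now - 30)
    code_next = totp_at(DEMO_KEY, now + 30)
    return {
        "first_use": v.verify(code_now, now),           # accepted
        "replay_same_step": v.verify(code_now, now),    # rejected: already used
        "older_in_window": v.verify(code_prev, now),    # rejected: t < last_t + 1
        "next_step": v.verify(code_next, now + 30),     # accepted: newer time step
        "replay_next": v.verify(code_next, now + 30),   # rejected again
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Storing last_t must happen in the same transaction as the successful login and should be read with a row lock (or an atomic compare-and-update) so two concurrent requests carrying the same code cannot both pass before either has written the new value.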
