Conversation

@kontaxis kontaxis commented Nov 6, 2025

When FLATNOTES_AUTH_TYPE is totp the user cannot log in, log out, and log back in within 30 seconds.
This change addresses the issue.

How to reproduce the issue:

  1. Confirm that FLATNOTES_AUTH_TYPE is totp, FLATNOTES_USERNAME and FLATNOTES_PASSWORD are defined.
  2. Log into Flatnotes and note the current 2FA code (in your 2FA application).
  3. Immediately log out and try to log back in.
  4. Observe that the 2FA code hasn't changed. If it has, go to step (2).
  5. Observe that login fails with an error message indicating incorrect credentials.

Expected results:
At step 5 login is successful given the correct username, password, and the current 2FA code.

Actual results:
Log in fails.

Discussion:
Flatnotes keeps track of the current 2FA code and does not allow it to be reused.
However, the user can't get a new code on demand, and pyotp rotates codes every 30 seconds.
So if the user logs in, logs out, and tries to log in again before a new 2FA code is available, they'll get a confusing "incorrect login credentials" message and no recourse.
Given the pyotp behavior, I'm not sure what the purpose of the current Flatnotes logic is.

This change allows 2FA codes to be reused as long as they match totp.now().

dullage (Owner) commented Nov 6, 2025

Thanks for the PR @kontaxis. However, preventing the re-use of a TOTP token is intentional as it's a fairly standard security recommendation (to prevent replay attacks and the like).

kontaxis (Author) commented Nov 6, 2025

Given how pyotp generates tokens, a 2FA code cannot be reused after 30 seconds (worst case).
Doesn't this sufficiently mitigate the replay attack concern?
We could reduce the TOTP interval further, e.g., to 15 seconds.

Right now the issue is that the user will fail to log in despite having the correct password and 2FA code. This is unexpected.

If we feel strongly about the current added restriction, perhaps the error message should hint that the user needs to try "later" when TOTP is enabled.
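The single-use check the thread is debating, written out as an added example that is not Flatnotes' or pyotp's own code and uses only the Python standard library; the secret is the RFC 4226/6238 reference test secret and the timestamps in the usage are fixed values, not the real clock. It accepts each 30-second step's code once, and reports a replayed code separately from a wrong one so the login error can hint that the user should wait for the next code, which is the alternative raised at the end of the thread.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference test secret ("12345678901234567890"), base32-encoded.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, interval=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, int(at) // interval)


class TotpVerifier:
    """Single-use check: each time step's code is accepted once, as in the logic the
    thread describes, but a replayed code is reported separately from a wrong one.
    No clock-drift window is applied (the thread only compares against totp.now())."""

    def __init__(self, secret_b32, interval=30):
        self.secret_b32 = secret_b32
        self.interval = interval
        self.last_counter = None  # highest time step whose code was already consumed

    def verify(self, code, at=None):
        now = time.time() if at is None else at
        counter = int(now) // self.interval
        expected = hotp(self.secret_b32, counter)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "INVALID"       # wrong code: keep the generic credential error
        if self.last_counter is not None and counter <= self.last_counter:
            return "REPLAYED"      # correct but already consumed: ask the user to wait
        self.last_counter = counter
        return "OK"


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    print(v.verify(totp(TEST_SECRET_B32, 35), 35))  # OK
    print(v.verify(totp(TEST_SECRET_B32, 35), 50))  # REPLAYED (same 30-second step)
```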
