AshAuthentication.Strategy.Totp.SignInPreparation (ash_authentication v5.0.0-rc.4)

Preparation for the TOTP sign-in action.

Verifies the TOTP code against the user's secret and generates a token on successful authentication.

Replay Attack Protection

TOTP codes can only be used once. After a successful authentication, the last_totp_at field is updated to the code's timestamp to prevent replay attacks. This update is performed atomically with a filter condition to prevent race conditions where concurrent requests could both use the same code.
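
The race described above, as an added example in Python with SQLite (not ash_authentication's own code): a check-then-write flow accepts one code twice when two requests interleave, while a single UPDATE carrying the filter in its WHERE clause accepts it once. The users table, the function names and the 30-second period are assumptions; only the last_totp_at field comes from this page.

```python
import sqlite3

PERIOD = 30  # assumed TOTP step length in seconds

def open_db():
    # In-memory table standing in for the user resource (constructed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, last_totp_at INTEGER)")
    conn.execute("INSERT INTO users (id, last_totp_at) VALUES (1, NULL)")
    conn.commit()
    return conn

def code_timestamp(now):
    # Start of the TOTP period containing `now` (assumed meaning of "the code's timestamp").
    return now - (now % PERIOD)

def racy_check(conn, user_id, code_ts):
    # Read half of a check-then-write flow: True if the code looks unused.
    (last,) = conn.execute("SELECT last_totp_at FROM users WHERE id = ?", (user_id,)).fetchone()
    return last is None or last < code_ts

def racy_write(conn, user_id, code_ts):
    # Write half: unconditional, so it cannot tell that another request got there first.
    conn.execute("UPDATE users SET last_totp_at = ? WHERE id = ?", (code_ts, user_id))
    conn.commit()

def consume_atomic(conn, user_id, code_ts):
    # Filter and write are one statement; only the request whose UPDATE
    # actually changed the row is allowed to authenticate.
    cur = conn.execute(
        "UPDATE users SET last_totp_at = ? "
        "WHERE id = ? AND (last_totp_at IS NULL OR last_totp_at < ?)",
        (code_ts, user_id, code_ts),
    )
    conn.commit()
    return cur.rowcount == 1

def simulate_racy(conn, user_id, code_ts):
    # Interleave two requests with the same code: both read before either writes.
    a = racy_check(conn, user_id, code_ts)
    b = racy_check(conn, user_id, code_ts)
    for ok in (a, b):
        if ok:
            racy_write(conn, user_id, code_ts)
    return [a, b]
```

Because the comparison is strictly less-than, a code from an earlier period is rejected as well as the one just used.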

Summary

Functions

init(opts)

Callback implementation for Ash.Resource.Preparation.init/1.

supports(opts)

Callback implementation for Ash.Resource.Preparation.supports/1.