Update a bunch of middleware, pages and libs to destructure i18n funcs if used more than once to not repeat res.locals
ref #396 (going to try and remember this from now on)
- Don't allow code re-use, successfully used codes will be invalid on repeated use for the window time
- Don't attach the full twofactor secret to user object in session for security. Only store a boolean if it's enabled for rendering, checks, etc. The full account should be fetched first before doTwoFactor()
- Better names for some keys of twofactor redis stuff
Add warning to twofactor.html that other sessions will be logged out and they have to log in again
Change cache-control header to no-cache, even though private is secure (prevent showing cached page without outdated secret)