- Don't allow code re-use; successfully used codes will be invalid on repeated use for the window time
- Don't attach the full twofactor secret to user object in session for security. Only store a boolean if it's enabled for rendering, checks, etc. The full account should be fetched first before doTwoFactor()
- Better names for some keys of twofactor Redis stuff
got the changes to itself done to return the middleware function,
and for most routes I updated them
still TODO the more complex routes, and change them to the refactored schema checking
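
The first two points of the message above, sketched as an added example (not code from this commit or its project). The names `ReplayGuard`, `checkTwoFactor`, `toSessionUser`, the key format, the 30-second window and the injected `verify` function are all assumptions; a `Map` stands in for Redis.

```javascript
// Added example; every name here is hypothetical, not taken from the project.
const WINDOW_MS = 30000; // assumed acceptance window; the message does not state it

class ReplayGuard {
  // now: injectable clock so the expiry behaviour can be tested deterministically
  constructor(now = Date.now) {
    this.used = new Map(); // key -> expiry timestamp in ms (Redis would expire keys itself)
    this.now = now;
  }

  // Returns true the first time (userId, code) is claimed inside the window,
  // false on any repeat. With Redis the same check-and-set is one atomic
  // command: SET key 1 NX PX ttlMs.
  claim(userId, code, ttlMs = WINDOW_MS) {
    const key = `2fa:used:${userId}:${code}`; // constructed key format
    const t = this.now();
    const expiry = this.used.get(key);
    if (expiry !== undefined && expiry > t) return false; // still marked as used
    this.used.set(key, t + ttlMs);
    return true;
  }
}

// Verify first, then claim: only successfully used codes get burned, so a
// wrong guess never blocks the legitimate code.
// account: the full record fetched from storage, not the session object.
// verify: the TOTP check, injected here because the project's own is not shown.
function checkTwoFactor(account, code, guard, verify) {
  if (!verify(account.twoFactorSecret, code)) return "invalid";
  return guard.claim(account.id, code) ? "ok" : "replayed";
}

// What goes into the session: a flag for rendering and checks, never the secret.
function toSessionUser(account) {
  return { id: account.id, twoFactorEnabled: Boolean(account.twoFactorSecret) };
}
```

If the verifier accepts codes from neighbouring time steps, the TTL passed to `claim` has to cover that whole acceptance range, otherwise a code can expire from the guard while the verifier still accepts it.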