Users can enable TOTP with a recovery code
When a user is setting up TOTP, if they already have recovery codes (i.e. they have U2F enabled and enabled recovery codes), they can provide a recovery code rather than a TOTP code generated from the TOTP seed.
I should prevent this from happening. I have created a method in RegistrationsController, valid_otp_attempt_no_recovery?, which I can use to validate TOTP (no recovery codes), so I can probably insert some logic into the existing manage TOTP method, but I may be better off splitting add and delete into separate methods, especially since it would allow me to have a separate URL for enabling TOTP and disabling TOTP via TOTP/recovery code (U2F has [key]/delete/u2f and [key]/delete/totp, while TOTP just has /totp (enable, disable via TOTP/recovery code) and /totp/u2f (disable TOTP via U2F)).
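The distinction being drawn above, as an added Ruby sketch that is not the project's code: a plain TOTP check beside the combined TOTP-or-recovery check, with the enable path restricted to the former so a recovery code can never stand in for proof of the new seed. The User struct, the raw-byte seed, and all method bodies are assumptions made for this example (a Rails app would normally use the rotp gem).

```ruby
require "openssl"

# RFC 6238 TOTP over HMAC-SHA1, 6 digits, 30-second steps.
# `secret` is the raw seed bytes (constructed demo, not production code).
def totp_code(secret, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack("Q>")          # 8-byte big-endian step count
  hmac = OpenSSL::HMAC.digest("SHA1", secret, counter).bytes
  offset = hmac.last & 0x0f                        # dynamic truncation
  bin = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
        (hmac[offset + 2] << 8) | hmac[offset + 3]
  format("%0#{digits}d", bin % 10**digits)
end

# Constant-time comparison of a submitted code against the current TOTP value.
def valid_totp?(secret, code, time: Time.now)
  OpenSSL.secure_compare(code.to_s, totp_code(secret, time))
end

# Minimal stand-in for the user record (assumed shape for this example).
User = Struct.new(:totp_secret, :recovery_codes)

# The shared "manage TOTP" check: accepts either a TOTP code or a recovery code.
# Fine for disabling TOTP, wrong for enabling it (the bug described above).
def valid_otp_attempt?(user, code, time: Time.now)
  valid_totp?(user.totp_secret, code, time: time) ||
    user.recovery_codes.include?(code)
end

# Setup-only check: only a code derived from the new seed is accepted.
def valid_otp_attempt_no_recovery?(user, code, time: Time.now)
  valid_totp?(user.totp_secret, code, time: time)
end

# Enabling TOTP must go through the no-recovery check; returns true on success.
def enable_totp(user, code, time: Time.now)
  valid_otp_attempt_no_recovery?(user, code, time: time)
end
```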