@codebymini codebymini commented Aug 11, 2025

Block Sending Loop Commands with Same TOTP Code

Overview

This commit implements a security enhancement to prevent the reuse of Time-based One-Time Password (TOTP) codes when sending Loop commands via APNS (Apple Push Notification Service). The change ensures that each TOTP code can only be used once within its 30-second validity period.

Key Changes

  1. New Storage Properties (Storage.swift)
    • Added loopAPNSTOTPUsed: Boolean flag to track if a TOTP code has been used
    • Added loopAPNSTOTPLastUsed: Timestamp tracking when the TOTP was last used
  2. Enhanced TOTP Validation Logic
    • Bolus View (LoopAPNSBolusView.swift): Added isTOTPBlocked computed property
    • Carbs View (LoopAPNSCarbsView.swift): Added identical isTOTPBlocked computed property
    • Both views now check TOTP usage status before allowing command submission
  3. UI Enhancements
    • Warning Display: Added visual warning section when TOTP is blocked, showing:
      • Orange warning icon with "TOTP Code Already Used" message
      • Explanatory text about waiting for the next code
    • Button State Management: Send buttons are disabled when TOTP is blocked
  4. Automatic TOTP Reset Logic
    • Timer-based Reset: Automatically resets TOTP usage flag when a new 30-second period begins
    • Safety Checks: Multiple validation points ensure TOTP blocking is properly managed:
      • When moving to a new TOTP period
      • At the start of each new period (≥29 seconds remaining)
      • Fallback check for 30+ seconds elapsed since last use
  5. Command Success Tracking
    • TOTP usage is marked with timestamp when commands are successfully sent
    • Prevents immediate reuse of the same TOTP code

@codebymini codebymini changed the title Block sending loop commands with same totp code Block sending loop commands with same TOTP code Aug 11, 2025
@bjorkert bjorkert marked this pull request as draft August 13, 2025 18:57
@bjorkert bjorkert requested a review from marionbarker August 15, 2025 18:10
@bjorkert bjorkert marked this pull request as ready for review August 15, 2025 18:10

marionbarker commented Aug 15, 2025

Test

Using LoopFollow dev build

  • send remote carb request when 28 sec is shown on the OTP line
  • send a second remote carb request at 9 sec on the same OTP
  • observe "Error: Password already used" (visible at NS and LoopFollow)

Build using code from the PR and repeat test

  • send remote carb request when 28 sec is shown on the OTP line
  • observe
    • the Warning: TOTP Code Already Used message replaces the OTP line section
    • when the successful command message is acknowledged, user is returned to remote screen
    • returned to Carb remote screen and see warning is still there
    • Current OTP code replaces the warning once a new OTP is available
  • send new remote carb as soon as OTP code appears - success

Repeat successful test of "Code already used" blocking for remote bolus.

Confirm there is no blocking for remote Overrides (which do not require OTP).

@marionbarker marionbarker merged commit fe90560 into loopandlearn:dev Aug 15, 2025
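
A sketch of the blocking rule discussed in this PR, added here as an illustration and not taken from the LoopFollow code base: it derives the blocked state from the 30-second window of the last successful send rather than from a separate flag. `TOTPReplayGuard` and its members are hypothetical names, and the timeline is constructed to follow the 28 s / 9 s steps of the test above.

```swift
import Foundation

/// Hypothetical client-side replay guard; names are illustrative, not LoopFollow's.
struct TOTPReplayGuard {
    /// TOTP time step in seconds (the 30-second validity period from the PR).
    let period: TimeInterval = 30
    /// Time of the last successful send that consumed a code; nil if none yet.
    private(set) var lastUsed: Date?

    /// Index of the 30-second window that contains `date`.
    func step(for date: Date) -> Int64 {
        Int64((date.timeIntervalSince1970 / period).rounded(.down))
    }

    /// Seconds left in the window containing `now`, as shown on the OTP line.
    func secondsRemaining(at now: Date) -> Int {
        let elapsed = now.timeIntervalSince1970.truncatingRemainder(dividingBy: period)
        return Int((period - elapsed).rounded(.up))
    }

    /// Blocked while `now` falls in the same window as the last successful send.
    func isBlocked(at now: Date) -> Bool {
        guard let used = lastUsed else { return false }
        return step(for: now) == step(for: used)
    }

    /// Record usage only after the command was sent successfully.
    mutating func markUsed(at now: Date) {
        lastUsed = now
    }
}

// Constructed timeline: 1_755_000_000 is a multiple of 30, so it starts a window.
let windowStart = Date(timeIntervalSince1970: 1_755_000_000)
var replayGuard = TOTPReplayGuard()

let firstSend = windowStart.addingTimeInterval(2)    // 28 s remaining
print(replayGuard.secondsRemaining(at: firstSend), replayGuard.isBlocked(at: firstSend))
replayGuard.markUsed(at: firstSend)                  // command succeeded

let secondTry = windowStart.addingTimeInterval(21)   // 9 s remaining, same code
print(replayGuard.secondsRemaining(at: secondTry), replayGuard.isBlocked(at: secondTry))

// Only 28 s have elapsed since use, but the code has rolled over: not blocked.
let nextWindow = windowStart.addingTimeInterval(30)
print(replayGuard.secondsRemaining(at: nextWindow), replayGuard.isBlocked(at: nextWindow))
```

In the dev-build test in this thread, a second send on the same OTP was already rejected with "Error: Password already used"; a guard like this only keeps that request from being sent.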