Add two factor callback

[MaybeNetwork]

This feature allows script authorizations to supply an optional 'otp' parameter when authenticating. This is accomplished by adding a callback named two_factor_callback to the method ScriptAuthorizer.refresh. See 97 and praw's 1496 for previous discussions of this.

---

I have added some support for running other tests with 2fa enabled. There is now a test_two_factor_callback function in conftest, which is used in script auth tests to generate an OTP. By default, it returns None, which allows all tests to pass. This PR also adds two tests that show what successful and unsuccessful authorization attempts look like. I have included a third test in test_authorizer, test_refresh_with__2fa, that is commented out and does not have a corresponding cassette. If you change test_two_factor_callback to something that will generate your real otp code, you can use this test to produce the same output as test_refresh_with__valid_otp. You don't need to install a separate library to run the test if you have already have a 2fa authenticator device, program, or app. Just change the definition of test_two_factor_callback from return None to return input("OTP: "), run the test with pytest -s, and enter the code when prompted.

There are some issues with running tests with 2fa enabled. The uri for the initial authorization in all previous tests run with a password flow looks like

"grant_type=password&password=<PASSWORD>&username=<USERNAME>"

but if you use 2fa, this changes to

"grant_type=password&otp=123456&password=<PASSWORD>&username=<USERNAME>"`

This means that all tests which match uris will fail if you change the test_two_factor_callback to anything other than something that returns None. This could be dealt with by adding before_record and before_playback callbacks to the Betamax config, but I don't think it is worth doing that right now. Also, the rate limit for the password flow doesn't really allow you to record multiple tests at once. If you try, you will get the same {'error': 'invalid_grant'} message if you're still in timeout that you get when you supply the wrong credentials. The other flows aren't affected.

Other notes: if you don't have 2fa on your account, you can authorize with the otp parameter present as long as it is set to the empty string. If you make it anything other than the empty string, you'll get an invalid grant.

[bboe]

A few minor comments, otherwise this PR looks great.

[bboe]

Since this isn't a test case can we remove the test_ prefix please?

[bboe]

I don't think this example is necessary. If you want to add some information in the documentation about running tests with 2FA that'd be great, but not necessary for this PR.

[MaybeNetwork]

Ok. I included it just in case you wanted to verify that the feature works, since the other tests don't really prove it.

[bboe]

Thanks!