Description
Hi there and thank you for this tutorial. It did help me to get the first steps in for adding OTP to my application.
I do however think that there's a security flaw in your logic implemented here.
This is the step in your code where you perform the user login:
`login_user(user)`
Notice how the OTP verification step comes after this, redirecting the browser to VERIFY_2FA_URL (or SETUP_2FA_URL respectively). When it comes to Flask's logic, you have fully performed the login for the user prior to this check. This means that any viewer can now freely surf away to any `@login_required` page in a Flask application and does not need to go through the 2fa verification step. All they need to know is the direct URL of any page that requires one to be logged in.
This is, unfortunately, an unsafe implementation of 2fa.
Here is a stack overflow question on this very same problem:
https://stackoverflow.com/questions/62605770/securely-implementing-two-factor-authentication-in-flask
It suggests that you store the username of the person trying to log in in the Flask session and perform the login after you have verified the OTP.
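The ordering the issue recommends, shown as an added example that is not part of the issue or of the tutorial's code: the password step records only a "pending 2FA" marker in the session, and the equivalent of `login_user(user)` happens only after the OTP check passes, so `@login_required` pages stay closed in between. To keep it runnable offline without Flask, the session is a plain dict and `login_required` is a function over it; the user table, the password and the TOTP secret (the RFC 6238 test key) are constructed here, and a real application would store a password hash rather than the password.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed in-memory user store for this example only. A real app keeps a
# password hash, not the password; the TOTP secret is the RFC 6238 test key.
USERS = {
    "alice": {
        "password": "correct-horse",
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given secret and Unix time."""
    key = base64.b32decode(secret_b32)
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def password_login(session, username, password):
    """First factor. Records who is mid-login; does NOT log the user in."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "invalid"
    # Start from a clean session so nothing left over can grant access.
    session.clear()
    session["pending_2fa_user"] = username
    return "verify_2fa"


def verify_2fa(session, code, now=None):
    """Second factor. Only here does the session become a logged-in session."""
    username = session.get("pending_2fa_user")
    if username is None:
        return "no_pending_login"
    expected = totp(USERS[username]["totp_secret"], for_time=now)
    if not hmac.compare_digest(expected, code):
        return "invalid_code"
    session.pop("pending_2fa_user")
    session["user_id"] = username  # the equivalent of login_user(user)
    return "logged_in"


def login_required(session):
    """What an @login_required view should check: a completed login only."""
    return session.get("user_id") is not None


if __name__ == "__main__":
    s = {}
    print(password_login(s, "alice", "correct-horse"))  # verify_2fa
    print(login_required(s))                            # False: 2FA still pending
    print(verify_2fa(s, totp(USERS["alice"]["totp_secret"])))  # logged_in
    print(login_required(s))                            # True
```

The point to carry into a Flask app is the split: nothing stored by `password_login` is ever consulted by the `@login_required` check, so a browser that jumps straight to a protected URL after the password step is treated exactly like an anonymous one.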