Permission obtained from @DDynamic. Contributions from other users were
removed since we did not obtain permission from them for the re-license.
From this point forward all contributors must have a signed Contributor
License Agreement on file.
Cleaned up the code a bit, also checks TOTP before attempting to verify
user.
This addresses the potential for an attacker to try at a password
and/or confirm that the password is correct unless they have a valid
TOTP code for the request. A failed TOTP response will trigger a
throttle count on the login as well.
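
The ordering described in the commit message above, as an added Python sketch that is not the project's code. `LoginService`, `MAX_FAILURES`, the PBKDF2 password hash and the sample account are all assumptions made for illustration, and every account is assumed to have TOTP enabled.

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5  # assumed throttle limit, not taken from the commit


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Hypothetical login handler; every account is assumed to have TOTP enabled."""

    def __init__(self, users: dict):
        self.users = users
        self.failures = {}  # username -> consecutive failed attempts

    def _fail(self, name: str) -> str:
        self.failures[name] = self.failures.get(name, 0) + 1
        return "invalid"  # same answer whichever factor was wrong

    def login(self, name: str, password: str, code: str, now: float) -> str:
        if self.failures.get(name, 0) >= MAX_FAILURES:
            return "throttled"
        user = self.users.get(name)
        if user is None:
            return self._fail(name)
        # 1. TOTP first: without a valid code the password is never evaluated.
        expected = totp(user["totp_secret"], now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return self._fail(name)
        # 2. Only now compare the password hash, in constant time.
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return self._fail(name)
        self.failures.pop(name, None)
        return "ok"


# Constructed sample account (the secret is the RFC 6238 test key).
SALT = b"constructed-salt"
USERS = {"alice": {"totp_secret": b"12345678901234567890", "salt": SALT,
                   "pw_hash": hash_password("correct horse", SALT)}}
```

A correct password with a bad code and a wrong password with a bad code both return `invalid` and both count toward the throttle, so the response never confirms the password on its own.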