This will allows the user to call the correct redis database based upon
a string name in a dict, and not a variable perse. The definition of the
databases is easier this way, and the call of the correct database is
clearer in code.

This will renew the save of the TOTP server side for the username/IP tuple.

This will not change the behavior of the verify() function but is easier
to read.

This commit will add a time waste function if the username is not
present in the database. This is done to prevent the data extraction, in
this case the presence or not, of a username based upon the execution
time for the login process.

In the configuration file, the 'fake_hash' variable is computed with the
input data "fake_data" and the salt "fake_salt" to be transparent about
the data used as input for the hashing function.

The comparison with the 'verify()' function is a boolean (always True in
this case), and is not used in any useful way in the login process.

This waste of time is done even if the risk factor is very small (not to
say inexistent).

The location of this function call is designed to be only present if the
username provided as input does not exists in the database. This is done
to not impact real users.

This will trigger a rate limitation when the username does not exists or
if the password is not the correct one. The time to wait is exponential
(base 2) after the 5 first attempts.

This is done by splitting the original function in an inner function
that manage the creation of the image in a PIL format. This inner
function is decorated with the redis cache function.

Because of a bug in the PIL library, we can not unPickle a tiff image.
The workaround is to use the following code:

    if isinstance( img, TiffImageFile ):
        if not hasattr( img, "use_load_libtiff" ):
            img.use_load_libtiff = True

Source: https://github.com/python-pillow/Pillow/pull/4565/files

This being patched in the current versions of PIL, we should be use this
monkey-patch for new version of Python.

Since the variable is global anyway, we don't need to pass it as
parameter.

The fetch of the data don't need to be done in an ajax query once the
page is loaded. This will directly populate the "secret" javascript
variable and the 'input' field.

The remaining time and the current TOTP are not useful in the current
workflow.

This is the same order as for the other pages (help on the left, next on
the right).

This will only use one div to the errors and OK messages. The
notification for the use is done via a function call instead of editing
the corresponding divs.

This will not display a message to the user if the TOTP is correctly
set, but will redirect him to the next step automatically.

The user is now obligated to provide the TOTP value to continue. If not
provided, the user can still re-open the current page to get help or
retry the configuration process. This should remove the miss configured
account by not reading the configuration dialog (the user has to provide
at least once the TOTP to be able to finish the configuration; if the
TOTP value is set in the database, the configuration has been done at
least once).