Update devise-two-factor to version 5.0.0 (#28325)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

app/models/user.rb

@@ -39,6 +39,7 @@
 #  role_id                   :bigint(8)
 #  settings                  :text
 #  time_zone                 :string
+#  otp_secret                :string
 #
 
 class User < ApplicationRecord
@@ -72,6 +73,8 @@ class User < ApplicationRecord
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: Rails.configuration.x.otp_secret
 
+  include LegacyOtpSecret # Must be after the above `devise` line in order to override the legacy method
+
   devise :two_factor_backupable,
          otp_number_of_backup_codes: 10
 
@@ -131,11 +134,6 @@ class User < ApplicationRecord
   normalizes :time_zone, with: ->(time_zone) { ActiveSupport::TimeZone[time_zone].nil? ? nil : time_zone }
   normalizes :chosen_languages, with: ->(chosen_languages) { chosen_languages.compact_blank.presence }
 
-  # This avoids a deprecation warning from Rails 5.1
-  # It seems possible that a future release of devise-two-factor will
-  # handle this itself, and this can be removed from our User class.
-  attribute :otp_secret
-
   has_many :session_activations, dependent: :destroy
 
   delegate :can?, to: :role