Update devise-two-factor to version 5.0.0 (#28325)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

config/environments/development.rb

@@ -87,8 +87,7 @@ Rails.application.configure do
   # Otherwise, use letter_opener, which launches a browser window to view sent mail.
   config.action_mailer.delivery_method = ENV['HEROKU'] || ENV['VAGRANT'] || ENV['REMOTE_DEV'] ? :letter_opener_web : :letter_opener
 
-  # We provide a default secret for the development environment here.
-  # This value should not be used in production environments!
+  # TODO: Remove once devise-two-factor data migration complete
   config.x.otp_secret = ENV.fetch('OTP_SECRET', '1fc2b87989afa6351912abeebe31ffc5c476ead9bf8b3d74cbc4a302c7b69a45b40b1bbef3506ddad73e942e15ed5ca4b402bf9a66423626051104f4b5f05109')
 
   # Raise error when a before_action's only/except options reference missing actions

config/environments/production.rb

@@ -157,6 +157,7 @@ Rails.application.configure do
     'Referrer-Policy' => 'same-origin',
   }
 
+  # TODO: Remove once devise-two-factor data migration complete
   config.x.otp_secret = ENV.fetch('OTP_SECRET')
 
   # Enable DNS rebinding protection and other `Host` header attacks.

config/environments/test.rb

@@ -44,6 +44,7 @@ Rails.application.configure do
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
+  # TODO: Remove once devise-two-factor data migration complete
   config.x.otp_secret = '100c7faeef00caa29242f6b04156742bf76065771fd4117990c4282b8748ff3d99f8fdae97c982ab5bd2e6756a159121377cce4421f4a8ecd2d67bd7749a3fb4'
 
   # Generate random VAPID keys