Merge commit 'b7902225d698a107df2cf8b4ca221caad38fa464' into glitch-soc/merge-upstream

Conflicts:
- `spec/validators/status_length_validator_spec.rb`:
  Upstream refactored tests to stub `StatusLengthValidator::MAX_CHARS`
  while glitch-soc had custom code to read from `MAX_TOOT_CHARS`.
  Switched to using upstream's implementation of the tests.

app/models/user.rb

@@ -39,6 +39,7 @@
 #  role_id                   :bigint(8)
 #  settings                  :text
 #  time_zone                 :string
+#  otp_secret                :string
 #
 
 class User < ApplicationRecord
@@ -72,6 +73,8 @@ class User < ApplicationRecord
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: Rails.configuration.x.otp_secret
 
+  include LegacyOtpSecret # Must be after the above `devise` line in order to override the legacy method
+
   devise :two_factor_backupable,
          otp_number_of_backup_codes: 10
 
@@ -131,11 +134,6 @@ class User < ApplicationRecord
   normalizes :time_zone, with: ->(time_zone) { ActiveSupport::TimeZone[time_zone].nil? ? nil : time_zone }
   normalizes :chosen_languages, with: ->(chosen_languages) { chosen_languages.compact_blank.presence }
 
-  # This avoids a deprecation warning from Rails 5.1
-  # It seems possible that a future release of devise-two-factor will
-  # handle this itself, and this can be removed from our User class.
-  attribute :otp_secret
-
   has_many :session_activations, dependent: :destroy
 
   delegate :can?, to: :role