Display count of remaining recovery codes

app/controllers/user/sessions_controller.rb

@@ -21,6 +21,7 @@ class User::SessionsController < Devise::SessionsController
         if params[:user][:otp_attempt].length == 8
           found = TotpRecoveryCode.where(user_id: resource.id, code: params[:user][:otp_attempt].downcase).delete_all
           if found == 1
+            flash[:info] = "You have #{TotpRecoveryCode.where(user_id: resource.id).count} recovery codes remaining."
             continue_sign_in(resource, resource_name)
           else
             flash[:error] = t('views.auth.2fa.errors.invalid_code')

app/controllers/user_controller.rb

@@ -182,6 +182,8 @@ class UserController < ApplicationController
       qr_code = RQRCode::QRCode.new(current_user.provisioning_uri("Retrospring:#{current_user.screen_name}", issuer: "Retrospring"))
 
       @qr_svg = qr_code.as_svg({offset: 4, module_size: 4, color: '000;fill:var(--primary)'}).html_safe
+    else
+      @recovery_code_count = TotpRecoveryCode.where(user_id: current_user.id).count
     end
   end
 

app/views/settings/security/_totp_enabled.haml

@@ -1,3 +1,5 @@
-%p Your account is set up to require the use of a one-time password in order to log in
+%p Your account is set up to require the use of a one-time password in order to log in.
+%p You currently have #{@recovery_code_count} unused recovery codes.
 = link_to t('views.actions.remove'), destroy_user_2fa_path, class: 'btn btn-primary', method: 'delete',
           data: { confirm: t('views.settings.security.2fa.detach_confirm') }
+D

config/locales/en.yml

@@ -265,6 +265,7 @@ en:
       done: "Done"
       y: "Yes"
       n: "No"
+      remove: "Remove"
     sessions:
       destroy: "Logout"
       create: "Sign in"