Strip spaces before validating OTP for MFA

Fixes FOO-3621
flag=none

Test plan:
  Submit a OTP with space(s) in the middle and it should validate.

Change-Id: Ib7df567cea9a7da0cd58b2a217a9df029736753a
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/323036
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jason Perry <jason.perry@instructure.com>
Product-Review: Jason Perry <jason.perry@instructure.com>

app/controllers/login/otp_controller.rb

@@ -78,7 +78,7 @@ class Login::OtpController < ApplicationController
     # of a maxed out bucket.
     increment_request_cost(150)
 
-    verification_code = params[:otp_login][:verification_code]
+    verification_code = params[:otp_login][:verification_code].delete(" ")
     if Canvas.redis_enabled?
       key = "otp_used:#{@current_user.global_id}:#{verification_code}"
       if Canvas.redis.get(key)

spec/controllers/login/otp_controller_spec.rb

@@ -175,6 +175,15 @@ describe Login::OtpController do
         expect(request.env.fetch("extra-request-cost").to_f >= 150).to be_truthy
       end
 
+      it "verifies a code entered with spaces" do
+        code = ROTP::TOTP.new(@user.otp_secret_key).now
+        post :create, params: { otp_login: { verification_code: "#{code[0..2]} #{code[3..]}" } }
+        expect(response).to redirect_to dashboard_url(login_success: 1)
+        expect(cookies["canvas_otp_remember_me"]).to be_nil
+        expect(Canvas.redis.get("otp_used:#{@user.global_id}:#{code}")).to eq "1" if Canvas.redis_enabled?
+        expect(request.env.fetch("extra-request-cost").to_f >= 150).to be_truthy
+      end
+
       it "verifies a backup code" do
         code = @user.one_time_passwords.create!.code
         post :create, params: { otp_login: { verification_code: code } }