Deprecate DeleteMFADevice and move tests to its "sync" variant (#32773)

* Deprecate DeleteMFADevice and its top-level messages

* Update generated protos

* Deprecate api/client.Client.DeleteMFADevice

* Deprecate lib/auth.IdentityService.DeleteMFADevice

* Deprecate lib/auth.GRPCServer.DeleteMFADevice

* Combine "last device" tests

* TestMFADeviceManagement renames (no functional changes)

* Use DeleteDeviceMFASync on TestMFADeviceManagement

* Add a test for DeleteMFADevice

* Add deprecation nolints

api/client/client.go

@@ -1598,6 +1598,7 @@ func (c *Client) AddMFADevice(ctx context.Context) (proto.AuthService_AddMFADevi
 	return stream, nil
 }
 
+// Deprecated: Use DeleteMFADeviceSync instead.
 func (c *Client) DeleteMFADevice(ctx context.Context) (proto.AuthService_DeleteMFADeviceClient, error) {
 	stream, err := c.grpc.DeleteMFADevice(ctx)
 	if err != nil {

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -1174,6 +1174,8 @@ message AddMFADeviceResponseAck {
 
 // DeleteMFADeviceRequest is a message sent by the client during
 // DeleteMFADevice RPC.
+//
+// Deprecated: Use [AuthService.DeleteMFADeviceSync] instead.
 message DeleteMFADeviceRequest {
   oneof Request {
     // Init describes the device to be deleted.
@@ -1183,6 +1185,7 @@ message DeleteMFADeviceRequest {
   }
 }
 
+// Deprecated: Use [AuthService.DeleteMFADeviceSync] instead.
 message DeleteMFADeviceResponse {
   oneof Response {
     // MFAChallenge is an auth challenge using any existing MFA device.
@@ -1193,6 +1196,8 @@ message DeleteMFADeviceResponse {
 }
 
 // DeleteMFADeviceRequestInit describes the device to be deleted.
+//
+// Deprecated: Use [AuthService.DeleteMFADeviceSync] instead.
 message DeleteMFADeviceRequestInit {
   // DeviceName is an MFA device name or ID to be deleted.
   string DeviceName = 1;
@@ -2644,7 +2649,11 @@ service AuthService {
   // <- MFAChallenge
   // -> MFAResponse
   // <- Ack
-  rpc DeleteMFADevice(stream DeleteMFADeviceRequest) returns (stream DeleteMFADeviceResponse);
+  //
+  // Deprecated: Use [DeleteMFADeviceSync] instead.
+  rpc DeleteMFADevice(stream DeleteMFADeviceRequest) returns (stream DeleteMFADeviceResponse) {
+    option deprecated = true;
+  }
   // AddMFADeviceSync adds a new MFA device.
   //
   // A typical MFA registration sequence calls the following RPCs:
@@ -2655,6 +2664,14 @@ service AuthService {
   // 4. AddMFADeviceSync
   rpc AddMFADeviceSync(AddMFADeviceSyncRequest) returns (AddMFADeviceSyncResponse);
   // DeleteMFADeviceSync deletes a users MFA device (nonstream).
+  //
+  // A typical MFA deletion sequence calls the following RPCs:
+  //
+  // 1. (optional) CreateAuthenticateChallenge
+  //    (may be skipped depending on the token used, but is usually called
+  //    regardless)
+  // 2. (optional) CreatePrivilegeToken
+  // 3. DeleteMFADeviceSync (using either authn challenge or token)
   rpc DeleteMFADeviceSync(DeleteMFADeviceSyncRequest) returns (google.protobuf.Empty);
   // GetMFADevices returns all MFA devices registered for the user calling
   // this RPC.

lib/auth/accountrecovery_test.go

@@ -1393,11 +1393,22 @@ func createUserWithSecondFactors(testServer *TestTLSServer) (*userAuthCreds, err
 		return nil, trace.Wrap(err)
 	}
 
-	// Register a TOTP device.
 	userClient, err := testServer.NewClient(TestUser(username))
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
+	// Fetch the MFA device created above.
+	devicesResp, err := userClient.GetMFADevices(ctx, &proto.GetMFADevicesRequest{})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if len(devicesResp.Devices) != 1 {
+		return nil, fmt.Errorf("found an unexpected number of MFA devices: %v", devicesResp.Devices)
+	}
+	webDev.MFA = devicesResp.Devices[0]
+
+	// Register a TOTP device.
 	totpDev, err := RegisterTestDevice(
 		ctx,
 		userClient,