Within the timeframe a TOTP is valid, it can be used for login multiple times. Although replaying the login with the same (wire-tapped) parameters is quite difficult, it's not entirely impossible. Therefore, an (T)OTP code once used for successful login needs to be logged and blacklisted for the according user account to prevent from repeated authentication with the same code.
This will likely be part of the Storage component to maintain a list of used codes and the Driver to verify each submitted code against that list.