fix(auth): offset TOTP delta histogram to avoid negative StatsD values

Because:
* Telegraf's statsd input plugin only accepts non-negative values for
  histograms
* The delta from otplib's checkDelta can be negative (e.g. -1 when the
  user enters a code from the previous time window)
* The previous guard `if (type && delta)` skipped recording when
  delta === 0, silently dropping the most common exact-match case

This commit:
* Offsets delta by the configured window size so values are always
  non-negative (with window=1: -1→0, 0→1, 1→2)
* Fixes the falsy check to use `delta !== undefined && delta !== null`
  so delta=0 is recorded
* Guards against undefined otpOptions with optional chaining

Fixes #13356

Author: vbudhram

packages/fxa-auth-server/lib/routes/utils/otp.ts

@@ -56,8 +56,12 @@ export class OtpUtils {
     const valid = otpAuthenticator.check(code, secret);
     const delta = otpAuthenticator.checkDelta(code, secret);
 
-    if (type && delta) {
-      this.statsd.histogram(`${type}.totp.delta_histogram`, delta);
+    if (type && delta !== undefined && delta !== null) {
+      // Offset delta by window so the value is always non-negative.
+      // With window=1: delta -1 → 0, delta 0 → 1, delta 1 → 2.
+      // Telegraf's statsd plugin only accepts non-negative histogram values.
+      const window = otpOptions?.window ?? 1;
+      this.statsd.histogram(`${type}.totp.delta_histogram`, delta + window);
     }
     // Return delta for logging
     return { valid, delta };