
Really? A single if statement is all it would take? More hyperbole from you...

(How do you log used codes, check if a code was previously used, and clean up old used codes in a single if statement?)




It already recorded in the database when the TOTP was last used, but it allowed reuse of the same code during the grace period (30 seconds later).


Allowing authentication not only within the original time frame but one interval before and after is by design: https://en.wikipedia.org/wiki/Time-based_one-time_password#S... .


The security issue is with allowing reuse, not with allowing use in the previous and next time frames.


Not OP, but yes really.

Check the last login/session/whatever for that account and if it was within the period of the TOTP that was submitted, force a relog.
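To make the point of the thread concrete, here is an added example (not code from any commenter or from the project under discussion) of an RFC 6238 TOTP verifier that accepts the previous and next 30-second step, as the Wikipedia link above describes, and then rejects a replay of an already accepted code. It stores the highest accepted time-step counter per account (an in-memory dict standing in for the database column the thread mentions) rather than a login timestamp; that is an assumption of this example, chosen because a counter makes the comparison exact. The `reject_reuse=False` path shows the behaviour the thread calls a bug: the same code is accepted again inside the grace window.

```python
import hashlib
import hmac
import struct
import time

STEP = 30     # RFC 6238 default time step in seconds
DIGITS = 6
WINDOW = 1    # accept one step before and one after the current one


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed on the Unix time divided by the step."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    def __init__(self, secret: bytes, window: int = WINDOW, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        # account -> highest time-step counter already accepted.
        # Stand-in for the "last used" column a real service keeps in its DB.
        self.last_used: dict = {}

    def verify(self, account: str, code: str, now: float = None,
               reject_reuse: bool = True) -> bool:
        now = time.time() if now is None else now
        current = int(now) // self.step
        # Try the current step plus `window` steps on each side (clock drift).
        for counter in range(current - self.window, current + self.window + 1):
            if not hmac.compare_digest(hotp(self.secret, counter), code):
                continue
            # Replay check: a code for a step we have already accepted is dead,
            # even though it is still inside the grace window.
            if reject_reuse and counter <= self.last_used.get(account, -1):
                return False
            self.last_used[account] = max(counter, self.last_used.get(account, -1))
            return True
        return False


# Constructed demo using the RFC 4226/6238 test secret.
if __name__ == "__main__":
    secret = b"12345678901234567890"
    v = TotpVerifier(secret)
    code = totp(secret, 59)                       # "287082"
    print("first use at t=59 :", v.verify("alice", code, now=59))    # True
    print("replay at t=75    :", v.verify("alice", code, now=75))    # False
    print("next-step code    :", v.verify("alice", totp(secret, 75), now=75))  # True
    w = TotpVerifier(secret)
    w.verify("bob", code, now=59)
    print("no replay check   :", w.verify("bob", code, now=75, reject_reuse=False))  # True
```

With the check in place a stolen code is only good until its owner logs in; without it the attacker has up to three full steps to reuse it, which is the window the thread is complaining about.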



