
feat(auth): implement TOTP-based two-factor authentication #231

Merged
Mkalbani merged 1 commit into MindFlowInteractive:main from A6dulmalik:feat/2FA
Mar 26, 2026

Conversation

@A6dulmalik
Contributor

Features:

  • POST /auth/2fa/setup - Generate TOTP secret and QR code URI
  • POST /auth/2fa/verify - Verify setup code and enable 2FA
  • POST /auth/2fa/challenge - Exchange mfa_pending token for full JWT
  • POST /auth/2fa/disable - Disable 2FA with password confirmation
  • GET /auth/2fa/status - Check 2FA status
  • POST /auth/2fa/backup-codes/regenerate - Regenerate backup codes

Security:

  • TOTP secrets stored securely (select: false by default)
  • Backup codes hashed with bcrypt before storage
  • Single-use backup codes invalidated after use
  • Short-lived mfa_pending JWT (5min) for 2FA challenge flow
  • Login blocked until 2FA verification completed
  • Password confirmation required to disable 2FA

Implementation:

  • Add otplib for TOTP generation and verification
  • Add qrcode for QR code generation
  • Update User entity with twoFactorSecret and isTwoFactorEnabled
  • Create TwoFactorBackupCode entity with user relationship
  • Add MfaPendingAuthGuard for validating pending tokens
  • Modify login flow to issue mfa_pending token when 2FA enabled
  • Add database migration for 2FA columns and backup_codes table

Testing:

  • Add comprehensive test coverage for all 2FA flows
  • Test setup, verification, challenge, and disable flows
  • Test backup code generation and single-use invalidation

Fixes otplib v12 API compatibility issues

BREAKING CHANGE: Login response now returns mfa_pending_token instead of
access_token when user has 2FA enabled. Clients must call POST /auth/2fa/challenge
with valid TOTP code to obtain full JWT tokens.

Closes #212
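The flow the description lists (setup, verify, login issuing a 5-minute mfa_pending token, challenge, bcrypt-hashed single-use backup codes), as an added stand-alone example in TypeScript. This is not the PR's code: it does not use the project's NestJS entities, guards or migrations. otplib is replaced by an RFC 6238 implementation over node:crypto, bcrypt by scryptSync, and the JWTs by HMAC-signed tokens; the `User` shape, `signToken`, `challenge` and all other names are assumptions made for the example.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// ---- TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30 s step), written here as a stand-in for otplib ----
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

export function base32Encode(buf: Buffer): string {
  let bits = 0, acc = 0, out = "";
  for (const b of buf) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 5) { out += B32[(acc >>> (bits - 5)) & 31]; bits -= 5; acc &= (1 << bits) - 1; }
  }
  return bits ? out + B32[(acc << (5 - bits)) & 31] : out;
}

export function base32Decode(s: string): Buffer {
  let bits = 0, acc = 0; const out: number[] = [];
  for (const ch of s.toUpperCase().replace(/=+$/, "")) {
    const v = B32.indexOf(ch); if (v < 0) throw new Error("invalid base32");
    acc = (acc << 5) | v; bits += 5;
    if (bits >= 8) { out.push((acc >>> (bits - 8)) & 0xff); bits -= 8; acc &= (1 << bits) - 1; }
  }
  return Buffer.from(out);
}

function safeEq(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);                          // 8-byte big-endian counter
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0); msg.writeUInt32BE(counter % 2 ** 32, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const bin = h.readUInt32BE(h[h.length - 1] & 0x0f) & 0x7fffffff; // dynamic truncation
  return String(bin % 1_000_000).padStart(6, "0");
}

export function totp(secretB32: string, nowSec: number): string {
  return hotp(base32Decode(secretB32), Math.floor(nowSec / 30));
}

export function verifyTotp(secretB32: string, code: string, nowSec: number, skew = 1): boolean {
  const secret = base32Decode(secretB32), c = Math.floor(nowSec / 30);
  let ok = false;
  for (let d = -skew; d <= skew; d++) ok = safeEq(hotp(secret, c + d), code) || ok; // accept +/- one step
  return ok;
}

// ---- Signed tokens: HMAC-SHA256 over a JSON payload, a stand-in for the JWTs the PR issues ----
const TOKEN_KEY = randomBytes(32); // assumption: the real service would use its JWT signing key
type Purpose = "mfa_pending" | "access";
type Claims = { sub: string; purpose: Purpose; exp: number };
const b64u = (b: Buffer) => b.toString("base64url");

export function signToken(claims: Claims): string {
  const body = b64u(Buffer.from(JSON.stringify(claims)));
  return `${body}.${b64u(createHmac("sha256", TOKEN_KEY).update(body).digest())}`;
}

export function verifyToken(token: string, purpose: Purpose, nowSec: number): Claims | null {
  const [body = "", sig = ""] = token.split(".");
  if (!sig || !safeEq(b64u(createHmac("sha256", TOKEN_KEY).update(body).digest()), sig)) return null;
  const c: Claims = JSON.parse(Buffer.from(body, "base64url").toString());
  return c.purpose === purpose && c.exp > nowSec ? c : null; // a pending token must never pass as access
}

// ---- User + backup codes: hashed at rest (scrypt here, bcrypt in the PR), single use ----
export interface User {
  id: string; twoFactorSecret?: string; isTwoFactorEnabled: boolean;
  backupCodes: { salt: string; hash: string; usedAt?: number }[];
}
const hashCode = (code: string, salt: Buffer) => scryptSync(code, salt, 32);

export function regenerateBackupCodes(user: User, count = 8): string[] {
  const plain = Array.from({ length: count }, () => randomBytes(5).toString("hex")); // replaces any old set
  user.backupCodes = plain.map(c => { const s = randomBytes(16); return { salt: s.toString("hex"), hash: hashCode(c, s).toString("hex") }; });
  return plain; // shown to the user once; only the hashes are stored
}

export function consumeBackupCode(user: User, code: string, nowSec: number): boolean {
  for (const bc of user.backupCodes) {
    if (bc.usedAt !== undefined) continue; // single use: a redeemed code never matches again
    if (timingSafeEqual(hashCode(code, Buffer.from(bc.salt, "hex")), Buffer.from(bc.hash, "hex"))) { bc.usedAt = nowSec; return true; }
  }
  return false;
}

// ---- Core logic of /2fa/setup, /2fa/verify, login and /2fa/challenge ----
export function setup(user: User, issuer: string): { secret: string; otpauthUri: string } {
  const secret = base32Encode(randomBytes(20));
  user.twoFactorSecret = secret; // stored but not enabled until verifySetup succeeds
  return { secret, otpauthUri: `otpauth://totp/${issuer}:${user.id}?secret=${secret}&issuer=${issuer}&algorithm=SHA1&digits=6&period=30` };
}

export function verifySetup(user: User, code: string, nowSec: number): boolean {
  if (!user.twoFactorSecret || !verifyTotp(user.twoFactorSecret, code, nowSec)) return false;
  user.isTwoFactorEnabled = true; return true;
}

export function login(user: User, nowSec: number): { access_token?: string; mfa_pending_token?: string } {
  return user.isTwoFactorEnabled
    ? { mfa_pending_token: signToken({ sub: user.id, purpose: "mfa_pending", exp: nowSec + 300 }) } // 5 min
    : { access_token: signToken({ sub: user.id, purpose: "access", exp: nowSec + 3600 }) };
}

export function challenge(user: User, pendingToken: string, code: string, nowSec: number): string | null {
  const c = verifyToken(pendingToken, "mfa_pending", nowSec);
  if (!c || c.sub !== user.id || !user.twoFactorSecret) return null;
  const ok = verifyTotp(user.twoFactorSecret, code, nowSec) || consumeBackupCode(user, code, nowSec);
  return ok ? signToken({ sub: user.id, purpose: "access", exp: nowSec + 3600 }) : null;
}
```

The TOTP part can be checked against the RFC 6238 test vector (secret `12345678901234567890`, T=59 gives 94287082, so the 6-digit code is 287082). Two things the description does not mention and the example deliberately leaves visible: the pending token is not invalidated after a successful challenge, so it can be replayed for its full 5 minutes, and there is no rate limit on challenge attempts; a production implementation would want both.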

@drips-wave

drips-wave bot commented Mar 26, 2026

@A6dulmalik Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


@Mkalbani Mkalbani merged commit ba1dad3 into MindFlowInteractive:main Mar 26, 2026
5 of 12 checks passed

Development

Successfully merging this pull request may close these issues.

Two-Factor Authentication (2FA)

2 participants