[feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions

internal/api/client/user/user.go

@@ -25,12 +25,14 @@ import (
 )
 
 const (
-	// BasePath is the base URI path for this module, minus the 'api' prefix
-	BasePath = "/v1/user"
-	// PasswordChangePath is the path for POSTing a password change request.
-	PasswordChangePath = BasePath + "/password_change"
-	// EmailChangePath is the path for POSTing an email address change request.
-	EmailChangePath = BasePath + "/email_change"
+	BasePath               = "/v1/user"
+	PasswordChangePath     = BasePath + "/password_change"
+	EmailChangePath        = BasePath + "/email_change"
+	TwoFactorPath          = BasePath + "/2fa"
+	TwoFactorQRCodePngPath = TwoFactorPath + "/qr.png"
+	TwoFactorQRCodeURIPath = TwoFactorPath + "/qruri"
+	TwoFactorEnablePath    = TwoFactorPath + "/enable"
+	TwoFactorDisablePath   = TwoFactorPath + "/disable"
 )
 
 type Module struct {
@@ -47,4 +49,8 @@ func (m *Module) Route(attachHandler func(method string, path string, f ...gin.H
 	attachHandler(http.MethodGet, BasePath, m.UserGETHandler)
 	attachHandler(http.MethodPost, PasswordChangePath, m.PasswordChangePOSTHandler)
 	attachHandler(http.MethodPost, EmailChangePath, m.EmailChangePOSTHandler)
+	attachHandler(http.MethodGet, TwoFactorQRCodePngPath, m.TwoFactorQRCodePngGETHandler)
+	attachHandler(http.MethodGet, TwoFactorQRCodeURIPath, m.TwoFactorQRCodeURIGETHandler)
+	attachHandler(http.MethodPost, TwoFactorEnablePath, m.TwoFactorEnablePOSTHandler)
+	attachHandler(http.MethodPost, TwoFactorDisablePath, m.TwoFactorDisablePOSTHandler)
 }