[Core] Add Support for TOTP / 2FA to LORIS (#9972)

This adds support for time based one time passwords (TOTP) to LORIS
based on RFC6238 (the standard used by authenticator apps such as Authy
or Microsoft Authenticator).

There is a new subpage of my_preferences where a user can register an
authenticator app to their account using a QR code. After validating the
code, the secret key used to generate it is saved to the users table.
After this point, any attempts to log in will check if they have a valid
2FA code by using a new MFA middleware. The middleware intercepts
requests and prompts for the code if it has not yet been provided.

Author: driusan

Makefile

@@ -135,6 +135,9 @@ locales:
 	msgfmt -o modules/module_manager/locale/ja/LC_MESSAGES/module_manager.mo modules/module_manager/locale/ja/LC_MESSAGES/module_manager.po
 	msgfmt -o modules/mri_violations/locale/ja/LC_MESSAGES/mri_violations.mo modules/mri_violations/locale/ja/LC_MESSAGES/mri_violations.po
 	msgfmt -o modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.mo modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.po
+	npx i18next-conv -l ja -s modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.po -t modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.json --compatibilityJSON v4
+	npx i18next-conv -l hi -s modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.po -t modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.json --compatibilityJSON v4
+	msgfmt -o modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.mo modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.po
 	msgfmt -o modules/next_stage/locale/ja/LC_MESSAGES/next_stage.mo modules/next_stage/locale/ja/LC_MESSAGES/next_stage.po
 	msgfmt -o modules/next_stage/locale/es/LC_MESSAGES/next_stage.mo modules/next_stage/locale/es/LC_MESSAGES/next_stage.po
 	msgfmt -o modules/oidc/locale/ja/LC_MESSAGES/oidc.mo modules/oidc/locale/ja/LC_MESSAGES/oidc.po
@@ -198,3 +201,8 @@ server_processes_manager: modules/server_processes_manager/locale/ja/LC_MESSAGES
 
 conflict_resolver:
 	target=conflict_resolver npm run compile
+
+my_preferences: modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.mo modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.mo
+	npx i18next-conv -l ja -s modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.po -t modules/my_preferences/locale/ja/LC_MESSAGES/my_preferences.json --compatibilityJSON v4
+	npx i18next-conv -l hi -s modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.po -t modules/my_preferences/locale/hi/LC_MESSAGES/my_preferences.json --compatibilityJSON v4
+	target=my_preferences npm run compile

SQL/0000-00-00-schema.sql

@@ -105,6 +105,7 @@ CREATE TABLE `users` (
   `Active` enum('Y','N') NOT NULL default 'Y',
   `Password_hash` varchar(255) default NULL,
   `PasswordChangeRequired` tinyint(1) NOT NULL default 0,
+  `TOTPSecret` binary(64) DEFAULT NULL,
   `Pending_approval` enum('Y','N') default 'Y',
   `Doc_Repo_Notifications` enum('Y','N') default 'N',
   `language_preference` integer unsigned default NULL,

SQL/New_patches/2025-08-21-add_totp_support.sql

@@ -0,0 +1 @@
+ALTER TABLE users ADD COLUMN TOTPSecret binary(64) DEFAULT NULL AFTER PasswordChangeRequired;

composer.json

@@ -15,7 +15,9 @@
         "laminas/laminas-diactoros" : "^3.5",
         "ext-json": "*",
         "bjeavons/zxcvbn-php": "^1.0",
-        "aws/aws-sdk-php": "^3.209"
+        "aws/aws-sdk-php": "^3.209",
+        "selective/base32": "^2.0",
+        "chillerlan/php-qrcode": "^5.0"
     },
     "require-dev" : {
         "squizlabs/php_codesniffer" : "^3.5",