feat(auth): add Google Authenticator 2FA flows and setup options #73

Closed
VMASPAD wants to merge 1 commit into emdash-cms:main from VMASPAD:pr/google-auth-2fa

VMASPAD commented Apr 2, 2026

This PR adds full TOTP-based two-factor authentication (2FA) support across backend auth, setup flows, and admin UI, including Google Authenticator-compatible onboarding.

What Changed

  • Added core TOTP implementation:
    • Secret generation
    • otpauth URI generation
    • Time-window verification
    • User 2FA state helpers (pending/enabled/disabled)
  • Added auth API endpoints for 2FA lifecycle:
    • status
    • setup
    • enable
    • disable
    • pending challenge
    • verify
  • Integrated 2FA checks into passkey, magic-link, and OAuth login flows.
  • Added setup endpoints for first-admin 2FA/email onboarding.
  • Updated setup status API to expose email provider availability.
  • Updated route injection and auth middleware typing for pending second-factor sessions.
  • Updated Admin UI:
    • Setup wizard with explicit sign-in method choices
    • QR-based authenticator setup
    • Login second-factor step
    • Security settings to manage 2FA
  • Included lockfile/package updates required for new UI/auth dependencies.

Security Notes

  • Login is finalized only after successful TOTP verification when 2FA is enabled.
  • Pending second-factor challenges are short-lived and session-bound.
  • Magic-link flow was adjusted so full user session is created only after 2FA gate is satisfied.

Validation

  • Quick lint passed.
  • Full lint diagnostics passed.
  • Typecheck passed across workspace packages.

Scope

This PR is focused on authentication and onboarding security behavior (Google Authenticator-style 2FA and related setup/login UX).

Contributor

github-actions bot commented Apr 5, 2026

Overlapping PRs

This PR modifies files that are also changed by other open PRs:

This may cause merge conflicts or duplicated work. A maintainer will coordinate.

Collaborator

ascorbic commented Apr 5, 2026

I'm not sure of the value of this. Currently the only supported login method is passkey. Requiring TOTP alongside passkey isn't something that seems useful.

pkg-pr-new bot commented Apr 5, 2026

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@73

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@73

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@73

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@73

emdash

npm i https://pkg.pr.new/emdash@73

create-emdash

npm i https://pkg.pr.new/create-emdash@73

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@73

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@73

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@73

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@73

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@73

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@73

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@73

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@73

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@73

commit: 3526bc4
