feat(auth): implement TOTP two-factor authentication with enrollment and verification

Adds TOTP (Time-based One-Time Password) two-factor authentication support including:
- New TOTP service with secret generation, QR code provisioning, and code verification
- New auth endpoints for enrollment, verification, status, and backup code management
- New TOTP authentication method type and user methods for TOTP management
- Backup codes generation and verification for account recovery
- Updated OIDC endpoints with timezone-aware datetime handling and RFC-compliant responses
- Added "roles" scope support for OIDC userinfo and ID tokens
- New pyotp dependency for TOTP operations
- Comprehensive unit tests for TOTP service

app/middleware/cors.py

@@ -26,6 +26,7 @@ def setup_cors(app):
                 response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
                 response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
                 response.headers["Access-Control-Max-Age"] = "3600"
+                response.headers["Cache-Control"] = "no-cache, no-store"
                 return response
             elif origin and origin in cors_origins:
                 response = make_response("", 204)
@@ -34,6 +35,7 @@ def setup_cors(app):
                 response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Request-ID"
                 response.headers["Access-Control-Allow-Credentials"] = "true"
                 response.headers["Access-Control-Max-Age"] = "3600"
+                response.headers["Cache-Control"] = "no-cache, no-store"
                 return response
 
     @app.after_request