feat(auth): implement TOTP two-factor authentication with enrollment and verification

Adds TOTP (Time-based One-Time Password) two-factor authentication support including:
- New TOTP service with secret generation, QR code provisioning, and code verification
- New auth endpoints for enrollment, verification, status, and backup code management
- New TOTP authentication method type and user methods for TOTP management
- Backup codes generation and verification for account recovery
- Updated OIDC endpoints with timezone-aware datetime handling and RFC-compliant responses
- Added "roles" scope support for OIDC userinfo and ID tokens
- New pyotp dependency for TOTP operations
- Comprehensive unit tests for TOTP service

app/schemas/auth_schema.py

@@ -55,3 +55,34 @@ class ResetPasswordSchema(Schema):
         """Validate that passwords match."""
         if data.get("password") != data.get("password_confirm"):
             raise ValidationError("Passwords do not match", field_name="password_confirm")
+
+
+class TOTPVerifyEnrollmentSchema(Schema):
+    """Schema for TOTP enrollment verification."""
+
+    code = fields.Str(
+        required=True,
+        validate=validate.Regexp(
+            r"^\d{6}$",
+            error="Code must be a 6-digit number",
+        ),
+    )
+
+
+class TOTPVerifySchema(Schema):
+    """Schema for TOTP code verification during login."""
+
+    code = fields.Str(required=True)
+    is_backup_code = fields.Bool(missing=False)
+
+
+class TOTPDisableSchema(Schema):
+    """Schema for disabling TOTP."""
+
+    password = fields.Str(required=True, validate=validate.Length(min=1))
+
+
+class TOTPRegenerateBackupCodesSchema(Schema):
+    """Schema for regenerating backup codes."""
+
+    password = fields.Str(required=True, validate=validate.Length(min=1))