feat(auth): implement TOTP two-factor authentication with enrollment and verification

Adds TOTP (Time-based One-Time Password) two-factor authentication support including:
- New TOTP service with secret generation, QR code provisioning, and code verification
- New auth endpoints for enrollment, verification, status, and backup code management
- New TOTP authentication method type and user methods for TOTP management
- Backup codes generation and verification for account recovery
- Updated OIDC endpoints with timezone-aware datetime handling and RFC-compliant responses
- Added "roles" scope support for OIDC userinfo and ID tokens
- New pyotp dependency for TOTP operations
- Comprehensive unit tests for TOTP service
2026-01-14 18:06:17 +10:30
parent 977abf66df
commit cfd79190ee
26 changed files with 2176 additions and 263 deletions
@@ -3,6 +3,7 @@ import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple
from datetime import timezone
from flask import current_app, g
from app.extensions import db
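Review bot: the added `from datetime import timezone` sits directly under the existing `from datetime import datetime, timedelta` line; fold it into that line as `from datetime import datetime, timedelta, timezone` so the datetime imports stay together and the linter does not flag a split import from the same module.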
@@ -219,11 +220,11 @@ class OIDCSessionService:
"""
from datetime import timedelta
cutoff = datetime.utcnow() - timedelta(hours=older_than_hours)
cutoff = datetime.now(timezone.utc) - timedelta(hours=older_than_hours)
# Get expired sessions
expired_sessions = OIDCSession.query.filter(
OIDCSession.expires_at < datetime.utcnow(),
OIDCSession.expires_at < datetime.now(timezone.utc),
OIDCSession.deleted_at == None
).all()
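Review bot: moving `cutoff` and the `expires_at` filter to `datetime.now(timezone.utc)` makes both values timezone-aware, so this is only correct if `OIDCSession.expires_at` is stored and loaded as an aware datetime; against a naive column the comparison can yield wrong results (or raise `TypeError` when compared in Python), so confirm the column is declared `DateTime(timezone=True)` and that every code path that writes `expires_at` supplies an aware value. The function-local `from datetime import timedelta` is now redundant with the module-level import and can be dropped, and while touching this filter `OIDCSession.deleted_at == None` is better written as `OIDCSession.deleted_at.is_(None)`.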