commit 84253f49cd1b6a6ace5e30c22eb18c9e9ed6bbb1
Author: Valerie Pomerleau
Date: Fri Aug 15 12:05:27 2025 -0700

feat(auth, settings): Move 2fa setup initial code validation server-side

Because:
* Delaying the 2fa code verification after recovery method confirmation could cause issues with expired codes
* We want to immediately verify the code server-side on code submission

This commit:
* Remove 2fa setup handling from session/verify/totp and only keep session verification handling
* Create new API endpoints to verify 2fa setup code and complete 2fa setup
* totp/setup/verify stores the verification status in Redis
* Update totp/create to use existing Redis secret on restart/refresh if not expired
* Add new handlers in fxa-client for new endpoints
* Update frontend to use new endpoints and remove client-side code verification
* Remove client-side otplib import
* Update tests

Closes #FXA-12128