FEATURE: Implement 2factor login TOTP

implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts

spec/controllers/session_controller_spec.rb

@@ -584,6 +584,39 @@ describe SessionController do
         end
       end
 
+      context 'when user has 2-factor logins' do
+        second_factor_data = "rcyryaqage3jexfj"
+        before do
+          user.user_second_factor = UserSecondFactor.create(user_id: user.id, method: "totp", data: second_factor_data, enabled: true)
+        end
+
+        describe 'failure no 2-factor' do
+          it 'should return an error' do
+            post :create, params: {
+                   login: user.username, password: 'myawesomepassword'
+                 }, format: :json
+            expect(JSON.parse(response.body)['error']).to eq(I18n.t('login.invalid_second_factor_code'))
+          end
+        end
+        describe 'successful 2-factor' do
+          it 'logs in correctly' do
+            events = DiscourseEvent.track_events do
+              post :create, params: {
+                     login: user.username, password: 'myawesomepassword', second_factor_token: ROTP::TOTP.new(second_factor_data).now
+                   }, format: :json
+            end
+
+            expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
+
+            user.reload
+
+            expect(session[:current_user_id]).to eq(user.id)
+            expect(user.user_auth_tokens.count).to eq(1)
+            expect(UserAuthToken.hash_token(cookies[:_t])).to eq(user.user_auth_tokens.first.auth_token)
+          end
+        end
+      end
+
       describe 'with a blocked IP' do
         before do
           screened_ip = Fabricate(:screened_ip_address)
@@ -777,6 +810,26 @@ describe SessionController do
           login: user.username, password: 'myawesomepassword'
         }, format: :json
 
+        expect(response).not_to be_success
+        json = JSON.parse(response.body)
+        expect(json["error_type"]).to eq("rate_limit")
+      end
+      it 'rate limits second factor attempts' do
+        RateLimiter.enable
+        RateLimiter.clear_all!
+
+        3.times do
+          post :create, params: {
+                 login: user.username, password: 'myawesomepassword', second_factor_token: '000000'
+               }, format: :json
+
+          expect(response).to be_success
+        end
+
+        post :create, params: {
+               login: user.username, password: 'myawesomepassword', second_factor_token: '000000'
+             }, format: :json
+
         expect(response).not_to be_success
         json = JSON.parse(response.body)
         expect(json["error_type"]).to eq("rate_limit")