Conversation

@Tokisaki-Galaxy
Contributor

@Tokisaki-Galaxy Tokisaki-Galaxy commented Jan 29, 2026

The app must change a LuCI core file because:

  • No hook point exists between password verification and session creation
  • External packages cannot inject authentication logic
  • No plugin discovery mechanism exists in the original code

Security Measures

  • Constant-time string comparison to prevent timing attacks
  • Username sanitization to prevent command injection
  • Array-based popen to prevent shell injection
  • OTP format validation (exactly 6 digits)
  • Session destroyed if 2FA verification fails
  • Uses the authenticated session username to prevent bypass attacks

origin repo https://github.com/Tokisaki-Galaxy/luci-app-2fa

@Neustradamus

@Tokisaki-Galaxy: Nice, good job!

Do not forget to solve:

🔶 Author name (Tokisaki-Galaxy) seems to be a nickname or an alias
🔶 Committer name (Tokisaki-Galaxy) seems to be a nickname or an alias

@stangri
Member

stangri commented Jan 29, 2026

Looks very polished @Tokisaki-Galaxy!

Does this use TOTP? If the OpenWrt device doesn't have an RTC and is offline or generally doesn't have the correct time, does SSH become the only option to log in?

Is there a README/instructions (ideally a hint on a failed attempt) on how to disable 2FA from SSH/CLI for people who may be locked out of the WebUI and can't read the code ahead of time?

@Tokisaki-Galaxy
Contributor Author

Tokisaki-Galaxy commented Jan 30, 2026

At present, we are dealing with the interface logic for interaction with the LuCI core (#8281); the logic of the app should be put aside first.
The draft PR is submitted now to collect opinions and facilitate understanding of PR 8281.

At present, my rough goal is:
Use TOTP/HOTP (but since most 2FA validators are designed for TOTP, I plan to do HOTP after completing all the functions of TOTP).
Modify the process to verify whether the user's 2FA is saved when starting 2FA.

  • Full-Support TOTP
  • User-defined 2FA frequency and rules
  • IP whitelist
  • Time-based access restriction
    ...
  • Support HOTP

When abnormal time is detected under TOTP, 2FA will be automatically disabled, so as to minimize the cases where the user is unable to log in and has to disable it manually through SSH.
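The checks listed under "Security Measures" in the opening comment (exactly-six-digit format validation, constant-time comparison, username sanitization, array-based process spawning) and the abnormal-time handling planned above, shown together as an added example. This is not code from luci-app-2fa or from the LuCI core change; the HOTP/TOTP arithmetic follows RFC 4226/6238, while MIN_PLAUSIBLE_TIME, the helper path /usr/libexec/luci-2fa/get-secret, the USERNAME_RE pattern and the sample secret are assumptions of this example only.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

TOTP_STEP = 30        # RFC 6238 default time step in seconds
TOTP_DIGITS = 6       # matches the "exactly 6 digits" check in the PR description
TOTP_SKEW = 1         # accept one step of drift on either side

# Assumption of this example: a clock earlier than this cannot be a real
# wall-clock reading on a router deployed after that date (no RTC, NTP not
# yet synced), so TOTP is not meaningful and the caller should fall back.
MIN_PLAUSIBLE_TIME = 1767225600   # 2026-01-01T00:00:00Z

OTP_RE = re.compile(r"[0-9]{6}")
# Assumption: POSIX-style login names only; anything else is rejected before
# the name reaches a process argument or a config lookup.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class ClockUnreliable(Exception):
    """Raised when the system time is too implausible to evaluate TOTP."""


def decode_secret(b32_secret):
    """Decode a base32 shared secret as stored by most authenticator apps."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)            # restore padding that apps usually omit
    return base64.b32decode(s)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step)


def clock_is_plausible(now):
    return now >= MIN_PLAUSIBLE_TIME


def verify_totp(b32_secret, submitted, now=None):
    """Return True only if `submitted` is a well-formed code valid for the
    current step or one adjacent step. Raises ClockUnreliable instead of
    silently failing when the device clock cannot be trusted."""
    now = time.time() if now is None else now
    if not clock_is_plausible(now):
        raise ClockUnreliable("system time %d predates %d" % (now, MIN_PLAUSIBLE_TIME))
    # Format validation first: reject anything that is not exactly six digits.
    if not isinstance(submitted, str) or not OTP_RE.fullmatch(submitted):
        return False
    secret = decode_secret(b32_secret)
    counter = int(now) // TOTP_STEP
    ok = False
    # Evaluate every candidate and compare in constant time; no early exit,
    # so the response time does not reveal which step (if any) matched.
    for delta in range(-TOTP_SKEW, TOTP_SKEW + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            ok = True
    return ok


def sanitize_username(name):
    """Allow only a conservative login-name charset; raise otherwise."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def secret_lookup_argv(username):
    """Build an argv list for a hypothetical helper that prints the user's
    secret. A list (no shell) is the equivalent of the PR's array-based
    popen: the name is one argument, never interpolated into a command."""
    return ["/usr/libexec/luci-2fa/get-secret", sanitize_username(username)]


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret "12345678901234567890".
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(decode_secret(demo), 59))                # 287082 (RFC 6238 vector)
    print(verify_totp(demo, "279037", now=2000000000))  # True
```

Two things the block deliberately leaves to the caller: a code that has been accepted should be remembered so it cannot be replayed within the skew window, and ClockUnreliable is the point where a login flow would skip the OTP step (or fall back to password-only login) rather than lock the user out, which is the behaviour described above for an abnormal clock.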

@Tokisaki-Galaxy Tokisaki-Galaxy changed the title [WIP] luci-app-2fa: init checkin luci-app-2fa: init checkin Feb 2, 2026
@Tokisaki-Galaxy Tokisaki-Galaxy force-pushed the tokisaki-luci-app-otp branch 2 times, most recently from d55e8c5 to 0e97b5b Compare February 2, 2026 04:46
Co-authored-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: tokisaki galaxy <moebest@outlook.jp>