
Issue #58 — Backend: Manage TOTP Provider #667

@yusuftomilola

Location: backend/src/auth/providers/manage-totp.provider.ts

Description

Members need two additional management capabilities after enabling 2FA: the ability to check their current 2FA status (whether it is enabled and how many backup codes remain) and the ability to disable it entirely by confirming their password. Disabling 2FA must require password confirmation to prevent an attacker with a stolen session from silently removing the second factor.

Acceptance Criteria

  • A ManageTotpProvider class is created at backend/src/auth/providers/manage-totp.provider.ts
  • A get2faStatus(userId: string) method:
    • Loads the user — throws NotFoundException if not found
    • Returns { enabled: boolean, backupCodesRemaining: number } where backupCodesRemaining is user.totpBackupCodes?.length ?? 0
  • A disable2fa(userId: string, password: string) method:
    • Loads the user — throws NotFoundException if not found
    • Throws BadRequestException if twoFactorEnabled is already false
    • Verifies the provided password against user.password using the existing hashingProvider.comparePassword() (or equivalent) — throws UnauthorizedException with "Invalid password" if it does not match
    • Sets user.twoFactorEnabled = false, user.totpSecret = null, user.totpBackupCodes = null and saves
    • Returns { message: "Two-factor authentication has been disabled" }
  • ManageTotpProvider is registered in backend/src/auth/auth.module.ts
  • npx tsc --noEmit passes with no errors
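The following is an added example of how the two methods above can be laid out so that the password check runs before any state is touched; it is not the project's code. The Nest exception classes are replaced by plain `Error` subclasses of the same names, the user repository is an in-memory stand-in with an assumed `findOneById`/`save` interface, and the hashing provider is an assumed `hashPassword`/`comparePassword` pair backed by Node's scrypt, so the block runs offline without `@nestjs/common` or a database.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Stand-ins for the @nestjs/common exceptions (assumption: only class name and
// message matter for this example, so a plain Error subclass is enough).
class NotFoundException extends Error {
  constructor(message = 'Not Found') { super(message); this.name = 'NotFoundException'; }
}
class BadRequestException extends Error {
  constructor(message = 'Bad Request') { super(message); this.name = 'BadRequestException'; }
}
class UnauthorizedException extends Error {
  constructor(message = 'Unauthorized') { super(message); this.name = 'UnauthorizedException'; }
}

// Assumed user entity; field names follow the issue text.
interface User {
  id: string;
  password: string;                 // assumed format: "saltHex:hashHex" from scrypt
  twoFactorEnabled: boolean;
  totpSecret: string | null;
  totpBackupCodes: string[] | null;
}

// Assumed repository interface: in-memory stand-in for the project's ORM repository.
// findOneById returns a copy, so nothing reaches storage until save() is called.
class InMemoryUserRepository {
  private readonly users = new Map<string, User>();
  async findOneById(id: string): Promise<User | null> {
    const u = this.users.get(id);
    return u ? { ...u } : null;
  }
  async save(user: User): Promise<User> {
    this.users.set(user.id, { ...user });
    return user;
  }
}

// Assumed hashingProvider interface; scrypt + constant-time compare is the stand-in
// algorithm, the project's own provider may use a different one.
class HashingProvider {
  async hashPassword(plain: string): Promise<string> {
    const salt = randomBytes(16);
    const hash = scryptSync(plain, salt, 64);
    return `${salt.toString('hex')}:${hash.toString('hex')}`;
  }
  async comparePassword(plain: string, stored: string): Promise<boolean> {
    const [saltHex, hashHex] = stored.split(':');
    if (!saltHex || !hashHex) return false;
    const expected = Buffer.from(hashHex, 'hex');
    const actual = scryptSync(plain, Buffer.from(saltHex, 'hex'), expected.length);
    return actual.length === expected.length && timingSafeEqual(actual, expected);
  }
}

export class ManageTotpProvider {
  private readonly users: InMemoryUserRepository;
  private readonly hashing: HashingProvider;
  constructor(users: InMemoryUserRepository, hashing: HashingProvider) {
    this.users = users;
    this.hashing = hashing;
  }

  async get2faStatus(userId: string): Promise<{ enabled: boolean; backupCodesRemaining: number }> {
    const user = await this.users.findOneById(userId);
    if (!user) throw new NotFoundException('User not found');
    return { enabled: user.twoFactorEnabled, backupCodesRemaining: user.totpBackupCodes?.length ?? 0 };
  }

  async disable2fa(userId: string, password: string): Promise<{ message: string }> {
    const user = await this.users.findOneById(userId);
    if (!user) throw new NotFoundException('User not found');
    if (!user.twoFactorEnabled) throw new BadRequestException('Two-factor authentication is not enabled');
    // Re-authenticate before touching any state: a stolen session alone must not suffice.
    if (!(await this.hashing.comparePassword(password, user.password))) {
      throw new UnauthorizedException('Invalid password');
    }
    user.twoFactorEnabled = false;
    user.totpSecret = null;
    user.totpBackupCodes = null;
    await this.users.save(user);
    return { message: 'Two-factor authentication has been disabled' };
  }
}

// Constructed scenario (not project data): one enrolled user walked through the
// status, wrong-password, correct-password, already-disabled and unknown-user paths.
export async function runScenario() {
  const repo = new InMemoryUserRepository();
  const hashing = new HashingProvider();
  await repo.save({
    id: 'u1',
    password: await hashing.hashPassword('correct horse battery staple'),
    twoFactorEnabled: true,
    totpSecret: 'JBSWY3DPEHPK3PXP',
    totpBackupCodes: ['1111-2222', '3333-4444'],
  });
  const provider = new ManageTotpProvider(repo, hashing);
  const errorName = (p: Promise<unknown>) =>
    p.then(() => 'none', (e: Error) => `${e.name}: ${e.message}`);

  const before = await provider.get2faStatus('u1');
  const wrongPassword = await errorName(provider.disable2fa('u1', 'not my password'));
  const stillEnabled = (await provider.get2faStatus('u1')).enabled;
  const disabled = await provider.disable2fa('u1', 'correct horse battery staple');
  const after = await provider.get2faStatus('u1');
  const disableAgain = await errorName(provider.disable2fa('u1', 'correct horse battery staple'));
  const unknownUser = await errorName(provider.get2faStatus('nobody'));
  return { before, wrongPassword, stillEnabled, disabled, after, disableAgain, unknownUser };
}
```

The ordering in `disable2fa` is the point worth checking in review: the user is loaded fresh from the repository rather than taken from the session, the "already disabled" and password checks both run before any field is cleared, and the secret and backup codes are nulled in the same save as the flag so a failure between them cannot leave a half-disabled account.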
