chore: migrate 2FA TOTP DDP methods to /v1/users.totp.* REST endpoints

[ggazzo]

Summary

Continues the DDP→REST sweep (#40659, #40711, #40675, #40724, #40728). This batch migrates the five 2fa:* TOTP DDP methods that backed account/security/TwoFactorTOTP. DDP methods stay registered for external SDK/mobile clients with deprecation logs pointing at the new routes.

New endpoints

DDP method	REST endpoint	Body	Response
2fa:enable	POST /v1/users.totp.enable	—	{ secret, url }
2fa:disable	POST /v1/users.totp.disable	{ code }	{ disabled }
2fa:validateTempToken	POST /v1/users.totp.validate	{ code }	{ codes }
2fa:regenerateCodes	POST /v1/users.totp.regenerateCodes	{ code }	{ codes }
2fa:checkCodesRemaining	GET /v1/users.totp.codesRemaining	—	{ remaining }

All five extract the original method body into a shared function (apps/meteor/app/2fa/server/functions/totp.ts) reused by both DDP + REST entrypoints.

Validate flow note

validate keeps the DDP-era post-enable login-token rotation: REST forwards the caller's X-Auth-Token (this.token) so non-PAT tokens get revoked just like the DDP path did via this.connection.httpHeaders['x-auth-token'].

Client changes

TwoFactorTOTP.tsx swapped five useMethod hooks for five useEndpoint hooks. Disable response shape changed from bare boolean to { disabled: boolean }; verify/regenerate continue to return { codes }.

Test plan

• CI green (lint + typecheck pass)
• Account → Security → Two-factor authentication → toggle on → QR appears, scan, verify code → backup codes modal renders
• Re-load page → "You have N codes remaining" reads right
• Regenerate backup codes → modal with new codes
• Toggle 2FA off → enter current code → success toast; reload to confirm disabled state
• Validate path revokes other login tokens (open second tab, validate, second tab gets kicked)

🤖 Generated with Claude Code

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 1be9c7b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@rocket.chat/meteor	Minor
@rocket.chat/rest-typings	Minor
@rocket.chat/core-typings	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dd80781a-96f8-4043-8751-ac8c2610ab6a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.75%. Comparing base (b92bcc7) to head (1be9c7b).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40734      +/-   ##
===========================================
- Coverage    69.76%   69.75%   -0.01%     
===========================================
  Files         3327     3327              
  Lines       123134   123134              
  Branches     21963    21909      -54     
===========================================
- Hits         85902    85893       -9     
- Misses       33873    33881       +8     
- Partials      3359     3360       +1     

Flag	Coverage Δ
e2e	59.37% <50.00%> (-0.02%)	⬇️
e2e-api	46.95% <ø> (+0.82%)	⬆️
unit	70.44% <ø> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.