andk / pause

Perl authors upload server
http://pause.perl.org/

Add MFA protection to several pages of the PAUSE #455

Open charsbar opened 5 months ago

charsbar commented 5 months ago

This is a replacement for https://github.com/wolfsage/pause/pull/5. It should work, but we need some discussion before proceeding.

New configuration options are (for now):

rjbs commented 5 months ago

I think I more or less understand this, but I have some questions about what our longer-term plan is or should be. Rolling this out as a temporary security measure seems okay to me, but I think we'd get a lot more value out of real API tokens for uploading and for real sessions that can be re-authenticated. I know that's not going to happen in the next two days, but maybe we can discuss approving that as the next goal tomorrow.

What I'd actually love to see is something like a paragraph explaining (to the users who will have to use this) how it's meant to work. We'll need to show them something like this when it changes, and also it'd help me understand whether this is all going to work right!

wolfsage commented 5 months ago

I think there are a few real problems to fix, but otherwise this would be a good thing to do.

I have reservations about using Auth::GoogleAuth's qr_code image links.

I think we could relatively easily add a full set of tests to make sure the behaviour works as we expect, so we don't have to hand-test things every time. (You could inject a known TOTP secret into a test user, and either optionally provide a way (if tests don't already have it) to fake the current time, or modify things so you can inject a timestamp into the TOTP stuff, so we can have consistent tokens to test against.)
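The testing approach suggested above (a known secret injected into a test user plus an injectable clock, so tokens are deterministic) is illustrated by the following Python sketch. This is an added example, not code from PAUSE or from any of the commenters; PAUSE itself is written in Perl, and the `TotpVerifier` class, its `clock` parameter and the `TestUser` record are hypothetical names chosen for the illustration. The secret `12345678901234567890` and the expected codes are the published RFC 4226 / RFC 6238 test vectors, which is what makes the expected tokens checkable without any hand testing.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Callable

# RFC 6238 reference secret (ASCII "12345678901234567890"); used only so the
# expected codes below can be checked against the published test vectors.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


@dataclass
class TestUser:
    """Hypothetical stand-in for a PAUSE user record with a stored TOTP secret."""
    name: str
    totp_secret: bytes


class TotpVerifier:
    """Verifies a user's token. The clock is injectable so tests are deterministic;
    production callers simply leave the default (time.time)."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 step: int = 30, digits: int = 6, window: int = 1):
        self._clock = clock
        self.step = step
        self.digits = digits
        self.window = window  # accept +/- this many steps of clock drift

    def verify(self, user: TestUser, token: str) -> bool:
        # Reject anything that is not exactly `digits` decimal digits up front.
        if len(token) != self.digits or not token.isdigit():
            return False
        counter = int(self._clock()) // self.step
        for delta in range(-self.window, self.window + 1):
            expected = hotp(user.totp_secret, counter + delta, self.digits)
            # Constant-time comparison so verification time does not leak digits.
            if hmac.compare_digest(expected, token):
                return True
        return False


if __name__ == "__main__":
    # Deterministic check: at unix time 59 the RFC 6238 8-digit code is 94287082.
    print(totp(RFC6238_SECRET, 59, digits=8))
    user = TestUser("TESTUSER", RFC6238_SECRET)
    frozen = TotpVerifier(clock=lambda: 59)  # fake "now" injected for the test
    print(frozen.verify(user, "287082"))  # 6-digit code for counter 1
```

The same pattern carries over to Perl: have the verifier take a coderef (or accept an explicit timestamp) instead of calling `time()` directly, and seed the test user with a fixed secret so the test suite can assert on exact tokens.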