apstanisic / zmaj

Zmaj is a headless CMS for managing database
https://zmaj.vercel.app
MIT License

Require 2fa for some roles #26

Closed apstanisic closed 1 year ago

apstanisic commented 1 year ago

This can be done in the sign-in method: if the user must have 2FA, on successful sign-in, redirect to an admin panel page where the user has to create a 2FA token. But that means there needs to be another endpoint that will accept this for a not-signed-in user, with a special token.

Best option: on sign-in, show a dialog with the steps to enable 2FA. The API will return a token that is valid for 5 minutes, similarly to the normal 2FA setup. But this token will enable changing 2FA data without the user being signed in. After that, send the sign-in request again, since we will have the email, password, and 6-digit code in memory state.

Where to check if 2FA is required?

apstanisic commented 1 year ago

It should not be added as a permission, since it's not a permission, it's a requirement. For example, the users permission allows a user to access users data, and the admin panel permission allows access to the admin panel. This is not a permission, this is a requirement. So it should be a simple boolean column.
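The flow sketched across the two comments above (password sign-in that returns a 5-minute setup token instead of a session when the role requires 2FA, a token-authorized setup endpoint for a user who is not signed in, then a second sign-in carrying the 6-digit code, with the requirement stored as a boolean column on the role) as one worked example. This is added illustration code, not Zmaj's own implementation: the `Role`/`User` shapes, the `requireMfa` column name, the `SERVER_KEY`, the in-memory `pendingSecrets` map and the function names are all assumptions made for the example. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) so it can be checked against the RFC test vector.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical shapes for this example; not Zmaj's real schema or API.
export interface Role { name: string; requireMfa: boolean } // the "simple boolean column"
export interface User {
  email: string;
  salt: Buffer;
  passwordHash: Buffer;
  role: Role;
  mfaSecret?: Buffer; // set only once 2FA setup has been confirmed with a valid code
}

export const SETUP_TOKEN_TTL_MS = 5 * 60 * 1000; // the 5-minute validity from the issue
const SERVER_KEY = randomBytes(32); // hypothetical server-side HMAC key for setup tokens
const pendingSecrets = new Map<string, Buffer>(); // email -> secret awaiting confirmation

export function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

// RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamic truncation, 6 digits.
export function totp(secret: Buffer, nowMs: number, step = 30, digits = 6): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 1000 / step)));
  const mac = createHmac("sha1", secret).update(counter).digest();
  const o = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Accepts the current step and one step either side for clock skew; constant-time compare.
export function verifyTotp(secret: Buffer, code: string, nowMs: number): boolean {
  return [-30_000, 0, 30_000].some((skew) => {
    const expected = totp(secret, nowMs + skew);
    return expected.length === code.length && timingSafeEqual(Buffer.from(expected), Buffer.from(code));
  });
}

// Setup token: base64url(email).expiryMs.HMAC-SHA256(body). It is NOT a session; it only
// authorizes the two setup endpoints below, and only until it expires.
export function issueSetupToken(email: string, nowMs: number): string {
  const body = `${Buffer.from(email).toString("base64url")}.${nowMs + SETUP_TOKEN_TTL_MS}`;
  return `${body}.${createHmac("sha256", SERVER_KEY).update(body).digest("base64url")}`;
}

export function verifySetupToken(token: string, nowMs: number): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [emailB64, expStr, sig] = parts;
  const expected = createHmac("sha256", SERVER_KEY).update(`${emailB64}.${expStr}`).digest("base64url");
  if (sig.length !== expected.length || !timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) return null;
  if (!/^\d+$/.test(expStr) || Number(expStr) <= nowMs) return null; // expired after 5 minutes
  return Buffer.from(emailB64, "base64url").toString();
}

export type SignInResult =
  | { status: "ok"; session: string }
  | { status: "mfa_setup_required"; setupToken: string }
  | { status: "mfa_code_required" }
  | { status: "denied" };

export function signIn(users: Map<string, User>, email: string, password: string, nowMs: number, code?: string): SignInResult {
  const user = users.get(email);
  if (!user) return { status: "denied" };
  if (!timingSafeEqual(hashPassword(password, user.salt), user.passwordHash)) return { status: "denied" };
  if (user.mfaSecret) {
    if (code === undefined) return { status: "mfa_code_required" };
    if (!verifyTotp(user.mfaSecret, code, nowMs)) return { status: "denied" };
  } else if (user.role.requireMfa) {
    // Correct password, but the role requires 2FA and none is enrolled: no session, only a setup token.
    return { status: "mfa_setup_required", setupToken: issueSetupToken(email, nowMs) };
  }
  return { status: "ok", session: randomBytes(16).toString("hex") };
}

// Unauthenticated endpoint: start 2FA setup, authorized only by a valid setup token.
export function beginMfaSetup(users: Map<string, User>, setupToken: string, nowMs: number): Buffer | null {
  const email = verifySetupToken(setupToken, nowMs);
  const user = email ? users.get(email) : undefined;
  if (!user || user.mfaSecret) return null; // token invalid/expired, or 2FA already enrolled
  const secret = randomBytes(20);
  pendingSecrets.set(user.email, secret);
  return secret; // shown to the user (QR/base32) so the authenticator can be enrolled
}

// Unauthenticated endpoint: the secret is persisted only after the user proves they hold it.
export function completeMfaSetup(users: Map<string, User>, setupToken: string, code: string, nowMs: number): boolean {
  const email = verifySetupToken(setupToken, nowMs);
  const user = email ? users.get(email) : undefined;
  const secret = email ? pendingSecrets.get(email) : undefined;
  if (!user || !secret || user.mfaSecret || !verifyTotp(secret, code, nowMs)) return false;
  user.mfaSecret = secret;
  pendingSecrets.delete(user.email);
  return true;
}

// Whole flow on a constructed user whose role requires 2FA; returns the status of each step.
export function demoFlow(): string[] {
  const salt = randomBytes(16);
  const users = new Map<string, User>([["admin@example.com", {
    email: "admin@example.com", salt, passwordHash: hashPassword("hunter2", salt),
    role: { name: "admin", requireMfa: true },
  }]]);
  const t0 = 1_700_000_000_000;
  const steps: string[] = [];
  const first = signIn(users, "admin@example.com", "hunter2", t0);
  steps.push(first.status);
  if (first.status !== "mfa_setup_required") return steps;
  const secret = beginMfaSetup(users, first.setupToken, t0 + 1_000)!;
  steps.push(String(completeMfaSetup(users, first.setupToken, totp(secret, t0 + 2_000), t0 + 2_000)));
  steps.push(signIn(users, "admin@example.com", "hunter2", t0 + 3_000, totp(secret, t0 + 3_000)).status);
  steps.push(String(beginMfaSetup(users, first.setupToken, t0 + SETUP_TOKEN_TTL_MS + 1) === null));
  return steps;
}
```

The two things worth noticing are that the setup token is deliberately not a session (it cannot reach any other endpoint, and `beginMfaSetup` refuses it once a secret is enrolled, so a leaked token cannot be used to replace an existing authenticator), and that the requirement is read from `role.requireMfa` inside `signIn` rather than from the permission table, matching the second comment.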