This is designed so that any factor that needs to store a temporary secret during the login flow can offload the bulk of that work to a central MFA API in tool_mfa. Many factors have almost identical requirements, i.e. a random 6 digit code which lasts for N minutes.
So, proposing a few parts to the API:
Create a secret
[x] a new API, something like `create_secret(int $expires, bool $session, $secret = null)`
[x] an expiry in seconds
[x] a flag that determines whether the secret is tied to the current $USER session, or stored in the database and available across sessions (do we ever actually want them shared?)
[x] the secret argument is usually omitted and defaults to a random 6 digit numeric code (generated with a CSPRNG such as random_int()), but a factor can pass its own secret in
Validate a secret
[x] a validate API, `validate_secret($secret)`. This checks the expiry, session binding, etc. and returns either a status code or a partial errors array ready to slot into an mform validation() method. The comparison should be constant time (hash_equals()) and the number of failed attempts against one code should be capped, otherwise a 6 digit code can simply be guessed.
Revoke a secret
[x] Used when a user receives a code they did not request. The revoke should be stored, and it should result in the factor being an explicit fail rather than a neutral result
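As an added sketch of how the create / validate / revoke pieces above fit together (this is not tool_mfa's code and not the author's proposal verbatim): the session is modelled as a plain array passed by reference so it runs from the CLI without Moodle; the class name, status constants, the attempt cap, the consume-on-success behaviour and the injected `$now` clock are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not tool_mfa's own code. Class/constant names, the
// attempt cap, single-use behaviour and the $now clock are assumptions.
final class mfa_secret_sketch {
    public const VALID    = 0;
    public const NONE     = 1; // nothing outstanding: a neutral result
    public const EXPIRED  = 2;
    public const MISMATCH = 3;
    public const REVOKED  = 4; // user said "that wasn't me": an explicit fail
    public const LOCKED   = 5; // too many wrong guesses against one code (assumed cap)

    private const KEY = 'tool_mfa_secret';

    /** @var array<string,mixed> stand-in for the $USER session */
    private array $session;

    public function __construct(array &$session, private int $maxattempts = 5) {
        $this->session = &$session;
    }

    /** Issue a session-bound code and return the plaintext for delivery (SMS, email, ...). */
    public function create_secret(int $expires, bool $session = true, ?string $secret = null, ?int $now = null): string {
        if (!$session) {
            // Database-backed, cross-session storage is not modelled in this sketch.
            throw new InvalidArgumentException('only session-bound secrets are modelled here');
        }
        // Default: six decimal digits from a CSPRNG, zero-padded so 000123 is as likely as any other.
        $secret ??= str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->session[self::KEY] = [
            'hash'     => hash('sha256', $secret), // keep the plaintext out of session dumps
            'expires'  => ($now ?? time()) + $expires,
            'attempts' => 0,
            'revoked'  => false,
        ];
        return $secret;
    }

    /** Check a submitted code. Revocation is checked first so it stays sticky even after expiry. */
    public function validate_secret(string $input, ?int $now = null): int {
        $rec = $this->session[self::KEY] ?? null;
        if ($rec === null) {
            return self::NONE;
        }
        if ($rec['revoked']) {
            return self::REVOKED;
        }
        if (($now ?? time()) > $rec['expires']) {
            unset($this->session[self::KEY]);
            return self::EXPIRED;
        }
        if ($rec['attempts'] >= $this->maxattempts) {
            return self::LOCKED;
        }
        $this->session[self::KEY]['attempts']++;
        // Constant-time comparison of equal-length digests.
        if (!hash_equals($rec['hash'], hash('sha256', $input))) {
            return self::MISMATCH;
        }
        unset($this->session[self::KEY]); // single use: a correct code cannot be replayed
        return self::VALID;
    }

    public function revoke_secret(): void {
        if (isset($this->session[self::KEY])) {
            $this->session[self::KEY]['revoked'] = true;
        }
    }

    /** Partial result for an mform validation() method: [] on success, [field => message] otherwise. */
    public function validate_for_mform(string $input, string $field = 'verificationcode', ?int $now = null): array {
        $messages = [
            self::NONE     => 'No verification code is outstanding',
            self::EXPIRED  => 'The verification code has expired',
            self::MISMATCH => 'Incorrect verification code',
            self::REVOKED  => 'This verification code was revoked',
            self::LOCKED   => 'Too many incorrect attempts',
        ];
        $status = $this->validate_secret($input, $now);
        return $status === self::VALID ? [] : [$field => $messages[$status]];
    }
}

// Walk-through with a fixed clock instead of sleeping.
$session = [];
$api  = new mfa_secret_sketch($session, 3);
$code = $api->create_secret(300, true, null, 1000);                          // issued at t=1000, lives 300 s
var_dump($api->validate_secret('nope', 1010) === mfa_secret_sketch::MISMATCH);
var_dump($api->validate_secret($code, 1301) === mfa_secret_sketch::EXPIRED);
$api->create_secret(300, true, '123456', 2000);
var_dump($api->validate_secret('123456', 2010) === mfa_secret_sketch::VALID);
var_dump($api->validate_secret('123456', 2020) === mfa_secret_sketch::NONE);  // consumed, no replay
$api->create_secret(300, true, '654321', 3000);
$api->revoke_secret();
var_dump($api->validate_for_mform('654321', 'verificationcode', 3010));     // explicit fail, not neutral
```

The ordering of checks is the security-relevant part: a revoke is tested before expiry so "that wasn't me" is never downgraded to a neutral "nothing outstanding" once the code times out, and the attempt counter is incremented before the comparison so a caller cannot probe without spending an attempt.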
Enter a secret
[x] a custom mform field type which slightly improves the UX of the input used to enter the secret, i.e. all the best practice around autocompletion (autocomplete="one-time-code", inputmode="numeric")
[x] larger font size, fixed-width font, wider spacing between characters
[x] auto-submit when N characters have been entered (defaults to 6)
Strings
[x] It probably also makes sense to have a set of lang strings in tool_mfa which the factors can choose to use instead of repeating the same strings, i.e. if SMS, Telegram and Facebook all do pretty much exactly the same thing you should not need to customise every string in each factor.
Factors which will probably use this:
[x] SMS / SNS
[ ] Email (needs the pass + revoke URL API)
[ ] Telegram (not yet landed)
[ ] Other message apps in future eg Facebook / Whatsapp / Rocketchat