Add TOTP Two-Factor Authentication for Admin Accounts #32

Open
smileoniks-ctrl wants to merge 7 commits into ClickDevTech:dev from smileoniks-ctrl:admin-topt-registration

Conversation

smileoniks-ctrl (Contributor) commented Mar 19, 2026

Summary

Implements Time-based One-Time Password (TOTP) two-factor authentication for administrative accounts, including self-service TOTP management in settings and protection for critical operations like password changes.

Files Changed

File                            Changes
src/services/totpService.js     +63 lines   new TOTP service
src/routes/panel.js             +576 lines  TOTP authentication endpoints
src/models/adminModel.js        +84 lines   TOTP fields in admin model
views/totp-verify.ejs           +88 lines   TOTP verification page
views/settings.ejs              +83 lines   TOTP management UI
views/setup.ejs                 +12 lines
src/locales/en.json             +32 lines
src/locales/ru.json             +32 lines
index.js                        +97 lines
package.json / package-lock.json            TOTP dependencies
Total: +1,070 / -90 lines across 11 files

Features

Optional TOTP Authentication for Admins

  • Login flow with TOTP code verification
  • QR code setup for authenticator apps (Google Authenticator, Authy, etc.)

Self-Service TOTP Management

  • Enable/disable TOTP from settings page
  • Regenerate secret key
  • Display QR code and manual secret entry

Password Change Protection

  • Requires TOTP confirmation when changing admin password

Commits

  • 6d75215 feat: add optional admin TOTP authentication flow
  • c233297 feat: add self-service TOTP management in settings
  • 400ad32 fix: require TOTP confirmation for password change

Security Considerations

  • TOTP secrets stored securely in database
  • Session invalidation on TOTP enable/disable
  • Protection against brute-force on TOTP verification
