fix: P0-07 complete frontend TOTP login flow

Backend changes:
- Add VerifyTOTPAfterPasswordLogin handler in auth_handler.go
- Add route /auth/login/totp-verify in router.go

Frontend changes:
- Update TokenBundle type to include requires_totp and user_id fields
- Add TOTPVerifyRequest type for TOTP verification
- Add verifyTOTPAfterPasswordLogin() API function

New login flow when user has TOTP enabled:
1. loginByPassword returns {requires_totp: true, user_id: <id>}
2. Frontend prompts user for TOTP code
3. Frontend calls verifyTOTPAfterPasswordLogin({user_id, code})
4. If TOTP valid, full TokenBundle with tokens is returned

frontend/admin/src/services/auth.ts

@@ -16,6 +16,7 @@ import type {
   SendEmailCodeRequest,
   SendSmsCodeRequest,
   TokenBundle,
+  TOTPVerifyRequest,
   ValidateResetTokenResponse,
 } from '@/types'
 
@@ -40,6 +41,11 @@ export function loginByPassword(data: LoginByPasswordRequest): Promise<TokenBund
   return post<TokenBundle>('/auth/login', data, { auth: false, credentials: 'include' })
 }
 
+// Verify TOTP after password login when requires_totp is returned
+export function verifyTOTPAfterPasswordLogin(data: TOTPVerifyRequest): Promise<TokenBundle> {
+  return post<TokenBundle>('/auth/login/totp-verify', data, { auth: false, credentials: 'include' })
+}
+
 export function loginByEmailCode(data: LoginByEmailCodeRequest): Promise<TokenBundle> {
   return post<TokenBundle>('/auth/login/email-code', data, { auth: false, credentials: 'include' })
 }

frontend/admin/src/types/auth.ts

@@ -15,6 +15,16 @@ export interface TokenBundle {
   refresh_token?: string
   expires_in: number
   user: SessionUser
+  // TOTP required response (when user has TOTP enabled but device is not trusted)
+  requires_totp?: boolean
+  user_id?: number
+}
+
+// TOTP verification request after password login
+export interface TOTPVerifyRequest {
+  user_id: number
+  code: string
+  device_id?: string
 }
 
 export interface OAuthProviderInfo {