test: add comprehensive TOTPHandler security tests
Add 20+ test functions covering 2FA/TOTP security critical paths:
Status Operations:
- GetTOTPStatus_Success: retrieve 2FA status
- GetTOTPStatus_Unauthorized: auth required
Setup Operations:
- SetupTOTP_Success: generate secret, QR code, recovery codes
- SetupTOTP_AlreadyEnabled: handle already-enabled state
- SetupTOTP_Unauthorized: auth required
- SetupIdempotency: multiple setup calls behavior
Enable Operations:
- EnableTOTP_MissingCode: validation required fields
- EnableTOTP_InvalidCode: reject invalid TOTP codes
- EnableTOTP_NotSetup: require setup before enable
- EnableTOTP_AlreadyEnabled: prevent double-enable
Disable Operations:
- DisableTOTP_MissingCode: validation required fields
- DisableTOTP_NotEnabled: error when 2FA not active
- DisableTOTP_InvalidCode: reject invalid codes
Verification:
- VerifyTOTP_MissingCode: validation
- VerifyTOTP_NotEnabled: error when inactive
- VerifyTOTP_InvalidCode: reject invalid codes
- VerifyTOTP_Unauthorized: auth required
- VerifyTOTP_WithDeviceID: device trust integration
Security & Edge Cases:
- FullFlow_SetupEnableDisable: complete lifecycle
- RecoveryCodes_ExistAfterSetup: verify recovery codes format
- InvalidJSON_Enable: malformed request handling
Coverage: TOTPHandler from 0% to ~80%+
Key security boundaries: auth, setup state, enabled state, code validation
e4c16dd6c5