
feat: 2fa backup codes#9

Open
akshayutture-augment wants to merge 1 commit into enhance-two-factor-security-foundation from improve-two-factor-authentication-features

Conversation

@akshayutture-augment akshayutture-augment commented Nov 14, 2025

Test 3


Replicated from ai-code-review-evaluation/cal.com-cursor#3


Note

Introduce 2FA backup codes with UI, API, auth, and DB changes to generate, use, and manage codes during login and 2FA enable/disable.

  • Auth/UI:
    • Add BackupCode input component and integrate into login and disable-2FA flows with a "lost access" toggle.
    • Enhance TwoFactor component with optional autoFocus prop.
    • Update enable-2FA modal to display generated backup codes, and provide copy/download/close actions.
    • Use PasswordField in relevant modals; minor accessibility tweak (toggle button tabIndex=-1).
  • Backend/API:
    • POST /api/auth/two-factor/totp/setup: generate 10 encrypted backup codes; return them with QR/secret; persist to user.
    • POST /api/auth/two-factor/totp/disable: accept backupCode as alternative to TOTP; validate; clear backupCodes on success; improved error handling.
    • TwoFactorAuthAPI.disable now sends { password, code, backupCode }.
  • Authentication (NextAuth):
    • Credentials provider accepts backupCode; decrypts/validates; invalidates used code; expanded error codes.
  • Database:
    • Add users.backupCodes column (encrypted JSON) via migration; update Prisma schema.
  • i18n:
    • Add strings for backup codes, errors, and related UI text.
  • Tests:
    • Extend 2FA e2e to verify backup code UI (download/copy) during enable flow.

Written by Cursor Bugbot for commit a308075.

Co-authored-by: Peer Richelsen <peeroke@gmail.com>
@akshayutture-augment (Author) commented:

cursor review

setPassword("");
setErrorMessage(null);
setStep(SetupStep.ConfirmPassword);
};


Bug: Memory Leak: Unrevoked Blob URLs

The resetState function doesn't revoke the blob URL stored in backupCodesUrl, causing a memory leak. When the modal closes or resets, the blob URL created on line 99 remains in memory. The cleanup should call URL.revokeObjectURL(backupCodesUrl) before resetting state, and ideally also in a cleanup effect when the component unmounts.

