add auth security foundation

[BigBen-7]

Summary

• add JWT authentication with access and refresh tokens plus logout blacklisting
• add TOTP-based 2FA setup, verification, disable flow, and backup codes
• add API key creation, validation, rotation, and revocation
• add password history enforcement and supporting Prisma schema changes

Why

These four assigned security issues all touch the same auth surface area, so landing them together keeps the schema, API design, and security behavior consistent.

Impact

• users can register, log in, refresh sessions, and log out with revocable JWTs
• users can enable 2FA and use backup codes during sign-in
• third-party integrations can authenticate with managed API keys
• password reuse is blocked across the configured password history window

Validation

• npm install
• npx prisma generate
• npm run build

Closes #285
Closes #294
Closes #295
Closes #296

[drips-wave]

@BigBen-7 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits