Multi-factor authentication (#1817)

* Initial pass

* Tests for MFA and locale cleanup

* Brakeman

* Update two-factor authentication status styling

* Update app/models/user.rb

Co-authored-by: Zach Gollwitzer <zach@maybe.co>
Signed-off-by: Josh Pigford <josh@joshpigford.com>

* Refactor MFA verification and session handling in tests

---------

Signed-off-by: Josh Pigford <josh@joshpigford.com>
Co-authored-by: Zach Gollwitzer <zach@maybe.co>

test/controllers/sessions_controller_test.rb

@@ -13,6 +13,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   test "can sign in" do
     sign_in @user
     assert_redirected_to root_url
+    assert Session.exists?(user_id: @user.id)
 
     get root_url
     assert_response :success
@@ -26,10 +27,14 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
   test "can sign out" do
     sign_in @user
+    session_record = @user.sessions.last
 
-    delete session_url(@user.sessions.order(:created_at).last)
+    delete session_url(session_record)
     assert_redirected_to new_session_path
     assert_equal "You have signed out successfully.", flash[:notice]
+
+    # Verify session is destroyed
+    assert_nil Session.find_by(id: session_record.id)
   end
 
   test "super admins can access the jobs page" do
@@ -42,4 +47,16 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     get good_job_url
     assert_response :not_found
   end
+
+  test "redirects to MFA verification when MFA enabled" do
+    @user.setup_mfa!
+    @user.enable_mfa!
+    @user.sessions.destroy_all # Clean up any existing sessions
+
+    post sessions_path, params: { email: @user.email, password: "password" }
+
+    assert_redirected_to verify_mfa_path
+    assert_equal @user.id, session[:mfa_user_id]
+    assert_not Session.exists?(user_id: @user.id)
+  end
 end