Add 2FA support

[yubiuser]

What does this PR aim to accomplish?:

Adds handling of 2 factor authentication to PADD

---

By submitting this pull request, I confirm the following:

1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
2. I have commented my proposed changes within the code and I have tested my changes.
3. I am willing to help maintain this change if there are issues with it later.
4. It is compatible with the EUPL 1.2 license
5. I have squashed any insignificant commits. (git rebase)
6. I have checked that another pull request for this purpose does not exist.
7. I have considered, and confirmed that this submission will be valuable to others.
8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
9. I give this submission freely, and claim no ownership to its content.

---

• I have read the above and my PR is ready for review. Check this box to confirm

[yubiuser]

If accepted, I'll backport it to https://github.com/pi-hole/pi-hole/blob/development/advanced/Scripts/api.sh

[PromoFaux]

Do we need this? I thought the whole point of the app password was to bypass 2FA for API usage?

[yubiuser]

Yes, the app password can bypass the 2FA, but users might not want to use it.

[mwoolweaver]

this still asks for 2fa even if running PADD as sudo on pihole device directly. i was under the impression that #392 made it so that no password (2fa as well?) needs to be provided if running as root or as a user is a member the pihole group.

without --2fa

sudo ./padd.sh --server pi.hole

so --2fa becomes required (can pass any number, even if more than 6 digits long) regardless of who is running PADD

sudo ./padd.sh --server pi.hole --2fa 0

or from any device with app password from api

./padd.sh --server pi.hole --secret <app-password> --2fa 0

if using WebUI password, --2fa must be valid

[yubiuser]

I pushed a small change that skipps 2FA if a CLI password is read. Thanks for testing.

[mwoolweaver]

tested with and without 2fa enabled on WebUI & running PADD on Pi-hole device and from other computers.

if 2FA is enabled, --2fa is only required when not using PADD from Pi-hole device as root, regardless of password that is provided as --secret.

if 2FA is not enabled on WebUI, PADD does not ask for second factor.

[yubiuser]

I think this is fine now as it is. I don't want to make the code to complicate to check for the app password as well. If users know they use the app password, they can just enter any number in the 2FA field.

[mwoolweaver]

If users know they use the app password, they can just enter any number in the 2FA field.

should it be explained somewhere that when using the app password, the 2fa field can be any number?

or a better way to say it would be

--2fa only needs to be valid when using WebUI password.

[DL6ER]

I guess this is good to go:

• On the same machine with cli_pw - immediate login (with and without 2FA) ✔️
• On the same machine without cli_pw - tried with a wrong and once with a reused (already used on the web interface) 2FA, both as expected ✔️
  
• On the same machine without cli_pw - with correct 2FA ✔️
• From a different machine, using the app password and entering any number ✔️