feat(api/v2): implement TOTP session check (#6362)

* feat(api/v2): implement TOTP session check

* add integration test

* correct typo in projection test

* fix event type typos

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

proto/zitadel/session/v2alpha/session.proto

@@ -46,6 +46,7 @@ message Factors {
   PasswordFactor password = 2;
   WebAuthNFactor web_auth_n = 3;
   IntentFactor intent = 4;
+  TOTPFactor totp = 5;
 }
 
 message UserFactor {
@@ -101,6 +102,14 @@ message WebAuthNFactor {
   bool user_verified = 2;
 }
 
+message TOTPFactor {
+  google.protobuf.Timestamp verified_at = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "\"time when the Time-based One-Time Password was last checked\"";
+    }
+  ];
+}
+
 message SearchQuery {
   oneof query {
     option (validate.required) = true;

proto/zitadel/session/v2alpha/session_service.proto

@@ -346,6 +346,11 @@ message Checks {
       description: "\"Checks the intent. Requires that the userlink is already checked and a successful intent.\"";
     }
   ];
+  optional CheckTOTP totp = 5 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "\"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
+    }
+  ];
 }
 
 message CheckUser {
@@ -412,3 +417,14 @@ message CheckIntent {
     }
   ];
 }
+
+message CheckTOTP {
+  string totp = 1 [
+    (validate.rules).string = {min_len: 6, max_len: 6},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 6;
+      max_length: 6;
+      example: "\"323764\"";
+    }
+  ];
+}