Distinguish 'done' from 'configuring' in 2FA

[mrvahedi68]

• Resolves: Confusing variable name in 2FA #35554

Summary

When there is a token in the session for which the user is still setting up 2FA, setting self::SESSION_UID_DONE ("two_factor_auth_passed") is a misnomer.

AFAICT, everything works fine if you set nothing into the session and just return 'false' from this if-statement, but in case there is some code (now or in the future) that needs to know if the user is configuring 2FA, to play it safe I would suggest storing self::SESSION_UID_CONFIGURING ("two_factor_auth_configuring") into the session.

TODO

• add tests
• test manually
• consider removing this session variable once configuration is successfully completed

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[michielbdejong]

Can someone review this please?
@miaulalala you already gave this code a "looks good", this is the rebase you requested.

[mickenordin]

Is there anything blocking the merge of this? It would be great if this could be merged.

[ChristophWurst]

See the open todos in the PR description

[ChristophWurst]

For the tests: let's also add one that tests the change of session data IDs during an authentication. That can happen when an instance is upgraded in the middle of a user's authentication attempt.

[sorbaugh]

Hello @michielbdejong, I'm reopening your PR and requesting reviews! :) Is there anything left blocking you? We'd like to help you get this one in!