snapshot: preserve totp account security baseline

backend/workflows/models.py

@@ -2,6 +2,7 @@ from django.conf import settings
 from django.core.validators import FileExtensionValidator
 from django.db import models
 from django.utils.translation import get_language
+from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
 
@@ -39,6 +40,9 @@ class UserProfile(models.Model):
     department = models.CharField(max_length=255, blank=True, default='')
     location = models.CharField(max_length=255, blank=True, default='')
     contact_notes = models.CharField(max_length=255, blank=True, default='')
+    totp_secret = models.CharField(max_length=64, blank=True, default='')
+    totp_enabled = models.BooleanField(default=False)
+    totp_confirmed_at = models.DateTimeField(null=True, blank=True)
     updated_at = models.DateTimeField(auto_now=True)
 
     class Meta:
@@ -48,6 +52,18 @@ class UserProfile(models.Model):
     def __str__(self) -> str:
         return getattr(self.user, 'username', '') or str(self.user_id)
 
+    def disable_totp(self) -> None:
+        self.totp_secret = ''
+        self.totp_enabled = False
+        self.totp_confirmed_at = None
+        self.save(update_fields=['totp_secret', 'totp_enabled', 'totp_confirmed_at', 'updated_at'])
+
+    def enable_totp(self, secret: str) -> None:
+        self.totp_secret = secret
+        self.totp_enabled = True
+        self.totp_confirmed_at = timezone.now()
+        self.save(update_fields=['totp_secret', 'totp_enabled', 'totp_confirmed_at', 'updated_at'])
+
 
 class PortalBranding(models.Model):
     name = models.CharField(max_length=80, default='Default', unique=True)