directory server cannot know the source of the requesting client.
there are 3 sources - external app, cloudron app, cloudron dashboard.
the 2fa is requested by client by passing `+totpToken=xxx` . totpToken
is ignored if the user has no 2fa setup. If present, it is validated.
initially, the idea was to make the server enforce it. this is more secure. however,
we have 3 kinds of clients - an external cloudron dashboard which needs totp,
an external cloudron app, which doesn't have totp and external apps that don't have totp either.
given that the directory server is IP restricted, this is a reasonable compromise until
we move wholesale to oidc.
a directoryserver setting like "enforce totp" also does not work since this policy will be
applied to all clients.
Girish Ramakrishnan