Add a middleware that takes a list of URLs / paths / regex patterns where MFA is enforced
This is a feature request that stems from #60.
Feature request
As a developer, I want to ensure that views under some URL path are protected with multi-factor authentication. For example, I want everything under /admin/ to be protected with MFA. When the user hasn't provided MFA credentials since they logged in, they're redirected to a view where they can provide a TOTP token, backup code, or WebAuthN assertion. After a successful verification, they're then redirected to the originally requested page.
This ticket likely requires #68 before it can be implemented.
Implementation idea
One way I can imagine this working is a middleware that looks at the current request path and compares it to a list (or rather set) of exact paths and to a set of regex patterns. Something along these lines:

```python
import re

from django.shortcuts import redirect

# Exact paths that require a second factor.
MFA_URLS = {"/my-view/", "/another/path/to/a/view"}
# Regex patterns matched against request.path (re.match anchors at the start).
MFA_REGEX_PATTERNS = [r"^/admin/", r"^/internal/.+/something/$"]


def ensure_mfa_middleware(get_response):
    # Compile once at startup; the alternatives are joined into a single regex.
    regex = re.compile(r"|".join(MFA_REGEX_PATTERNS))

    def middleware(request):
        if not request.session.get("kagi_verified", False):  # See #68
            if request.path in MFA_URLS or regex.match(request.path):
                return redirect("kagi:verify-second-factor")
        response = get_response(request)
        return response

    return middleware
```
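To make the sketch above concrete, here is an added, framework-free version of the same idea (example code written for this ticket, not kagi's own middleware). It keeps the `kagi_verified` session key and the two settings from the sketch, but assumes a verification view at the hypothetical path `/kagi/verify/`, carries the originally requested URL in a `next` query parameter so the verify view can send the user back, skips the verify view itself so a protected prefix can never redirect into a loop, and shows the `next` validation the verify view would need so that the post-verification redirect cannot be turned into an open redirect. `FakeRequest` and `Response` are stand-ins for Django's request and `HttpResponseRedirect` so the block runs without Django.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Settings taken from the sketch in this ticket.
MFA_URLS = {"/my-view/", "/another/path/to/a/view"}
MFA_REGEX_PATTERNS = [r"^/admin/", r"^/internal/.+/something/$"]
# Assumed path of the second-factor verification view (hypothetical).
VERIFY_PATH = "/kagi/verify/"


def compile_mfa_patterns(patterns):
    """Join the patterns into one regex; each alternative is wrapped in a
    non-capturing group so its anchors and inline flags apply only to itself."""
    if not patterns:
        return None
    return re.compile("|".join(f"(?:{p})" for p in patterns))


def path_requires_mfa(path, urls=MFA_URLS, regex=None):
    """Exact-path membership first, then the compiled regex (anchored at start)."""
    if path in urls:
        return True
    return bool(regex and regex.match(path))


def safe_next(candidate, default="/"):
    """Accept only a same-site absolute path for the post-verification redirect:
    exactly one leading "/", no scheme, no host, no backslash tricks."""
    if (candidate and candidate.startswith("/") and not candidate.startswith("//")
            and "\\" not in candidate):
        return candidate
    return default


@dataclass
class FakeRequest:
    """Stand-in for a Django request: path, session dict, raw query string."""
    path: str
    session: dict = field(default_factory=dict)
    query_string: str = ""

    def get_full_path(self):
        return self.path + ("?" + self.query_string if self.query_string else "")


@dataclass
class Response:
    """Stand-in for an HTTP response: 302 with Location, or 200 pass-through."""
    status: int
    location: Optional[str] = None


def ensure_mfa_middleware(get_response, urls=MFA_URLS, patterns=MFA_REGEX_PATTERNS,
                          verify_path=VERIFY_PATH):
    regex = compile_mfa_patterns(patterns)

    def middleware(request):
        verified = request.session.get("kagi_verified", False)  # See #68
        # Never redirect the verify view itself, otherwise a pattern that covers
        # it (e.g. everything under /) would loop forever.
        if (not verified and request.path != verify_path
                and path_requires_mfa(request.path, urls, regex)):
            # Carry the full original URL (path + query) so the user lands back
            # on the page they asked for after a successful verification.
            target = verify_path + "?" + urlencode({"next": request.get_full_path()})
            return Response(302, target)
        return get_response(request)

    return middleware


def run_demo() -> Dict[Tuple[str, bool], Tuple[int, Optional[str]]]:
    """Run constructed requests through the middleware and collect the outcomes."""
    app = ensure_mfa_middleware(lambda request: Response(200))
    cases = [
        ("/admin/users/", False, "page=2"),          # prefix match, unverified
        ("/admin/users/", True, "page=2"),           # same path, already verified
        ("/public/", False, ""),                     # not protected
        ("/internal/x/something/", False, ""),       # full regex match
        ("/internal/x/something/extra", False, ""),  # trailing $ rejects it
        ("/my-view/", False, ""),                    # exact-path set
        (VERIFY_PATH, False, ""),                    # verify view is never redirected
    ]
    results = {}
    for path, verified, qs in cases:
        resp = app(FakeRequest(path, {"kagi_verified": verified}, qs))
        results[(path, verified)] = (resp.status, resp.location)
    return results


if __name__ == "__main__":
    for (path, verified), (status, location) in run_demo().items():
        print(f"{path:32} verified={verified!s:5} -> {status} {location or ''}")
```

The verify view would read `next` from the query string, pass it through `safe_next()` (in Django, `url_has_allowed_host_and_scheme` does the same job) and redirect there only after `kagi_verified` has been set; a plain set lookup plus one compiled regex keeps the per-request cost negligible.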