Implement an optional two-factor-like authentication mechanism

[vdombrovski]

Problem Statement

Currently, when a peer key is delivered to the user, it will never expire unless an administrator sets an expiry date manually or disables it. This could become tedious to manage and unfortunately doesn't protect the system whenever a peer key is stolen and reused by a malicious actor.

This feature adds an additional layer, requiring users to re-authenticate to the WG-portal UI (supposedly made public) at regular intervals, guaranteeing that when a peer key is stolen, the malicious actor won't be able to connect after some time unless they are also in possession of the users credentials (either local or LDAP/SSO), and without any manual action from an administrator.

Related Issue

N/A this is a new feature.

Proposed Changes

• Implement a new parameter called two_factor_lifetime, which controls the time after which the peer expires. In the backend this connects directly into the existing "expiration" mechanism, so that minimal code changes are required
• Also adds a fix to the log-out page redirection, since a complete logout/login cycle must happen to enable the peers.
• Finally, this updates the ExpiryDateTimeLayout to include hours/minutes/seconds, so that the users are shown precise data regarding when their peers will next expire.

Checklist

• Commits are signed with git commit --signoff
• Changes have reasonable test coverage
• Tests pass with make test
• Helm docs are up-to-date with make helm-docs