Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user

app/models/oidc_user_consent.rb

@@ -6,6 +6,7 @@ class OidcUserConsent < ApplicationRecord
   validates :user_id, uniqueness: { scope: :application_id }
 
   before_validation :set_granted_at, on: :create
+  before_validation :set_sid, on: :create
 
   # Parse scopes_granted into an array
   def scopes
@@ -44,9 +45,18 @@ class OidcUserConsent < ApplicationRecord
     end.join(', ')
   end
 
+  # Find consent by SID
+  def self.find_by_sid(sid)
+    find_by(sid: sid)
+  end
+
   private
 
   def set_granted_at
     self.granted_at ||= Time.current
   end
+
+  def set_sid
+    self.sid ||= SecureRandom.uuid
+  end
 end

app/models/user.rb

@@ -44,7 +44,9 @@ class User < ApplicationRecord
   end
 
   def disable_totp!
-    update!(totp_secret: nil, totp_required: false, backup_codes: nil)
+    # Note: This does NOT clear totp_required flag
+    # Admins control that flag via admin panel, users cannot remove admin-required 2FA
+    update!(totp_secret: nil, backup_codes: nil)
   end
 
   def totp_provisioning_uri(issuer: "Clinch")