Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation

app/models/user.rb

@@ -1,4 +1,7 @@
 class User < ApplicationRecord
+  # Encrypt TOTP secrets at rest (key derived from SECRET_KEY_BASE)
+  encrypts :totp_secret
+
   has_secure_password
   has_many :sessions, dependent: :destroy
   has_many :user_groups, dependent: :destroy