fix: when changing email with email based 2FA enabled, fail fast

[netroms]

Summary

Throw an exception if a user with email-based 2FA enabled attempts to change their email address.
The user must be forced to disable their 2FA, before they can change their email address.
If this is not enforced, the consequence will be that the user no longer has a verified email, since the 2FA code only will be sent to a verified email address, the user will not be able to log in.

Automatic tests

• TwoFactorControllerTest

Manual test steps:

1. Enable email 2FA on a user
   1.1 Configure dhis.conf, set login.security.email_2fa.enabled = true
   1.2 Set up SMTP/email server in settings.
   1.3 Verify user email (user profile app)
   1.4 Enroll in email 2FA, POST http://localhost:8080/api/2fa/enrollEmail2FA (observe you get an email with a 2fa code)
   1.5 Call endpoint to enable email 2FA, POST http://localhost:8080/api/2fa/enable. (JSON payload: {"code": "THE_CODE_FROM_THE_EMAIL"} )
   1.6 Log out and try log in, observe you get an email with a 2FA code
2. Try to change the user's email via /me endpoint
3. Observe you get an error
4. Try to change the user's email via /user endpoint, as admin
5. Observe you get an error

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud