=== 2FA API Usage Example ===

1. User Registration: POST /api/register
   Request:
   {
     "email": "user@example.com",
     "password": "password123",
     "role": 2,
     "first_name": "John",
     "last_name": "Doe",
     "company": "Acme Inc"
   }

2. Normal Login: POST /api/login
   Request:
   {
     "email": "user@example.com",
     "password": "password123"
   }
   Response:
   {
     "success": true,
     "data": { "access_token": "1|abc123..." }
   }

3. Setup 2FA: POST /api/2fa/setup
   Headers:
   { "Authorization": "Bearer 1|abc123..." }
   Response:
   {
     "success": true,
     "data": {
       "secret": "JBSWY3DPEHPK3PXP",
       "qr_code_url": "https://api.qrserver.com/v1/create-qr-code/?data=...",
       "backup_codes": ["ABCD1234", "EFGH5678", ...]
     }
   }

4. Verify 2FA Setup: POST /api/2fa/verify-setup
   Headers:
   { "Authorization": "Bearer 1|abc123..." }
   Request:
   {
     "secret": "JBSWY3DPEHPK3PXP",
     "code": "123456"
   }
   Response:
   {
     "success": true,
     "message": "2FA enabled successfully"
   }

5. Login with 2FA: POST /api/2fa/verify
   Request:
   {
     "email": "user@example.com",
     "password": "password123",
     "code": "123456"
   }
   Response:
   {
     "success": true,
     "data": {
       "access_token": "2|def456...",
       "user": { ... }
     }
   }

6. Disable 2FA: POST /api/2fa/disable
   Headers:
   { "Authorization": "Bearer 2|def456..." }
   Request:
   {
     "password": "password123",
     "code": "123456"
   }
   Response:
   {
     "success": true,
     "message": "2FA disabled successfully"
   }

=== Notes ===

- QR codes can be scanned with Google Authenticator, Authy, etc.
- Backup codes are one-time use codes for account recovery.
- All sensitive data is encrypted and secured.
- Rate limiting should be implemented on login attempts.
- Store backup codes securely and show them to the user only once.

=== Frontend Integration Tips ===

1. Display the QR code prominently during setup.
2. Show backup codes with clear instructions.
3. Implement proper error handling for invalid codes.
4. Add a countdown timer for TOTP codes.
5. Store auth tokens securely.
6. Handle token refresh properly.
7. Implement proper logout functionality.
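The server-side checks behind steps 4 and 5 and the backup-code notes above, as an added Python example that is not part of this API's own code. It assumes the TOTP parameters that Google Authenticator uses by default (RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits), reuses the secret from the example setup response, and treats the pepper, the hypothetical `user` record and the `second_factor_ok` handler as constructed stand-ins for whatever the real application stores and calls. The secret is shown only because it is on the page; a deployment generates a fresh random one per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Secret from the page's example /api/2fa/setup response. A real deployment generates a
# fresh one per user, e.g. base64.b32encode(secrets.token_bytes(20)).
EXAMPLE_SECRET = "JBSWY3DPEHPK3PXP"

# Constructed server-side pepper for backup-code hashing (assumption: kept in app config,
# never in the database, so a database dump alone cannot be used to guess 32-bit codes).
BACKUP_CODE_PEPPER = b"constructed-example-pepper"

TOTP_STEP = 30   # seconds per code; this is what the frontend countdown timer counts down
TOTP_DIGITS = 6


def totp_code(secret_b32: str, timestamp: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code the authenticator app shows."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = timestamp // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock skew.

    The comparison uses hmac.compare_digest so timing does not reveal how many digits matched.
    """
    if len(code) != TOTP_DIGITS or not (code.isascii() and code.isdigit()):
        return False
    for delta in range(-window, window + 1):
        candidate = totp_code(secret_b32, timestamp + delta * TOTP_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def hash_backup_code(code: str) -> str:
    """Keyed hash of a backup code; only hashes are stored, matching the 'show once' note."""
    return hmac.new(BACKUP_CODE_PEPPER, code.upper().encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(count: int = 8) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user exactly once, hashes to persist)."""
    plain = [secrets.token_hex(4).upper() for _ in range(count)]  # 8 hex chars, like "ABCD1234"
    return plain, [hash_backup_code(c) for c in plain]


def consume_backup_code(stored_hashes: list[str], code: str) -> bool:
    """One-time use: a matching hash is removed so the same code cannot be replayed."""
    digest = hash_backup_code(code)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            del stored_hashes[i]
            return True
    return False


def second_factor_ok(user: dict, code: str, timestamp: int) -> bool:
    """What a /api/2fa/verify handler checks after the password has already been validated:
    a live TOTP first, then a backup code. `user` is a constructed stand-in for the DB row."""
    if verify_totp(user["totp_secret"], code, timestamp):
        return True
    return consume_backup_code(user["backup_code_hashes"], code)


if __name__ == "__main__":
    plain_codes, hashes = generate_backup_codes()
    user = {"totp_secret": EXAMPLE_SECRET, "backup_code_hashes": hashes}
    now = int(time.time())
    current = totp_code(EXAMPLE_SECRET, now)
    print("current code:", current)
    print("totp accepted:", second_factor_ok(user, current, now))
    print("backup accepted once:", second_factor_ok(user, plain_codes[0], now))
    print("backup replay rejected:", second_factor_ok(user, plain_codes[0], now))
```

Two design points worth noting: the skew window should stay small (one step either side) because every extra step widens the set of codes an online guess can hit, which is also why the rate limiting mentioned in the notes matters; and backup codes are hashed with a keyed hash rather than plain SHA-256 because 8 hex characters give only 32 bits of entropy, far too little to survive offline guessing against an unkeyed hash.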