feat: add TwoFactor base Warden strategy

Provide a base strategy that handles shared 2FA boilerplate: finding
the pending resource from session, calling verify_two_factor!,
restoring remember_me, and cleaning up session state on success.

Extensions subclass and implement valid? + verify_two_factor!. The
base strategy returns valid? false to prevent accidental use.

Author: santiagorodriguez96

lib/devise/strategies/two_factor.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class TwoFactor < Base
+      # The base strategy is never used directly — extensions subclass it.
+      def valid?
+        false
+      end
+
+      def authenticate!
+        resource = find_pending_resource
+        return fail!(:two_factor_session_expired) unless resource
+
+        verify_two_factor!(resource)
+
+        unless halted?
+          restore_remember_me(resource)
+          resource.after_database_authentication
+          cleanup_two_factor_session!
+          success!(resource)
+        end
+      end
+
+      # Extensions must override. Should call fail! with a specific
+      # message on failure — this halts execution and triggers recall.
+      def verify_two_factor!(resource)
+        raise NotImplementedError
+      end
+
+      private
+
+      def find_pending_resource
+        return unless session[:devise_two_factor_resource_id]
+        mapping.to.where(id: session[:devise_two_factor_resource_id]).first
+      end
+
+      def restore_remember_me(resource)
+        resource.remember_me = session[:devise_two_factor_remember_me] if resource.respond_to?(:remember_me=)
+      end
+
+      def cleanup_two_factor_session!
+        session.delete(:devise_two_factor_resource_id)
+        session.delete(:devise_two_factor_remember_me)
+      end
+    end
+  end
+end