feat: implement device login approval system

Add a complete device authentication approval flow that allows users to approve login requests from new devices on their already-authenticated devices.

Core features:
- Create authentication requests when logging in from new devices
- Display pending requests with device info, IP address, and fingerprint phrases
- Approve or deny requests from web interface with real-time notifications
- Support multiple auth request types (authenticate & unlock, unlock only)
- Automatic expiration and cleanup of stale requests

Backend changes:
- Add auth_requests table with proper indexes for efficient queries
- Implement full CRUD API for authentication requests
- Add notification hub integration for real-time updates
- Add device fingerprint phrase generation for security verification

Frontend changes:
- Add AuthRequestApprovalDialog component for approving/denying requests
- Add PendingAuthRequestsPanel component to display and manage pending requests
- Integrate panels into Security and Settings pages
- Add fingerprint wordlist for generating human-readable verification phrases
- Update i18n translations for all supported languages

Security considerations:
- Access code verification to prevent unauthorized access
- Device fingerprint validation for additional security layer
- IP address and country tracking for audit purposes
- Automatic expiration of old requests (15 minutes)
- Only most recent request per device can be approved

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

webapp/src/lib/i18n/locales/en.ts

@@ -1172,7 +1172,22 @@ const en: Record<string, string> = {
   "txt_target": "Target",
   "txt_time": "Time",
   "txt_time_range": "Time range",
-  "txt_remove_domain": "Remove domain"
+  "txt_remove_domain": "Remove domain",
+  "txt_approve_device_login": "Approve device login",
+  "txt_auth_request_approve_message": "Unlock Bitwarden on your device or approve from the web app. Before approving, make sure the fingerprint phrase matches the one below.",
+  "txt_approve": "Approve",
+  "txt_approving": "Approving...",
+  "txt_deny": "Deny",
+  "txt_later": "Later",
+  "txt_pending_device_logins": "Pending device logins",
+  "txt_no_pending_device_logins": "No pending device logins",
+  "txt_fingerprint_phrase": "Fingerprint phrase",
+  "txt_auth_requests_load_failed": "Failed to load device login requests",
+  "txt_auth_request_update_failed": "Failed to update device login request",
+  "txt_auth_request_approved": "Device login approved",
+  "txt_auth_request_denied": "Device login denied",
+  "txt_auth_request_missing_public_key": "Device login request is missing a public key",
+  "txt_ip_address": "IP address"
 };
 
 export default en;

webapp/src/lib/i18n/locales/es.ts

@@ -1172,7 +1172,22 @@ const es: Record<string, string> = {
   "txt_target": "Destino",
   "txt_time": "Hora",
   "txt_time_range": "Rango de tiempo",
-  "txt_remove_domain": "Quitar dominio"
+  "txt_remove_domain": "Quitar dominio",
+  "txt_approve_device_login": "Aprobar inicio de sesión con dispositivo",
+  "txt_auth_request_approve_message": "Desbloquee Bitwarden en su dispositivo o apruebe desde la aplicación web. Antes de aprobar, asegúrese de que la frase de huella coincida con la siguiente.",
+  "txt_fingerprint_phrase": "Frase de huella",
+  "txt_ip_address": "Dirección IP",
+  "txt_approve": "Aprobar",
+  "txt_approving": "Aprobando...",
+  "txt_deny": "Denegar",
+  "txt_later": "Más tarde",
+  "txt_pending_device_logins": "Inicios de sesión con dispositivo pendientes",
+  "txt_no_pending_device_logins": "No hay inicios de sesión con dispositivo pendientes",
+  "txt_auth_requests_load_failed": "No se pudieron cargar las solicitudes de inicio de sesión con dispositivo",
+  "txt_auth_request_update_failed": "No se pudo actualizar la solicitud de inicio de sesión con dispositivo",
+  "txt_auth_request_approved": "Inicio de sesión con dispositivo aprobado",
+  "txt_auth_request_denied": "Inicio de sesión con dispositivo denegado",
+  "txt_auth_request_missing_public_key": "La solicitud de inicio de sesión con dispositivo no incluye una clave pública"
 };
 
 export default es;

webapp/src/lib/i18n/locales/ru.ts

@@ -1172,7 +1172,22 @@ const ru: Record<string, string> = {
   "txt_target": "Цель",
   "txt_time": "Время",
   "txt_time_range": "Период",
-  "txt_remove_domain": "Удалить домен"
+  "txt_remove_domain": "Удалить домен",
+  "txt_approve_device_login": "Подтвердить вход с устройства",
+  "txt_auth_request_approve_message": "Разблокируйте Bitwarden на устройстве или подтвердите вход через веб-приложение. Перед подтверждением убедитесь, что фраза отпечатка совпадает с указанной ниже.",
+  "txt_fingerprint_phrase": "Фраза отпечатка",
+  "txt_ip_address": "IP-адрес",
+  "txt_approve": "Подтвердить",
+  "txt_approving": "Подтверждение...",
+  "txt_deny": "Отклонить",
+  "txt_later": "Позже",
+  "txt_pending_device_logins": "Ожидающие входы с устройств",
+  "txt_no_pending_device_logins": "Нет ожидающих входов с устройств",
+  "txt_auth_requests_load_failed": "Не удалось загрузить запросы входа с устройств",
+  "txt_auth_request_update_failed": "Не удалось обновить запрос входа с устройства",
+  "txt_auth_request_approved": "Вход с устройства подтвержден",
+  "txt_auth_request_denied": "Вход с устройства отклонен",
+  "txt_auth_request_missing_public_key": "В запросе входа с устройства отсутствует открытый ключ"
 };
 
 export default ru;

webapp/src/lib/i18n/locales/zh-CN.ts

@@ -1172,7 +1172,22 @@ const zhCN: Record<string, string> = {
   "txt_target": "目标",
   "txt_time": "时间",
   "txt_time_range": "时间范围",
-  "txt_remove_domain": "移除域名"
+  "txt_remove_domain": "移除域名",
+  "txt_approve_device_login": "批准设备登录",
+  "txt_auth_request_approve_message": "解锁您设备上的 Bitwarden，或通过网页 App 批准。批准前，请确保指纹短语与下面的相匹配。",
+  "txt_approve": "批准",
+  "txt_approving": "正在批准...",
+  "txt_deny": "拒绝",
+  "txt_later": "稍后",
+  "txt_pending_device_logins": "待处理设备登录",
+  "txt_no_pending_device_logins": "没有待处理设备登录",
+  "txt_fingerprint_phrase": "指纹短语",
+  "txt_auth_requests_load_failed": "加载设备登录请求失败",
+  "txt_auth_request_update_failed": "更新设备登录请求失败",
+  "txt_auth_request_approved": "已批准设备登录",
+  "txt_auth_request_denied": "已拒绝设备登录",
+  "txt_auth_request_missing_public_key": "设备登录请求缺少公钥",
+  "txt_ip_address": "IP 地址"
 };
 
 export default zhCN;

webapp/src/lib/i18n/locales/zh-TW.ts

@@ -1172,7 +1172,22 @@ const zhTW: Record<string, string> = {
   "txt_target": "目標",
   "txt_time": "時間",
   "txt_time_range": "時間範圍",
-  "txt_remove_domain": "移除域名"
+  "txt_remove_domain": "移除域名",
+  "txt_approve_device_login": "批准裝置登入",
+  "txt_auth_request_approve_message": "解鎖您裝置上的 Bitwarden，或透過網頁 App 批准。批准前，請確保指紋短語與下面的相符。",
+  "txt_fingerprint_phrase": "指紋短語",
+  "txt_ip_address": "IP 位址",
+  "txt_approve": "批准",
+  "txt_approving": "正在批准...",
+  "txt_deny": "拒絕",
+  "txt_later": "稍後",
+  "txt_pending_device_logins": "待處理裝置登入",
+  "txt_no_pending_device_logins": "沒有待處理裝置登入",
+  "txt_auth_requests_load_failed": "載入裝置登入請求失敗",
+  "txt_auth_request_update_failed": "更新裝置登入請求失敗",
+  "txt_auth_request_approved": "已批准裝置登入",
+  "txt_auth_request_denied": "已拒絕裝置登入",
+  "txt_auth_request_missing_public_key": "裝置登入請求缺少公鑰"
 };
 
 export default zhTW;