Build Your Own Auth System
Login, signup, password reset, OAuth, and session management.
Consider alternatives first: Supabase Auth, Clerk, and NextAuth.js already solve auth well. This prompt is for when you need custom auth logic or want to understand how it works.
The Prompt
Build me a complete authentication system with the following specifications:
## Tech Stack
- Next.js 14 with App Router
- NextAuth.js v5 (Auth.js)
- Prisma with PostgreSQL
- Tailwind CSS + shadcn/ui
- Resend for emails
## Core Features
### 1. Email/Password Auth
- Signup with email, password, name
- Login with email/password
- Password hashing with bcrypt (work factor 12 or higher; bcrypt only reads the first 72 bytes of input, so enforce a maximum password length)
- Email verification flow
- Password reset via email
### 2. OAuth Providers
- Google OAuth
- GitHub OAuth
- Easy to add more providers
### 3. Session Management
- JWT-based sessions (Auth.js `strategy: "jwt"`; the Session table in the schema below is only used by the database strategy, so pick one strategy and stick to it)
- Secure, httpOnly, SameSite=Lax cookies
- Session expiration (7 days default)
- "Remember me" option (30 days)
- Logout from all devices: a stateless JWT cannot be recalled once issued, so keep a per-user revocation marker (a session version or "revoked at" timestamp on the User row) and reject tokens that predate it in the `jwt` callback
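The following is an added example, not Auth.js code or part of the prompt above: a minimal HS256 session token carrying the two lifetimes from the spec, plus the revocation check that makes "logout from all devices" work with stateless JWTs. It assumes a hypothetical `sessionVersion` integer stored per user (not in the schema on this page); in a real Auth.js app the same comparison would live in the `jwt` callback and the version would be read from the database.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example (not Auth.js code). `sessionVersion` is an assumed extra column
// on the User row; every issued token records the version it was minted under.
const SESSION_MAX_AGE_S = 7 * 24 * 3600;      // default session lifetime
const REMEMBER_ME_MAX_AGE_S = 30 * 24 * 3600; // "remember me" lifetime

export interface SessionClaims {
  sub: string; // user id
  sv: number;  // user's sessionVersion when the token was issued
  iat: number; // issued at (unix seconds)
  exp: number; // expiry (unix seconds)
}

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

function hmac(signingInput: string, secret: string): string {
  return createHmac("sha256", secret).update(signingInput).digest("base64url");
}

function decodeJson<T>(b64: string): T | null {
  try {
    return JSON.parse(Buffer.from(b64, "base64url").toString("utf8")) as T;
  } catch {
    return null;
  }
}

export function issueSession(
  userId: string,
  sessionVersion: number,
  rememberMe: boolean,
  secret: string,
  nowS: number = Math.floor(Date.now() / 1000),
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const maxAge = rememberMe ? REMEMBER_ME_MAX_AGE_S : SESSION_MAX_AGE_S;
  const claims: SessionClaims = { sub: userId, sv: sessionVersion, iat: nowS, exp: nowS + maxAge };
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${hmac(signingInput, secret)}`;
}

// Returns the claims if the token is authentic, unexpired and not revoked; otherwise null.
export function verifySession(
  token: string,
  secret: string,
  currentVersion: (userId: string) => number | undefined,
  nowS: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  // Verify the MAC before trusting anything inside the token.
  const expected = Buffer.from(hmac(`${header}.${payload}`, secret));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  const hdr = decodeJson<{ alg?: string }>(header);
  const claims = decodeJson<SessionClaims>(payload);
  if (!hdr || !claims || hdr.alg !== "HS256") return null; // pin the algorithm
  if (typeof claims.exp !== "number" || claims.exp <= nowS) return null;
  // Revocation: valid only while the token's sv matches the user's current version.
  const sv = currentVersion(claims.sub);
  if (sv === undefined || claims.sv !== sv) return null;
  return claims;
}

// "Logout from all devices": bump the version. Every outstanding token for the user
// now fails verifySession, however long its exp has left.
export function logoutEverywhere(sessionVersions: Map<string, number>, userId: string): number {
  const next = (sessionVersions.get(userId) ?? 0) + 1;
  sessionVersions.set(userId, next);
  return next;
}
```

The cost of this design is one database read per request to fetch the current version; that read is what turns a stateless token into something you can revoke, so it cannot be skipped.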
### 4. User Profile
- View/edit profile
- Change password
- Connected accounts (OAuth)
- Delete account
### 5. Security Features
- Rate limiting on auth endpoints, keyed by IP and by account (login, signup, forgot-password, verify-email, reset-password)
- CSRF protection: Auth.js protects its own routes with a CSRF token; the custom POST routes need their own defence (SameSite cookies plus an Origin check or a per-form token)
- Password requirements following NIST SP 800-63B: a minimum length, rejection of known-breached passwords, no composition rules and no forced rotation
- Account lockout after failed attempts, with exponential backoff and a capped duration so the lockout cannot be turned into a denial of service against the account's owner
- Audit log of auth events (login success and failure, lockouts, password changes, reset requests, OAuth links) that records identifiers and IPs but never passwords or tokens
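As an added example (not part of the prompt and not Auth.js code), here is the rate-limit, lockout and audit-log logic from the list above in one small in-memory class. The store, the `AuthThrottle` name and the default thresholds are assumptions for illustration; a deployment would keep the same counters in Redis or Postgres. The clock is passed in explicitly so the behaviour is deterministic.

```typescript
// Added example (not Auth.js code): per-IP rate limit, per-account lockout with
// capped exponential backoff, and an audit trail that never sees secrets.
export type AuditEventType = "login_failed" | "account_locked" | "rate_limited" | "login_succeeded";
export interface AuditEvent { at: number; type: AuditEventType; account?: string; ip?: string }

interface Window { count: number; start: number }
interface FailureState { count: number; lockedUntil: number }

export class AuthThrottle {
  readonly audit: AuditEvent[] = [];
  private readonly windows = new Map<string, Window>();
  private readonly failures = new Map<string, FailureState>();

  constructor(
    private readonly ipLimit = 20,            // requests per IP per window (assumed default)
    private readonly windowMs = 15 * 60_000,
    private readonly lockThreshold = 5,       // failures before the first lock
    private readonly baseLockMs = 60_000,     // first lock lasts one minute
    private readonly maxLockMs = 60 * 60_000, // cap: an attacker cannot lock a victim out for longer
  ) {}

  // Per-IP fixed window, checked before any credential work. This also covers
  // signup and forgot-password, where there is no account to lock.
  allowRequest(ip: string, now: number): boolean {
    const w = this.windows.get(ip);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(ip, { count: 1, start: now });
      return true;
    }
    w.count += 1;
    if (w.count > this.ipLimit) {
      this.audit.push({ at: now, type: "rate_limited", ip });
      return false;
    }
    return true;
  }

  // Milliseconds until the account may try again; 0 if not locked. Check this
  // before running bcrypt so a locked account costs the server nothing.
  lockRemaining(account: string, now: number): number {
    const f = this.failures.get(this.key(account));
    return f && f.lockedUntil > now ? f.lockedUntil - now : 0;
  }

  recordFailure(account: string, ip: string, now: number): void {
    const k = this.key(account);
    const f = this.failures.get(k) ?? { count: 0, lockedUntil: 0 };
    f.count += 1;
    this.audit.push({ at: now, type: "login_failed", account: k, ip });
    if (f.count >= this.lockThreshold) {
      const escalation = f.count - this.lockThreshold; // 0 on the first lock, then doubles
      f.lockedUntil = now + Math.min(this.baseLockMs * 2 ** escalation, this.maxLockMs);
      this.audit.push({ at: now, type: "account_locked", account: k, ip });
    }
    this.failures.set(k, f);
  }

  recordSuccess(account: string, ip: string, now: number): void {
    const k = this.key(account);
    this.failures.delete(k);
    this.audit.push({ at: now, type: "login_succeeded", account: k, ip });
  }

  // Normalise so "Alice@Example.com" and "alice@example.com" share one counter.
  private key(account: string): string {
    return account.trim().toLowerCase();
  }
}
```

Lockout on its own is a denial-of-service lever: anyone who knows a victim's e-mail can keep the account locked. The per-IP limit, the backoff cap and a notification e-mail on lockout are what keep that lever short.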
### 6. UI Pages
- /login - Login form
- /signup - Registration form
- /forgot-password - Request reset
- /reset-password - Set new password
- /verify-email - Email verification
- /profile - User settings
## Database Schema
```prisma
model User {
  id            String    @id @default(cuid())
  email         String    @unique
  emailVerified DateTime?
  password      String?   // bcrypt hash; null for OAuth-only users
  name          String?
  image         String?
  accounts      Account[]
  sessions      Session[]
  createdAt     DateTime  @default(now())
  updatedAt     DateTime  @updatedAt
}

// OAuth provider tokens. These are live bearer credentials for the user's
// Google/GitHub account: keep them out of logs and API responses.
model Account {
  id                String  @id @default(cuid())
  userId            String
  type              String
  provider          String
  providerAccountId String
  refresh_token     String?
  access_token      String?
  expires_at        Int?
  token_type        String?
  scope             String?
  id_token          String?
  user              User    @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@unique([provider, providerAccountId])
}

// Only used with the database session strategy; unused when sessions are JWTs.
model Session {
  id           String   @id @default(cuid())
  sessionToken String   @unique
  userId       String
  expires      DateTime
  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
}

// Auth.js's email provider stores a hash of the emailed token here, never the raw value.
model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
}

// Custom table: store sha256(token) in `token`, not the raw token from the reset
// link, so a database read does not hand out working reset links.
model PasswordResetToken {
  id      String   @id @default(cuid())
  email   String
  token   String   @unique
  expires DateTime

  @@unique([email, token])
}
```
## Email Templates
- Verification email (with link)
- Password reset email
- Welcome email after signup
## API Routes
```
POST /api/auth/signup - Create account
POST /api/auth/verify-email - Verify email token
POST /api/auth/forgot-password - Request password reset (same response whether or not the email exists)
POST /api/auth/reset-password - Set new password, then invalidate the user's other sessions
GET /api/auth/session - Get current session (served by the Auth.js handler)
POST /api/auth/signout - Logout (served by the Auth.js handler)
```
The custom routes sit next to the Auth.js catch-all (`app/api/auth/[...nextauth]/route.ts`); Next.js resolves static segments before catch-all segments, so `/api/auth/signup` does not collide with it, and the two Auth.js endpoints above should not be reimplemented.
## Security Considerations
- Never store plaintext passwords; store only bcrypt hashes (work factor 12 or higher)
- Never store raw verification or reset tokens; store a SHA-256 hash and look up the hash of the presented token
- Use cryptographically secure random tokens (`crypto.randomBytes(32)`), single use, with a short expiry
- Respond to forgot-password identically whether or not the address is registered, so the endpoint cannot be used to enumerate accounts
- Keep auth endpoints same-origin; do not add permissive CORS headers to them
- Validate all inputs with Zod
- Use parameterized queries (Prisma handles this)
## UI Requirements
- Clean, centered auth forms
- Password strength indicator
- Show/hide password toggle
- Loading states
- Clear error messages
- Mobile responsive
Please generate all files. Start with NextAuth config and the core auth pages.
Follow-Up Prompts
Add Two-Factor Authentication
Add TOTP-based 2FA:
- Settings page to enable/disable 2FA (require a valid code before enabling, and a password or code before disabling)
- QR code generation for authenticator apps (otpauth:// URI)
- Backup codes (one-time use, stored hashed)
- 2FA prompt during login
- Remember device for 30 days option
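As an added example (not part of the follow-up prompt and not Auth.js code), the TOTP verification, secret-to-QR encoding and backup-code handling the prompt asks for, written against Node's `crypto` module. It implements RFC 4226 HOTP and RFC 6238 TOTP with SHA-1 and a one-step skew window; the replay guard via `lastUsedStep`, the backup-code format (10 hex characters) and the issuer/account strings are design choices made here, not requirements from the page.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "crypto";

// Added example (not Auth.js code): RFC 4226 / RFC 6238 one-time passwords.
const TOTP_STEP_S = 30;
const TOTP_DIGITS = 6;

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number, digits: number = TOTP_DIGITS): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0); // high 32 bits
  msg.writeUInt32BE(counter % 0x100000000, 4);             // low 32 bits
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP: HOTP with counter = floor(unix time / 30 s).
export function totp(secret: Buffer, unixSeconds: number, digits: number = TOTP_DIGITS): string {
  return hotp(secret, Math.floor(unixSeconds / TOTP_STEP_S), digits);
}

// Accept the current step and one step either side (clock skew), but never a step at
// or before the last one this user redeemed: a code seen on the wire cannot be replayed.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, lastUsedStep: number): { ok: boolean; step: number } {
  const current = Math.floor(unixSeconds / TOTP_STEP_S);
  for (const delta of [0, -1, 1]) {
    const step = current + delta;
    if (step <= lastUsedStep) continue;
    const expected = Buffer.from(hotp(secret, step));
    const given = Buffer.from(code);
    if (expected.length === given.length && timingSafeEqual(expected, given)) return { ok: true, step };
  }
  return { ok: false, step: lastUsedStep };
}

// Base32 (RFC 4648, unpadded), the encoding authenticator apps expect in the QR code.
const BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
export function base32Encode(buf: Buffer): string {
  let bits = 0, acc = 0, out = "";
  for (let i = 0; i < buf.length; i++) {
    acc = (acc << 8) | buf[i];
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += BASE32_ALPHABET[(acc >>> bits) & 31];
    }
    acc &= (1 << bits) - 1; // keep only the unconsumed low bits
  }
  if (bits > 0) out += BASE32_ALPHABET[(acc << (5 - bits)) & 31];
  return out;
}

// The string to render as a QR code. Generate `secret` with randomBytes(20) per user.
export function otpauthUri(issuer: string, account: string, secret: Buffer): string {
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  return `otpauth://totp/${label}?secret=${base32Encode(secret)}&issuer=${encodeURIComponent(issuer)}` +
    `&algorithm=SHA1&digits=${TOTP_DIGITS}&period=${TOTP_STEP_S}`;
}

// Backup codes: shown once; only SHA-256 hashes are stored, and a hash is deleted
// when redeemed so each code works exactly once.
export function generateBackupCodes(count = 10): string[] {
  return Array.from({ length: count }, () => randomBytes(5).toString("hex")); // 10 hex chars each
}
export function hashBackupCode(code: string): string {
  return createHash("sha256").update(code.replace(/[\s-]/g, "").toLowerCase()).digest("hex");
}
export function redeemBackupCode(storedHashes: Set<string>, code: string): boolean {
  return storedHashes.delete(hashBackupCode(code));
}
```

Persist `lastUsedStep` alongside the user's TOTP secret and update it on every accepted code; without it, a code remains valid for the whole skew window and can be reused by anyone who saw it.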
Add Magic Link Login
Add passwordless login option:
- Enter email, receive magic link
- Link expires after 15 minutes
- One-time use tokens (store only a hash)
- Option to set password later
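The password-reset flow, the VerificationToken and PasswordResetToken tables, the "secure random tokens" item under Security Considerations and this magic-link follow-up all rely on the same one-time token lifecycle, so here it is once, as an added example that is not part of the prompt or of Auth.js. The in-memory `store` array stands in for the token tables, the `TokenPurpose` type and TTL values (other than the 15 minutes the follow-up specifies) are assumptions, and `requestPasswordReset` shows the enumeration-safe handler shape.

```typescript
import { createHash, randomBytes } from "crypto";

// Added example (not Auth.js code): one-time tokens for reset, verification and
// magic links. Only sha256(token) is stored; the raw token goes into the emailed
// link exactly once.
export type TokenPurpose = "password_reset" | "email_verify" | "magic_link";
export interface OneTimeTokenRow { purpose: TokenPurpose; identifier: string; tokenHash: string; expires: number }

export const TOKEN_TTL_MS: Record<TokenPurpose, number> = {
  password_reset: 60 * 60_000,    // 1 hour (assumed)
  email_verify: 24 * 60 * 60_000, // 24 hours (assumed)
  magic_link: 15 * 60_000,        // 15 minutes, as the follow-up prompt specifies
};

export function hashToken(raw: string): string {
  return createHash("sha256").update(raw).digest("hex");
}

// Returns the raw token to embed in the link; the store never sees it.
export function issueToken(store: OneTimeTokenRow[], purpose: TokenPurpose, identifier: string, now: number = Date.now()): string {
  // One live token per (purpose, identifier): a new request supersedes older links.
  for (let i = store.length - 1; i >= 0; i--) {
    if (store[i].purpose === purpose && store[i].identifier === identifier) store.splice(i, 1);
  }
  const raw = randomBytes(32).toString("base64url"); // 256 bits of entropy, URL-safe
  store.push({ purpose, identifier, tokenHash: hashToken(raw), expires: now + TOKEN_TTL_MS[purpose] });
  return raw;
}

// Looks the row up by hash (as Prisma's findUnique on the hashed column would),
// deletes it whether or not it is still valid, and reports validity. Because only
// the hash is stored, an equality lookup is fine: a leaked table yields no usable
// links, and the hash cannot be inverted to recover the token.
export function redeemToken(store: OneTimeTokenRow[], purpose: TokenPurpose, identifier: string, raw: string, now: number = Date.now()): boolean {
  const h = hashToken(raw);
  const idx = store.findIndex((r) => r.tokenHash === h && r.purpose === purpose && r.identifier === identifier);
  if (idx === -1) return false;
  const [row] = store.splice(idx, 1); // consumed: single use, even if it turns out to be expired
  return row.expires > now;
}

// Forgot-password handler shape: the caller gets the same message whether or not the
// address is registered, so the endpoint cannot be used to enumerate accounts.
export function requestPasswordReset(
  registered: Set<string>,
  store: OneTimeTokenRow[],
  email: string,
  send: (to: string, raw: string) => void,
  now: number = Date.now(),
): string {
  const normalised = email.trim().toLowerCase();
  if (registered.has(normalised)) send(normalised, issueToken(store, "password_reset", normalised, now));
  return "If an account exists for that address, a reset link has been sent.";
}
```

The same `issueToken`/`redeemToken` pair serves the verify-email route and the magic-link login by changing only the `purpose`; after a successful password reset, also invalidate the user's other sessions.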
What You'll Get
✅ Included
- Email/password auth
- Google & GitHub OAuth
- Password reset flow
- Email verification
- Session management
- Basic security
❌ Not Included
- Enterprise SSO (SAML)
- Advanced MFA options
- Organization/team features
- Compliance certifications
- Fraud detection
- 24/7 support
When to buy instead: If enterprise customers need SSO (SAML/OIDC), buy Clerk or Auth0. Implementing SAML correctly is a multi-week project with ongoing maintenance.
Recommended Path
- MVP: Use Supabase Auth or NextAuth.js (free)
- Growth: Stay on free tier until enterprise needs emerge
- Enterprise: Buy Clerk/Auth0 when first SSO customer appears
Don't over-engineer auth early. Most apps never need SSO.