Auth: Auto-enforce AAL2 at API gateway level for MFA-enrolled users
The user requests a feature that automatically enforces AAL2 at the API gateway level for MFA-enrolled users. Currently, Supabase accepts `aal1` JWTs even when a user has enrolled a TOTP factor, so an attacker who has a user's password can bypass the MFA requirement. The user suggests a project-level or user-level setting that rejects `aal1` tokens for MFA-enrolled users, which would enhance security by preventing data exfiltration through API queries.
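The rule requested above, sketched as a gateway-side check (an added example, not Supabase's code or part of the original request): verify the token, then refuse `aal1` when the subject has an enrolled factor. Assumptions: tokens are HS256-signed and carry `sub`, `aal` and `exp` claims; `gateway_decision`, `sign_hs256` and the `mfa_enrolled` set are hypothetical names, and the set stands in for whatever factor lookup the gateway would have.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def gateway_decision(token: str, secret: bytes, mfa_enrolled: set, now=None) -> tuple:
    """Return (http_status, reason) for a request carrying `token`."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError):
        return 401, "malformed token"
    # Pin the algorithm instead of trusting the header's choice.
    if header.get("alg") != "HS256":
        return 401, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return 401, "bad signature"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return 401, "expired"
    # The requested rule: a subject with an enrolled factor must present aal2.
    # A missing or unknown aal value fails closed for enrolled users.
    if claims.get("sub") in mfa_enrolled and claims.get("aal") != "aal2":
        return 403, "aal2 required"
    return 200, "ok"
```

Users without an enrolled factor still pass with `aal1`, which matches the request's scope of MFA-enrolled users only.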