relax mfa checks on service endpoints

include/security.php

@@ -71,7 +71,8 @@ function authenticate_success($user_record, $channel = false, $login_initial = f
         // might want to log success here
     }
 
-    if ($_SESSION['2FA_REQUIRED'] && !$_SESSION['2FA_VERIFIED'] && App::$module !== 'totp_check') {
+    if ($_SESSION['2FA_REQUIRED'] && !$_SESSION['2FA_VERIFIED']
+        && !in_array(App::$module, ['totp_check', 'dav', 'cdav', 'api', 'addressbook', 'calendar'], true)) {
         goaway(z_root() . '/totp_check');
     }