More directly, you could use DiscourseConnect as a mechanism to validate users or out in front of your application, use discourse-auth-proxy.
These are suggested methods for authenticating users instead of handling login credentials directly. It also means you don’t need to try to handle 2FA details.