The docs for the Rocket.Chat realtime API Ruqola is using unfortunately don't include handling of 2FA-enabled accounts. Login actually seems to succeed because only a 403 error code is handled when in fact totp-required is returned as a response. It's worth noting codes can apparently be both numeric and strings.
A peek at the iOS client revealed how a login message needs to be constructed. Unlike the login method of the REST API endpoint the code isn't just added to the top-level.
On the UI side of things, an additional Code input needs to be shown in the login page.