increment failed login count on unsuccesful webauthn login

this doesn't include timeouts or other errors on the browser side - the
main thing this catches is if the token doesn't belong to the user.
However, I'm not entirely clear whether that's something that will be caught
at this point, or whether the browser would reject that key because it's not in
the credentials passed to the begin_authentication process.
Leo Hemsted
2021-05-19 18:18:09 +01:00
parent 92f78b14fe
commit c29f87f55d
2 changed files with 4 additions and 1 deletions


@@ -119,7 +119,7 @@ def _complete_webauthn_authentication(user):
except ValueError as exc:
current_app.logger.info(f'User {user.id} could not sign in using their webauthn token - {exc}')
flash('Security key not recognised')
# TODO: increment failed login count
user.verify_webauthn_login(is_successful=False)
abort(403)
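Review bot: The added `user.verify_webauthn_login(is_successful=False)` only runs from the `except ValueError` branch, so a verification failure raised as any other exception type would bypass the failed-login counter and surface as an unhandled error; the `try` body and the verification helper are outside the hunk, so whether other types can be raised needs confirming. The commit message's open question is partly answered by the accompanying test `test_complete_authentication_403s_if_key_isnt_in_users_credentials`: with no stored credentials the view reaches this branch and increments the counter without `_verify_webauthn_login` ever being called, which suggests the server-side credential lookup is what rejects a key that does not belong to the user. A short comment on the added line would record that, e.g. `# counts toward the failed-login total; a key not among the user's stored credentials reaches here as a ValueError (see test_complete_authentication_403s_if_key_isnt_in_users_credentials)`. Note also that the increment is a call to the user API placed before `abort(403)`, so if that call raises the client gets an unhandled error instead of the 403. The enclosing `_complete_webauthn_authentication` starts before the hunk.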


@@ -282,6 +282,7 @@ def test_complete_authentication_403s_if_key_isnt_in_users_credentials(
# user has no keys in the database
mocker.patch('app.user_api_client.get_webauthn_credentials_for_user', return_value=[])
mock_verify_webauthn_login = mocker.patch('app.main.views.webauthn_credentials._verify_webauthn_login')
mock_unsuccesful_login_api_call = mocker.patch('app.user_api_client.verify_webauthn_login')
response = client.post(url_for('main.webauthn_complete_authentication'), data=webauthn_authentication_post_data)
assert response.status_code == 403
@@ -294,6 +295,8 @@ def test_complete_authentication_403s_if_key_isnt_in_users_credentials(
assert 'webauthn_authentication_state' not in session
assert mock_verify_webauthn_login.called is False
# make sure we incremented the failed login count
mock_unsuccesful_login_api_call.assert_called_once_with(platform_admin_user['id'], False)
def test_complete_authentication_clears_session(
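Review bot: `mock_unsuccesful_login_api_call` on the first added line is misspelled (`unsuccessful`), and the same spelling is used in the second hunk's assertion; renaming both to `mock_unsuccessful_login_api_call` keeps the name searchable. The new `assert_called_once_with(platform_admin_user['id'], False)` pins the failed-login increment, but nothing in these hunks covers the success path — if no existing test asserts what `verify_webauthn_login` receives on a successful login, a companion assertion there would guard against the counter being incremented on every attempt. The test function begins before the first hunk.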