Let existing WebAuthn users continue using it

It's not a big deal if a user is no longer eligible to register a
security key, so we may as well let them continue using it. This
avoids putting them in a limbo state if we don't immediately change
their auth type when they're no longer eligible to use the feature.

app/models.py

@@ -145,6 +145,9 @@ class User(db.Model):
         if self.platform_admin:
             return True
 
+        if self.auth_type == 'webauthn_auth':
+            return True
+
         return any(
             str(service.organisation_id) == current_app.config['BROADCAST_ORGANISATION_ID'] or
             str(service.id) == current_app.config['NOTIFY_SERVICE_ID']

tests/app/test_model.py

@@ -344,11 +344,21 @@ def test_template_folder_is_parent(sample_service):
 
 
 @pytest.mark.parametrize('is_platform_admin', (False, True))
-def test_user_can_use_webauthn_returns_false(sample_user, is_platform_admin):
+def test_user_can_use_webauthn_if_platform_admin(sample_user, is_platform_admin):
     sample_user.platform_admin = is_platform_admin
     assert sample_user.can_use_webauthn == is_platform_admin
 
 
+@pytest.mark.parametrize(('auth_type', 'can_use_webauthn'), [
+    ('email_auth', False),
+    ('sms_auth', False),
+    ('webauthn_auth', True)
+])
+def test_user_can_use_webauthn_if_they_login_with_it(sample_user, auth_type, can_use_webauthn):
+    sample_user.auth_type = auth_type
+    assert sample_user.can_use_webauthn == can_use_webauthn
+
+
 def test_user_can_use_webauthn_if_in_broadcast_org(sample_broadcast_service):
     assert sample_broadcast_service.users[0].can_use_webauthn