Add notification email on invalid second authenticator

[ClearlyClaire]

While reviewing our second factor authentication security, I realized that while we had appropriate rate-limiting and logging of authentication failures, we actually never notified the user of those failures, meaning they would be unlikely to notice such attempts.

This PR addresses that by sending a mail as soon as a 2FA attempt fails. Mails are limited to one per hour to avoid spamming in case of an attack or multiple failures.

To further reduce spam, this should not be triggered immediately, but after a few minutes without a successful log-in, as failing to enter a TOTP token correctly on time is not that unusual. However, that would be more work, and I think this change is a worthwhile security improvement.

[codecov]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (3593ee2) 85.07% compared to head (4686bd9) 85.08%.
Report is 1 commits behind head on main.

❗ Current head 4686bd9 differs from pull request most recent head 0e6401f. Consider uploading reports for the commit 0e6401f to get more accurate results

Files	Patch %	Lines
app/controllers/auth/sessions_controller.rb	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #28822   +/-   ##
=======================================
  Coverage   85.07%   85.08%           
=======================================
  Files        1038     1038           
  Lines       28142    28152   +10     
  Branches     4532     4533    +1     
=======================================
+ Hits        23943    23952    +9     
  Misses       3039     3039           
- Partials     1160     1161    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kmycode]

@ClearlyClaire

mastodon/app/controllers/auth/sessions_controller.rb

Line 186 in 0e6401f

return if redis.set("2fa_failure_notification:#{user.id}", '1', ex: 1.hour, get: true).present?

The get option was added to the set command in Redis 6.2.0 and later.
Two-step verification may not work properly with Redis prior to 6.

Am I correct in understanding that we are raising the minimum version of Redis in Mastodon from 4 to 6?

Ref: https://redis.io/commands/set/

Starting with Redis version 6.2.0: Added the GET, EXAT and PXAT option.
Starting with Redis version 7.0.0: Allowed the NX and GET options to be used together.

README.md is not updated.

### Requirements

- **PostgreSQL** 12+
- **Redis** 4+
- **Ruby** 2.7+
- **Node.js** 16+
- ```

[ClearlyClaire]

Good catch, I missed the fact this bumped the requirements… Redis 5 has been EOL for a while, so I believe it should be safe to bump the version requirement, but that indeed needs to be documented! Thanks!

EDIT: that being said, distributions like Ubuntu 20.04, which are not EOL yet, still distribute Redis 5… I'll see if I can rewrite this in a way that does not require something more recent than Redis 5