
Ask user to otp at webauthn verification url #6179

Merged
simi merged 3 commits into ruby:webauthn-cli from Shopify:webauthn-request-link
Jan 25, 2023

Conversation

@aellispierce
Contributor

NOTE: This is being merged into a feature branch, not main, so that work may continue to be developed in small pieces as we build out WebAuthn for the CLI.

What was the end-user or developer problem that led to this PR?

Users with MFA enabled would like to use security devices (YubiKey, Touch ID, etc.) for logging in with WebAuthn on the CLI.

What is your fix for the problem, implemented in this PR?

  • For users with MFA enabled, we request a WebAuthn verification URL from rubygems.org on sensitive actions (sign in, yank, push, add/remove owners).
  • If the user does not have a WebAuthn device enabled, there is no change in the user interaction. The API would respond with a 403 and we would continue to ask for a regular OTP code as normal.
  • For users that do have WebAuthn enabled, the API would respond with the WebAuthn verification URL. Users would then verify at that link, receive an OTP code, and then input that here.
  • This is just the first step, receiving the link and displaying it to users; the actual verification will happen in follow-up PRs on the client and CLI.

.org feature branch: rubygems/rubygems.org#3298
Matching .org work: rubygems/rubygems.org#3305

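The client-side flow the PR description lays out (request a verification URL, show it on 200, fall back to a plain OTP prompt on 403), written out as an added example. This is not code from the rubygems CLI or from this PR: the endpoint path `api/v1/webauthn_verification` is taken from the review thread, while the HTTP verb (POST), the prompt wording, the stub responses and the `trusted_verification_url?` check (which refuses to print a link that does not point back at the gem host) are assumptions added here. The real `net_http_transport` is included for reference; the stub transport lets the example run offline.

```ruby
require "net/http"
require "uri"

# Added example, not rubygems CLI code. Endpoint path from the PR thread; the
# HTTP verb, prompt wording and stub responses below are assumptions.
WEBAUTHN_PATH = "/api/v1/webauthn_verification"

WebauthnPrompt = Struct.new(:kind, :url, :message)

# Real transport: one request to the gem host, returning [status_code, body].
# (Not exercised offline; kept to show where the stub plugs in.)
def net_http_transport(uri, api_key)
  req = Net::HTTP::Post.new(uri)
  req["Authorization"] = api_key
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  [res.code, res.body]
end

# Constructed stub transport so the example runs offline: the api_key value
# selects which server behaviour to simulate.
STUB_RESPONSES = {
  "webauthn-user" => ["200", "https://rubygems.org/webauthn_verification/abc123\n"],
  "otp-only-user" => ["403", "no WebAuthn device registered"], # MFA user without a security device
  "legacy-host"   => ["404", "Not Found"],                      # host that has not deployed the endpoint
  "broken-host"   => ["500", "Internal Server Error"],
}.freeze

def stub_transport(_uri, api_key)
  STUB_RESPONSES.fetch(api_key)
end

# The CLI is about to print a link for the user to open, so only accept one that
# points back at the gem host over the same scheme and port. Anything else is
# treated as if the server had no link to offer.
def trusted_verification_url?(url, host)
  u = URI.parse(url.to_s.strip)
  h = URI.parse(host)
  !u.host.nil? && u.scheme == h.scheme && u.host == h.host && u.port == h.port
rescue URI::InvalidURIError
  false
end

# Map a response to the prompt the CLI should show. 403 (no device) and 404
# (endpoint not deployed) both mean "ask for a plain OTP"; any other status is
# surfaced as an error instead of silently taking the OTP path.
def webauthn_prompt_for(status, body, host)
  case status
  when "200"
    url = body.to_s.strip
    unless trusted_verification_url?(url, host)
      return WebauthnPrompt.new(:otp, nil, "Ignoring unexpected verification link; enter your OTP code:")
    end
    WebauthnPrompt.new(:webauthn, url, "Visit #{url} with your security device, then enter the OTP code it shows you:")
  when "403", "404"
    WebauthnPrompt.new(:otp, nil, "Enter your OTP code:")
  else
    raise "webauthn verification endpoint returned HTTP #{status}"
  end
end

def request_webauthn_prompt(host, api_key, transport: method(:net_http_transport))
  uri = URI.join(host, WEBAUTHN_PATH)
  status, body = transport.call(uri, api_key)
  webauthn_prompt_for(status, body, host)
end

if $PROGRAM_NAME == __FILE__
  %w[webauthn-user otp-only-user legacy-host].each do |key|
    prompt = request_webauthn_prompt("https://rubygems.org", key, transport: method(:stub_transport))
    puts "#{key}: #{prompt.kind} -> #{prompt.message}"
  end
end
```

The split between `transport` and `webauthn_prompt_for` is what makes the decision logic testable without a network; swapping `stub_transport` for `net_http_transport` is the only change needed to run it against a real host.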

Contributor

@jchestershopify jchestershopify left a comment


Some small questions. No blockers though.

@aellispierce
Contributor Author

cc @simi for review

@simi simi self-requested a review December 23, 2022 15:30
Contributor

@jenshenny jenshenny left a comment


Looks good to me, just have a suggestion on the OTP prompt phrasing here: #6179 (comment)

```ruby
request.add_field "Authorization", api_key
end
end
response.is_a?(Net::HTTPSuccess) ? response.body : nil
```
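Review bot: `response.is_a?(Net::HTTPSuccess) ? response.body : nil` turns every non-2xx status into nil, so the caller cannot tell the 403 the description documents (MFA user with no WebAuthn device) from a 404 on a host that has not deployed `api/v1/webauthn_verification`, a 5xx, or a rejected `Authorization` header; all of them fall through to the OTP prompt with nothing logged. Consider returning nil only for the expected case, e.g. `return nil if response.is_a?(Net::HTTPForbidden)`, and raising or at least warning on the other statuses so a misconfigured host or key is visible. The body is also handed back as-is to become the URL the CLI prints; a check that it parses and points at the configured host would stop an unexpected response from putting an arbitrary link in front of the user.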
Contributor


For hosts that do not have webauthn / "api/v1/webauthn_verification" implemented yet, I'm guessing that there's not going to be a change in behaviour since this method would return nil.

@jchestershopify
Contributor

@simi any thoughts so far?

Contributor

@indirect indirect left a comment


👍🏻


5 participants