FIX mark a successful login attempt when completing a password reset

[wilr]

Description

See issue #10100

Manual testing steps

• Lock yourself out of a site (5 password fails)
• Reset your password via 'Forgot Password'
• Password reset fails as user is 'Locked out'

Issues

• isLockedOut, Forgot Password flow and LoginAttempts table creates a confusing user experience #10100

Pull request checklist

• The target branch is correct
  • See picking the right version
• All commits are relevant to the purpose of the PR (e.g. no debug statements, unrelated refactoring, or arbitrary linting)
  • Small amounts of additional linting are usually okay, but if it makes it hard to concentrate on the relevant changes, ask for the unrelated changes to be reverted, and submitted as a separate PR.
• The commit messages follow our commit message guidelines
• The PR follows our contribution guidelines
• Code changes follow our coding conventions
• This change is covered with tests (or tests aren't necessary for this change)
• Any relevant User Help/Developer documentation is updated; for impactful changes, information is added to the changelog for the intended release
• CI is green

[GuySartorelli]

Sorry it's taken so long to review this.

Looks sensible to me, but it should be conditional against Security::config()>get('login_recording') - see MemberAuthenticator::recordLoginAttempt()

[wilr]

@GuySartorelli Looking at that, if you make it conditional then you would still hit the issue if you had login_recording set to false, but lock_out_after_incorrect_logins set to true.

[GuySartorelli]

I'm okay with it being conditional against both of those, if that's the case. Though my understanding is that this bug can't happen if login_recording is set to false, because it won't be writing any login attempt records at all.

[wilr]

@GuySartorelli updated accordingly!

[GuySartorelli]

LGTM. Thanks for making that change so quickly.