feat: collect metrics for totp out of sync (#18981)

Similar to invalid codes, collect metrics about sync issue to aid with
impact analysis.

Refs: #14710

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

Author: miketheman

tests/unit/accounts/test_services.py

@@ -634,6 +634,24 @@ def test_check_totp_value_reused(self, user_service):
 
         assert not user_service.check_totp_value(user.id, b"123456")
 
+    def test_check_totp_out_of_sync(self, mocker, metrics, user_service):
+        user = UserFactory.create()
+        mocker.patch.object(otp, "verify_totp", side_effect=otp.OutOfSyncTOTPError)
+
+        with pytest.raises(otp.OutOfSyncTOTPError):
+            user_service.check_totp_value(user.id, b"123456")
+
+        assert metrics.increment.calls == [
+            pretend.call(
+                "warehouse.authentication.two_factor.start",
+                tags=["mechanism:check_totp_value"],
+            ),
+            pretend.call(
+                "warehouse.authentication.two_factor.failure",
+                tags=["mechanism:check_totp_value", "failure_reason:out_of_sync"],
+            ),
+        ]
+
     def test_check_totp_value_no_secret(self, user_service):
         user = UserFactory.create()
         with pytest.raises(otp.InvalidTOTPError):

warehouse/accounts/services.py

@@ -504,6 +504,13 @@ def check_totp_value(self, user_id, totp_value, *, tags=None):
         try:
             if not (valid := otp.verify_totp(totp_secret, totp_value)):
                 self._hit_2fa_ratelimits(userid=user_id)
+        except otp.OutOfSyncTOTPError:
+            self._metrics.increment(
+                "warehouse.authentication.two_factor.failure",
+                tags=tags + ["failure_reason:out_of_sync"],
+            )
+            self._hit_2fa_ratelimits(userid=user_id)
+            raise otp.OutOfSyncTOTPError
         except otp.InvalidTOTPError:
             self._metrics.increment(
                 "warehouse.authentication.two_factor.failure",