
Backport of UI: allow retries for MFA form errors into release/1.17.x #27607

Conversation

hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #27574 to be assessed for backporting due to the inclusion of the label backport/1.17.x.

The below text is copied from the body of the original PR.


🛠️ Description

Fixes a bug where the MFA form wasn't displaying an error message or countdown when a user tried to enter an incorrect one-time password too many times.
Fixes JIRA ticket # VAULT-28437

📸 Screenshots

Before (notice missing error banner): [screenshot, 2024-06-21 3:57:30 PM]

After (error banner & countdown shown, button disabled): [screenshot, 2024-06-21 3:55:36 PM]

🏗️ How to Build and Test the Change

To replicate this you'll need to set up MFA and a userpass user. I recommend having two browser windows open: one for the root user and one for a userpass user.

  1. Create a policy test with all privileges (so the user can eventually enable MFA on their login):

```hcl
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
```

  2. Enable the userpass auth method
  3. Create a user with the test policy
  4. In the left sidebar, click "Multi-factor authentication"
  5. Select TOTP and 'next'
  6. Fill out Vault as the issuer (though it doesn't really matter). Enter 2 as the max validation attempts. Under Enforcements select "skip this step".
  7. Click create.
  8. Copy the MFA id from the URL. Ex 60c04ac9-943b-79f6-f466-e1f1d2c2fe19 in mfa/methods/60c04ac9-943b-79f6-f466-e1f1d2c2fe19
  9. In an incognito window, go log in as the user you created in step 3.
  10. Once you're logged in, click "MFA" from the user dropdown. Paste in the MFA id from step 8.
  11. Save the QR code in 1Password as a one-time password.
  12. Back in your root user window, create a new enforcement.
  13. Enter a name (it can be anything), and select TOTP from the MFA methods search. Under targets, select "userpass". Click add to add it to the list of targets.
  14. Now, back in your incognito window, log out and try to log in again as your userpass user. You should be taken to the MFA form.
  15. Enter an incorrect OTP. You should see an error.
  16. Enter an incorrect OTP 3 more times. You should see the countdown, an error indicating that you have tried too many times and must wait, and the button should be disabled.
  17. The error should disappear after the countdown is finished.
  18. Entering a correct OTP should allow you to log in.

TODO only if you're a HashiCorp employee

  • Labels: If this PR is the CE portion of an ENT change, and that ENT change is
    getting backported to N-2, use the new style backport/ent/x.x.x+ent labels
    instead of the old style backport/x.x.x labels.
  • Labels: If this PR is a CE only change, it can only be backported to N, so use
    the normal backport/x.x.x label (there should be only 1).
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

Overview of commits
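The setup half of the test steps above (policy, userpass user, TOTP method limited to 2 validation attempts, enforcement on userpass) can also be driven outside the UI. The Terraform configuration below is an added example for the hashicorp/vault provider, not code from this PR or the Vault repository; it assumes a Vault server reachable via VAULT_ADDR/VAULT_TOKEN (root token), and the username and password are constructed sample values.

```hcl
# Assumes the hashicorp/vault provider and a server addressed by VAULT_ADDR / VAULT_TOKEN (root token)
provider "vault" {}

# Step 1: the wide-open "test" policy from the repro steps
resource "vault_policy" "test" {
  name   = "test"
  policy = <<-EOT
    path "*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
  EOT
}

# Step 2: enable the userpass auth method
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Step 3: a user holding the test policy (username and password are constructed sample values)
resource "vault_generic_endpoint" "test_user" {
  path                 = "auth/${vault_auth_backend.userpass.path}/users/testuser"
  ignore_absent_fields = true
  data_json = jsonencode({
    password       = "example-password-change-me"
    token_policies = [vault_policy.test.name]
  })
}

# Steps 4-7: TOTP method; max_validation_attempts = 2 triggers the lockout the fix displays
resource "vault_identity_mfa_totp" "totp" {
  issuer                  = "Vault"
  max_validation_attempts = 2
}

# Step 8: the method id the user pastes into the UI's "MFA" dialog (step 10)
output "mfa_method_id" {
  value = vault_identity_mfa_totp.totp.method_id
}

# Steps 11-12: enforce the TOTP method on every userpass login
resource "vault_identity_mfa_login_enforcement" "userpass_totp" {
  name              = "userpass-totp"
  mfa_method_ids    = [vault_identity_mfa_totp.totp.method_id]
  auth_method_types = ["userpass"]
}
```

The steps enrol the user (step 10) before creating the enforcement (step 12); to mirror that order, apply with the enforcement resource excluded first (for example with -target on the other resources), let the user enrol from the MFA dialog, then apply again.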

@noelledaley noelledaley added this to the 1.17.2 milestone Jun 25, 2024
Build Results:
All builds succeeded! ✅

CI Results:
All Go tests succeeded! ✅

@noelledaley noelledaley merged commit 1ae641d into release/1.17.x Jun 26, 2024
30 of 31 checks passed
@noelledaley noelledaley deleted the backport/ui/fix-mfa-reattempts/conversely-trusted-termite branch June 26, 2024 18:37
Labels: backport, hashicorp-contributed-pr, ui