This is mostly a client concern, but some server-side support will be needed for generating challenges.
Need to understand the create-account / login flows better.
What is the challenge for in the create step? Seems to be focused on adding credentials to an existing account, but here we can consider it creating a new account with the new credentials. In this case, maybe the challenge is superfluous?
Server needs to be able to generate input params for the calls:
// Fetch server-generated parameters (challenge, rp, user, pubKeyCredParams).
const options = await fetch('/auth/webauthn').then((r) => r.json());
// Try to use an existing credential first; the challenge must be a BufferSource.
let key = await navigator.credentials.get({ publicKey: { challenge: new Uint8Array(options.challenge) } });
if (!key) {
  // No usable credential: register a new one with the server-provided create options.
  key = await navigator.credentials.create(options.create);
  await fetch('/auth/webauthn', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    // attestationObject is an ArrayBuffer; serialise it as a byte array, JSON.stringify would emit {}.
    body: JSON.stringify({ key: Array.from(new Uint8Array(key.response.attestationObject)) }), // is clientDataJSON needed?
    // ...
  });
}
// we now (possibly) have a key which we can use to respond to a server challenge to exchange for a JWT
{
  "challenge": [0, 0, 0, 0, 0, ..., 0],
  "create": {
    "publicKey": {
      "rp": {},
      "user": {},
      "pubKeyCredParams": []
    }
  }
}
The intended WebAuthn flow is still unclear: is the expected flow to call create first (but with excludeCredentials somehow?), then always use the same get call with data and a challenge to perform the JWT exchange?