feat(auth): add WebAuthn MFA credentials (#1628)

* feat(auth): add WebAuthn MFA credentials

* fix(auth): harden WebAuthn MFA review paths

* fix(auth): polish WebAuthn error handling

* fix(auth): handle duplicate WebAuthn credential races

* fix(auth): permit WebAuthn credential params

* fix(auth): trim WebAuthn registration controller cleanup

* fix(auth): tighten WebAuthn MFA handling

* fix(auth): pin WebAuthn relying party config

app/controllers/concerns/webauthn_relying_party.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module WebauthnRelyingParty
+  extend ActiveSupport::Concern
+
+  private
+    def webauthn_relying_party
+      webauthn_config = Rails.application.config.x.webauthn
+
+      WebAuthn::RelyingParty.new(
+        name: "Sure",
+        id: webauthn_config.rp_id,
+        allowed_origins: webauthn_config.allowed_origins,
+        # Accept consumer passkeys/security keys without attesting device vendor
+        # identity; this keeps MFA registration broad for self-hosted users.
+        verify_attestation_statement: false
+      )
+    end
+
+    def webauthn_credential_payload
+      payload = params.require(:credential)
+      payload = JSON.parse(payload) if payload.is_a?(String)
+
+      payload = payload.to_unsafe_h if payload.respond_to?(:to_unsafe_h)
+      raise ActionController::BadRequest, "credential must be an object" unless payload.is_a?(Hash)
+
+      payload
+    rescue JSON::ParserError, TypeError, ArgumentError
+      raise ActionController::BadRequest, "invalid credential payload"
+    end
+end