feat: add WebAuthn (Passkey) Authentication Support #19

@ashupednekar

User Story

As a developer using GoBetterAuth,
I want to support secure passwordless authentication using WebAuthn (passkeys / security keys),
So that users can authenticate using phishing-resistant, modern authenticators such as Touch ID, Face ID, Windows Hello, or hardware security keys.


Motivation

WebAuthn has become a first-class authentication mechanism across modern browsers and operating systems. Supporting it in GoBetterAuth enables:

  • Passwordless and phishing-resistant authentication
  • Improved UX through biometrics and device-bound passkeys
  • Alignment with modern security standards (FIDO2)

This should be an optional authentication method, not a replacement for existing flows such as password or magic-link authentication.


Proposed Design

1. WebAuthn Library

Use an existing Go WebAuthn implementation, for example:

  • github.com/go-webauthn/webauthn

This library already handles:

  • Challenge generation
  • Credential parsing and verification
  • Signature counter management
  • WebAuthn specification compliance

2. Database Model

Introduce a webauthn_credentials table / model.

Example fields:

  • id
  • user_id
  • credential_id
  • public_key
  • sign_count
  • transports
  • created_at
  • last_used_at

Persistence options:

  • GORM (reference implementation)
  • sqlc (optional alternative)
  • Custom storage via interface
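The model and the "custom storage via interface" option above, as an added example that is not GoBetterAuth's code or the go-webauthn library's: a `CredentialStore` interface over the proposed `webauthn_credentials` fields, an in-memory implementation, and the one rule the store has to enforce on every login, the WebAuthn signature counter. The method names (`Save`, `ByCredentialID`, `RecordUse`), `MemoryStore` and the error values are assumptions for this sketch; in a real integration `RecordUse` would be fed the counter the library extracts from the verified assertion.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Credential mirrors the proposed webauthn_credentials model field for field.
type Credential struct {
	ID           string
	UserID       string
	CredentialID []byte // raw credential id chosen by the authenticator; unique
	PublicKey    []byte // COSE-encoded public key, opaque to the store
	SignCount    uint32 // last signature counter seen from this authenticator
	Transports   []string
	CreatedAt    time.Time
	LastUsedAt   time.Time
}

// CredentialStore is the "custom storage via interface" option; a GORM or sqlc backend would implement it.
type CredentialStore interface {
	Save(c Credential) error
	ByCredentialID(credentialID []byte) (Credential, error)
	RecordUse(credentialID []byte, reportedCount uint32, now time.Time) error
}

var ErrNotFound = errors.New("credential not found")
var ErrDuplicate = errors.New("credential id already registered")
var ErrCounterRollback = errors.New("sign counter did not increase: authenticator may be cloned")

// CheckSignCount applies the WebAuthn signature-counter rule: the counter must
// increase on every assertion unless both values are 0 (no counter support).
func CheckSignCount(stored, reported uint32) error {
	if reported > stored || (reported == 0 && stored == 0) {
		return nil
	}
	return ErrCounterRollback
}

// MemoryStore is an in-memory CredentialStore for tests and illustration (assumption).
type MemoryStore struct {
	mu    sync.Mutex
	creds map[string]Credential // keyed by string(CredentialID)
}

func NewMemoryStore() *MemoryStore { return &MemoryStore{creds: map[string]Credential{}} }

func (m *MemoryStore) Save(c Credential) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, exists := m.creds[string(c.CredentialID)]; exists {
		return ErrDuplicate // one credential id may belong to exactly one user
	}
	m.creds[string(c.CredentialID)] = c
	return nil
}

// ByCredentialID is the lookup login/finish performs with the id the authenticator returned.
func (m *MemoryStore) ByCredentialID(credentialID []byte) (Credential, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if c, ok := m.creds[string(credentialID)]; ok {
		return c, nil
	}
	return Credential{}, ErrNotFound
}

// RecordUse runs at the end of login/finish, after the assertion signature has
// been verified; it rejects a counter rollback and otherwise updates the row.
func (m *MemoryStore) RecordUse(credentialID []byte, reportedCount uint32, now time.Time) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	c, ok := m.creds[string(credentialID)]
	if !ok {
		return ErrNotFound
	}
	if err := CheckSignCount(c.SignCount, reportedCount); err != nil {
		return fmt.Errorf("credential %s: %w", c.ID, err)
	}
	c.SignCount, c.LastUsedAt = reportedCount, now
	m.creds[string(credentialID)] = c
	return nil
}

func main() {
	store := NewMemoryStore()
	_ = store.Save(Credential{ID: "c1", UserID: "u1", CredentialID: []byte("cred-1"), SignCount: 10})
	fmt.Println(store.RecordUse([]byte("cred-1"), 11, time.Now())) // accepted: counter moved 10 -> 11
	fmt.Println(store.RecordUse([]byte("cred-1"), 11, time.Now())) // rejected: counter did not increase
}
```

Whether a rollback should lock the credential, alert, or merely log is a policy decision GoBetterAuth would have to expose; the store's job is to refuse to advance the row and surface a distinct error so the caller can decide.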

3. API Endpoints

Suggested framework-agnostic HTTP endpoints:

  • POST /auth/webauthn/register/begin
  • POST /auth/webauthn/register/finish
  • POST /auth/webauthn/login/begin
  • POST /auth/webauthn/login/finish

Flow:

  • register/begin → generate challenge and credential options
  • register/finish → verify attestation and persist credential
  • login/begin → generate assertion challenge
  • login/finish → verify assertion and authenticate user

4. Framework Scope

  • Use net/http for handlers (no Gin dependency)
  • Middleware-agnostic
  • Storage and session/token issuance should integrate cleanly with existing GoBetterAuth abstractions
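The begin/finish flow of section 3 and the net/http scope of section 4, as an added example that is not GoBetterAuth's code or the go-webauthn library's: a `*/begin` handler on plain `net/http` that issues a random challenge, and the relying-party checks a `*/finish` handler must run on `clientDataJSON` before it hands the response to the library for signature verification (challenge is known, unused and unexpired; ceremony type matches the endpoint; origin is one we serve). `ChallengeStore`, `BeginHandler`, `VerifyClientData`, the `X-User-ID` header standing in for a session lookup, and the origin `https://app.example` are all assumptions for this sketch.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"sync"
	"time"
)

// Ceremony is the value the browser writes into clientDataJSON.type.
type Ceremony string

const CeremonyRegister Ceremony = "webauthn.create" // register/begin -> register/finish
const CeremonyLogin Ceremony = "webauthn.get"       // login/begin -> login/finish

var ErrUnknownChallenge = errors.New("unknown or already used challenge")
var ErrExpiredChallenge = errors.New("challenge expired")
var ErrClientData = errors.New("clientDataJSON rejected")

// pendingChallenge binds a challenge to one ceremony and (for registration) one user.
type pendingChallenge struct{ Ceremony Ceremony; UserID string; Expires time.Time }

// ChallengeStore keeps challenges issued by */begin until */finish consumes them (assumption).
type ChallengeStore struct {
	mu      sync.Mutex
	now     func() time.Time // injectable clock, time.Now in production
	ttl     time.Duration
	pending map[string]pendingChallenge // keyed by the base64url challenge
}

func NewChallengeStore(ttl time.Duration) *ChallengeStore {
	return &ChallengeStore{now: time.Now, ttl: ttl, pending: map[string]pendingChallenge{}}
}

// Issue draws a 32-byte challenge from crypto/rand (the spec minimum is 16 bytes).
func (s *ChallengeStore) Issue(c Ceremony, userID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[ch] = pendingChallenge{c, userID, s.now().Add(s.ttl)}
	return ch, nil
}

// VerifyClientData runs the relying-party checks on clientDataJSON that precede
// signature verification and returns the user the challenge was issued for.
func VerifyClientData(s *ChallengeStore, raw []byte, want Ceremony, allowedOrigins map[string]bool) (string, error) {
	var cd struct{ Type, Challenge, Origin string } // encoding/json matches keys case-insensitively
	if err := json.Unmarshal(raw, &cd); err != nil {
		return "", fmt.Errorf("%w: %v", ErrClientData, err)
	}
	s.mu.Lock()
	p, ok := s.pending[cd.Challenge]
	delete(s.pending, cd.Challenge) // consumed even if a later check fails: no retries
	s.mu.Unlock()
	if !ok {
		return "", ErrUnknownChallenge
	}
	if s.now().After(p.Expires) {
		return "", ErrExpiredChallenge
	}
	if cd.Type != string(want) || p.Ceremony != want {
		return "", fmt.Errorf("%w: ceremony mismatch %q", ErrClientData, cd.Type)
	}
	if !allowedOrigins[cd.Origin] {
		return "", fmt.Errorf("%w: origin %q not allowed", ErrClientData, cd.Origin)
	}
	return p.UserID, nil
}

// BeginHandler serves register/begin or login/begin; X-User-ID stands in for a session lookup (assumption).
func BeginHandler(s *ChallengeStore, c Ceremony, rpID string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		ch, err := s.Issue(c, r.Header.Get("X-User-ID"))
		if err != nil {
			http.Error(w, "challenge generation failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"challenge": ch, "rpId": rpID})
	}
}

func main() {
	store := NewChallengeStore(2 * time.Minute)
	http.Handle("/auth/webauthn/register/begin", BeginHandler(store, CeremonyRegister, "app.example"))
	http.Handle("/auth/webauthn/login/begin", BeginHandler(store, CeremonyLogin, "app.example"))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The challenge is deleted before the type and origin checks on purpose: a finish request that fails any check burns its challenge, so nothing can be retried against a challenge that has already been seen. The in-memory map is per process; behind more than one instance the pending table has to live in shared storage, which is where this fits the "storage abstraction" bullet above.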

5. Reference Implementation

A similar WebAuthn implementation approach can be seen here:

This repository demonstrates:

  • WebAuthn registration and login flows
  • net/http-based handlers
  • Clean separation between transport, auth logic, and persistence

The GoBetterAuth implementation can follow a similar structure while adapting to:

  • GoBetterAuth’s user model
  • Session / token issuance
  • Plugin-style extensibility (if applicable)

Open Questions

  • Should WebAuthn live as:
    • A first-party plugin?
    • Or an optional core module?
  • Should WebAuthn support:
    • Login-only as an additional factor?
    • WebAuthn-only accounts without passwords?
  • Should multiple credentials per user be supported? (recommended)

Acceptance Criteria

  • WebAuthn registration flow implemented
  • WebAuthn login flow implemented
  • Credential persistence abstraction
  • net/http handlers with no framework lock-in
  • Documentation and example usage
  • Compatibility with existing GoBetterAuth auth flows

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)