fix(webauthn): validate discoverable login with handle = nil #164

Closed

Conversation


@Daedaluz Daedaluz commented Sep 26, 2023

I ran into an issue while trying to use the credentials over the phone where the signed response does not contain a user handle.

Digging into this, I found https://w3c.github.io/webauthn/#user-handle

Discoverable credentials store this identifier and MUST return it as response.userHandle in authentication ceremonies started with an empty allowCredentials argument.

and

The main use of the user handle is to identify the user account in such authentication ceremonies, but the credential ID could be used instead.

I suppose this means that the user handle can be absent in case the ceremony is started with specific allowed credentials?

Seems like there have been some relevant discussions here and here

The implementation should then, at least

if len(session.AllowedCredentialIDs) > 0 {
    ...
}

Or perhaps save the intended user handle in session with the help of another LoginOption and in ValidateDiscoverableLogin just use the handle from the session (if present), as the whole issue seems to be about indexing?

In any case, to me, it looks like it's valid with a UserHandle == nil response.

To add, apparently, I could not use the phone to log in with no AllowedCredentials specified for some reason which I don't fully understand yet (Yubikey works fine though).

Edit:
The credentials for the RP just weren't listed by default with AllowedCredentials = nil. There was another button, more options -> this device, that listed the usable credentials.
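
The two validation paths the description above lays out (an unrestricted discoverable ceremony must carry the user handle; a ceremony restricted by AllowedCredentialIDs may omit it and can fall back to a handle remembered in the session, e.g. via a LoginOption), as an added Go example that is not part of this PR or of the library's own code: the SessionData and AssertionResponse types, the error values and the ResolveUserHandle/containsID names are constructed for illustration, and the example also rejects a response handle that contradicts the one stored in the session.

```go
package main

import (
	"bytes"
	"errors"
)
type SessionData struct { // hypothetical stand-in for the library's session type (constructed)
	AllowedCredentialIDs [][]byte // non-empty when the RP restricted the ceremony
	UserHandle           []byte   // handle the RP remembered at ceremony start, if any
}
type AssertionResponse struct { // hypothetical stand-in for the parsed assertion (constructed)
	CredentialID []byte
	UserHandle   []byte // nil when the authenticator omitted response.userHandle
}
var ErrUserHandleMissing = errors.New("user handle missing in an unrestricted ceremony")
var ErrCredentialNotAllowed = errors.New("credential ID not in the session's allow-list")
var ErrUserHandleMismatch = errors.New("response user handle differs from the session's")
// ResolveUserHandle picks the identifier used to look up the account: an unrestricted
// ceremony must carry response.userHandle; a restricted one may omit it, since the
// credential ID, checked against the allow-list, identifies the account instead.
func ResolveUserHandle(s SessionData, r AssertionResponse) (handle []byte, byCredentialID bool, err error) {
	if s.UserHandle != nil && r.UserHandle != nil && !bytes.Equal(s.UserHandle, r.UserHandle) {
		return nil, false, ErrUserHandleMismatch
	}
	if len(s.AllowedCredentialIDs) == 0 {
		if len(r.UserHandle) == 0 {
			return nil, false, ErrUserHandleMissing
		}
		return r.UserHandle, false, nil
	}
	if !containsID(s.AllowedCredentialIDs, r.CredentialID) {
		return nil, false, ErrCredentialNotAllowed
	}
	if s.UserHandle != nil { // handle stored via a LoginOption at ceremony start wins
		return s.UserHandle, false, nil
	}
	return r.UserHandle, len(r.UserHandle) == 0, nil // byCredentialID: only the ID is usable
}

func containsID(ids [][]byte, id []byte) bool {
	for _, c := range ids {
		if bytes.Equal(c, id) {
			return true
		}
	}
	return false
}
func main() { // restricted ceremony with no user handle in the response: accepted
	_, byID, err := ResolveUserHandle(SessionData{AllowedCredentialIDs: [][]byte{[]byte("cred-1")}}, AssertionResponse{CredentialID: []byte("cred-1")})
	println("lookup by credential ID:", byID, "error:", err == nil)
}
```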

* Allow nil user handle
@Daedaluz Daedaluz requested a review from a team as a code owner September 26, 2023 10:38
@Daedaluz Daedaluz marked this pull request as draft September 26, 2023 17:41
@Daedaluz Daedaluz changed the title ValidateDiscoverableLogin fix fix(webauthn): validate discoverable login with handle = nil Sep 27, 2023
@Daedaluz Daedaluz closed this Oct 18, 2023