Implement server-side WebAuthn passkey registration and authentication ceremonies

Verified steps

1. For registration: generate a PublicKeyCredentialCreationOptions object server-side including a cryptographically random challenge, relying party info (id and name), user info (id, name, displayName), and pubKeyCredParams listing acceptable algorithms.
2. Send the options to the client; the browser calls navigator.credentials.create() and returns an AuthenticatorAttestationResponse; POST the credential id, attestation object, and client data JSON back to your server.
3. Verify the registration server-side: parse and validate the clientDataJSON (check type, challenge, and origin), verify the attestation object, extract the public key and credential id, and store them associated with the user.
4. For authentication: generate a new random challenge and a PublicKeyCredentialRequestOptions including allowCredentials listing the user's stored credential ids; send to the client.
5. The client calls navigator.credentials.get(); the authenticator signs the challenge and returns an AuthenticatorAssertionResponse; POST it to your server.
6. Verify the assertion server-side: validate clientDataJSON, verify the authenticatorData flags (user presence, user verification as required), verify the signature against the stored public key, and increment the stored signature counter to detect cloned authenticators.