AshAuthentication.Strategy.WebAuthn.Actions
(ash_authentication v5.0.0-rc.7)
Core action implementations for the WebAuthn strategy.
Wraps the wax_ library for FIDO2 ceremony handling and coordinates
with Ash to persist users and credentials.
Summary
Functions
Add a new WebAuthn credential to an existing user.
Generate an authentication challenge.
Delete a credential, refusing to delete the last one.
List all credentials for a user.
Register a new user with a WebAuthn credential.
Generate a registration challenge.
Sign in a user with a WebAuthn credential.
Update the label of a credential.
Functions
@spec add_credential(AshAuthentication.Strategy.WebAuthn.t(), map(), keyword()) :: {:ok, Ash.Resource.record()} | {:error, any()}
Add a new WebAuthn credential to an existing user.
This is used when a user wants to register an additional security key or passkey.
Unlike register/3, this does NOT create a new user - it attaches a credential
to an existing one.
Params should include:
- "attestation_object" - Base64url-encoded attestation object from the browser
- "client_data_json" - Base64url-encoded client data JSON from the browser
- "label" - Optional human-readable label for the credential
Options must include:
- challenge: - The Wax.Challenge used for this ceremony
- user: - The existing user to attach the credential to
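The two-step flow around add_credential/3, as an added example that is not part of the library's own code: the challenge is kept server-side in the Plug session and removed before verification so it is single-use. The module name, session key, error atoms, the `current_user` assign and the `challenge_opts` argument are assumptions, and the session must already be fetched.

```elixir
defmodule MyAppWeb.AddPasskey do
  # Hypothetical helper module; its names are assumptions, not ash_authentication API.
  import Plug.Conn, only: [put_session: 3, get_session: 2, delete_session: 2]

  alias AshAuthentication.Strategy.WebAuthn.Actions

  # Assumed session key for the pending ceremony.
  @session_key :webauthn_add_challenge

  # Step 1: create the challenge and keep it server-side in the session.
  # `challenge_opts` is passed through untouched because this page types the
  # second argument of registration_challenge/2 only as any().
  def begin_add(conn, strategy, challenge_opts) do
    {:ok, challenge} = Actions.registration_challenge(strategy, challenge_opts)
    {put_session(conn, @session_key, challenge), challenge}
  end

  # Step 2: verify the browser's response against the stored challenge.
  def finish_add(conn, strategy, browser_params) do
    challenge = get_session(conn, @session_key)

    # Drop the challenge before verifying so it can never be used twice,
    # whether the ceremony succeeds or fails.
    conn = delete_session(conn, @session_key)

    # Assumption: an earlier plug placed the signed-in user in the assigns.
    user = conn.assigns[:current_user]

    cond do
      is_nil(user) ->
        {conn, {:error, :not_signed_in}}

      is_nil(challenge) ->
        {conn, {:error, :no_pending_challenge}}

      true ->
        # Forward only the keys documented for add_credential/3.
        params =
          Map.take(browser_params, ["attestation_object", "client_data_json", "label"])

        {conn, Actions.add_credential(strategy, params, challenge: challenge, user: user)}
    end
  end
end
```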
@spec authentication_challenge(AshAuthentication.Strategy.WebAuthn.t(), list(), any()) :: {:ok, Wax.Challenge.t()}
Generate an authentication challenge.
@spec delete_credential(AshAuthentication.Strategy.WebAuthn.t(), Ash.Resource.record(), any(), keyword()) :: :ok | {:error, any()}
Delete a credential, refusing to delete the last one.
@spec list_credentials(AshAuthentication.Strategy.WebAuthn.t(), Ash.Resource.record(), keyword()) :: {:ok, [Ash.Resource.record()]} | {:error, any()}
List all credentials for a user.
@spec register(AshAuthentication.Strategy.WebAuthn.t(), map(), keyword()) :: {:ok, Ash.Resource.record()} | {:error, any()}
Register a new user with a WebAuthn credential.
@spec registration_challenge(AshAuthentication.Strategy.WebAuthn.t(), any()) :: {:ok, Wax.Challenge.t()}
Generate a registration challenge.
@spec sign_in(AshAuthentication.Strategy.WebAuthn.t(), map(), keyword()) :: {:ok, Ash.Resource.record()} | {:error, any()}
Sign in a user with a WebAuthn credential.
@spec update_credential_label(AshAuthentication.Strategy.WebAuthn.t(), any(), String.t(), keyword()) :: {:ok, Ash.Resource.record()} | {:error, any()}
Update the label of a credential.