@spec add_credential(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Handle an add_credential request — attach a new credential to the authenticated user.

Requires an authenticated actor on the connection.

@spec add_credential_challenge(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Generate and return a registration challenge for adding a credential to the current user.

Requires an authenticated actor on the connection.

@spec authentication_challenge(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Generate and return an authentication challenge.

@spec register(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Handle a registration request.

@spec registration_challenge(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Generate and return a registration challenge.

@spec sign_in(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) :: Plug.Conn.t()

Handle an authentication request.

@spec sign_in_with_token(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Exchange a short-lived sign-in token for an authenticated session.

@spec verify(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) :: Plug.Conn.t()

Handle a second-factor verify request — confirm that the assertion was signed by one of the authenticated actor's credentials. On success the actor's :webauthn_verified_at metadata is stamped and a fresh token carrying the same value as a JWT claim is issued.

@spec verify_challenge(Plug.Conn.t(), AshAuthentication.Strategy.WebAuthn.t()) ::
  Plug.Conn.t()

Generate and return a verification (second-factor) challenge.

Requires an authenticated actor on the connection. The actor's existing credentials are listed as allow_credentials so the browser only offers those.