I wanted to document the discussion we had about why we chose this new strategy rather than the one django_u2f had picked.

django_u2f embedded the JSON payload used to initiate the authentication ceremony directly in the HTML of the login form. When we switched to WebAuthn, we decided instead to expose an API endpoint that returns that payload as a JSON response.

The main drawback is the extra round trip: the browser has to make one more request before it can talk to the authenticator. The benefits are multiple:

- No more bugs caused by writing JSON inside an HTML tag (a string value containing `</script>` or other markup has to be escaped specially to keep the page well-formed). With JSON in a JSON response, the client simply parses it; no magic is needed to load it.
- The data is fresh. The payload carries a challenge bound to the session with a limited lifetime, and it is generated at the moment the browser asks for it, so it is as fresh as possible. We no longer have to worry about someone who opens the login page, comes back later and fails because the embedded payload or their session has expired.
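To make the two points above concrete, here is an added Python example (not code from django_u2f or from our WebAuthn integration, and framework-free so it runs on its own). It builds fresh registration options with a time-limited challenge, shows how naively embedding that JSON in a `<script>` tag can be broken by a user-controlled display name unless `<` is escaped, and contrasts that with serving the same dict as a plain JSON response that the client just parses. The two-minute TTL, the option field set and the malicious display name are constructed for the illustration.

```python
import base64
import json
import os
import time

# Assumption (not from the post): a challenge is valid for two minutes.
CHALLENGE_TTL_SECONDS = 120


def b64url(data):
    """base64url without padding, the usual encoding for binary fields in WebAuthn JSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_registration_options(rp_id, user_name, display_name, now=None):
    """Return a fresh PublicKeyCredentialCreationOptions-like dict plus the server-side
    state (raw challenge and issue time) that a real app would keep in the session."""
    challenge = os.urandom(32)
    issued_at = time.time() if now is None else now
    options = {
        "rp": {"id": rp_id, "name": rp_id},
        "user": {"id": b64url(os.urandom(16)), "name": user_name, "displayName": display_name},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
        "timeout": CHALLENGE_TTL_SECONDS * 1000,  # milliseconds, as the browser API expects
    }
    state = {"challenge": challenge, "issued_at": issued_at}
    return options, state


def challenge_is_fresh(state, now):
    """Server-side check when the response comes back: reject a challenge older than the
    TTL, which is exactly what happens to a payload embedded in a page left open too long."""
    return 0 <= now - state["issued_at"] <= CHALLENGE_TTL_SECONDS


# --- Old strategy: JSON embedded in the HTML of the login form ----------------------------

def embed_in_html_naive(options):
    """Embedding without escaping '<': json.dumps leaves '</script>' untouched, so a string
    value such as a display name can close the <script> element early (markup injection)."""
    return "<script>var options = " + json.dumps(options) + ";</script>"


def embed_in_html_escaped(options):
    """The extra 'magic' the embedded approach needs: escape '<' as \\u003c so '</script>'
    can never appear in the JSON text (the same idea as Django's json_script filter)."""
    return "<script>var options = " + json.dumps(options).replace("<", "\\u003c") + ";</script>"


def script_breakout(html):
    """True if the JSON text closed the <script> element before the intended end tag."""
    return html.count("</script>") > 1


# --- New strategy: a dedicated endpoint returning JSON ------------------------------------

def json_api_response(options):
    """Plain JSON response: there is no HTML context, so json.dumps output is used as-is."""
    body = json.dumps(options)
    return 200, {"Content-Type": "application/json"}, body


def client_parse_options(body):
    """Browser-side equivalent of JSON.parse plus base64url decoding of the challenge,
    which is then handed straight to navigator.credentials.create()."""
    options = json.loads(body)
    padded = options["challenge"] + "=" * (-len(options["challenge"]) % 4)
    raw_challenge = base64.urlsafe_b64decode(padded)
    if len(raw_challenge) < 16:  # WebAuthn requires at least 16 bytes of challenge
        raise ValueError("challenge too short")
    return options


if __name__ == "__main__":
    # Constructed hostile display name: harmless in the JSON API, dangerous when embedded.
    opts, state = make_registration_options("example.com", "alice", "x</script><script>alert(1)//", now=1000.0)
    print("naive embed breaks out of <script>:", script_breakout(embed_in_html_naive(opts)))
    print("escaped embed breaks out:", script_breakout(embed_in_html_escaped(opts)))
    print("fresh after 10s:", challenge_is_fresh(state, 1010.0))
    print("fresh after TTL+1s:", challenge_is_fresh(state, 1000.0 + CHALLENGE_TTL_SECONDS + 1))
    print("API round trip ok:", client_parse_options(json_api_response(opts)[2])["user"]["displayName"] == opts["user"]["displayName"])
```

The JSON endpoint removes a whole class of context-dependent escaping from the login template, and because the challenge is minted when the browser fetches it, the freshness check on the way back only fails if the user genuinely took longer than the TTL between fetching the options and touching the authenticator.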