Enforcing Timeouts in webauthn-rs

[smessmer]

Is your feature request related to a problem? Please describe. webauthn-rs currently does not enforce timeouts besides adding them to the challenge json, which means developers using the library have to make sure they check for timeouts themselves to prevent security issues where old challenges come back to haunt them. Not a big issue for us, we did add that code, but this seems like a potential security pitfall for developers. It might help some developers if webauthn-rs enforced the timeout on the server side.

Describe the solution you'd like PasskeyAuthentication and PasskeyRegistration could remember when they were created, and the timeout would be enforced when the flow finishes.

Describe alternatives you've considered Having developers using webauthn-rs check timeouts in their code. Works, but could be a security issue if they forget.

[Firstyear]

I think that's reasonable. The challenge will be doing this in a way that's stable so we likely need to store the time relative to unix epoch in the reg/auth parts. This would likely be a change to webauthn-rs-core infact rather than webauthn-rs so it fixes it for all users.