Add WebAuthn/Passkey authentication support

Implements passwordless passkey login alongside the existing
email/password flow. Passkeys provide phishing-resistant,
multi-factor authentication (device + biometric) and bypass
TOTP 2FA when used.

Closes #3363

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: florida117

backend/internal/token.js

@@ -5,6 +5,7 @@ import authModel from "../models/auth.js";
 import TokenModel from "../models/token.js";
 import userModel from "../models/user.js";
 import twoFactor from "./2fa.js";
+import webauthn from "./webauthn.js";
 
 const ERROR_MESSAGE_INVALID_AUTH = "Invalid email or password";
 const ERROR_MESSAGE_INVALID_AUTH_I18N = "error.invalid-auth";
@@ -210,6 +211,39 @@ export default {
 		};
 	},
 
+	/**
+	 * Verify passkey authentication and return full token
+	 * @param {string} challengeToken
+	 * @param {Object} credential
+	 * @param {string} [expiry]
+	 * @returns {Promise}
+	 */
+	getTokenFromPasskey: async (challengeToken, credential, expiry) => {
+		const Token = TokenModel();
+		const tokenExpiry = expiry || "1d";
+
+		const userId = await webauthn.verifyAuthentication(challengeToken, credential);
+
+		const expiryDate = parseDatePeriod(tokenExpiry);
+		if (expiryDate === null) {
+			throw new errs.AuthError(`Invalid expiry time: ${tokenExpiry}`);
+		}
+
+		const signed = await Token.create({
+			iss: "api",
+			attrs: {
+				id: userId,
+			},
+			scope: ["user"],
+			expiresIn: tokenExpiry,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiryDate.toISOString(),
+		};
+	},
+
 	/**
 	 * @param   {Object} user
 	 * @returns {Promise}