
[Feature Request]: Allow authenticatorSelection to be configured (and maybe consider changing the default) #23

Open
airjp73 opened this issue Aug 20, 2024 · 0 comments


airjp73 commented Aug 20, 2024

Hi!

I've been setting up webauthn for my project and I ran into an issue I thought was worth bringing up. There seems to be a bit of a mismatch between some of the documentation and the registration implementation. I'm still new to webauthn though, so I could totally be wrong here!

Mismatch

Currently, handleFormSubmit has a hardcoded configuration for authenticatorSelection that is configured with residentKey: "discouraged". However, the readme section about authentication documents that:

The user requests authentication, and the browser shows the available passkeys for the domain.

These two things don't quite match up. By setting residentKey: "discouraged", it encourages the client device to create non-discoverable credentials. And non-discoverable credentials are not available when the user tries to authenticate unless you specify allowCredentials (by passing a user to generateOptions). But if the user isn't logged in, you don't have access to the user yet, meaning the user won't have access to their non-discoverable credentials.

One workaround is to have the user enter the username, then return the list of authenticators. But, if you have to tell an unauthenticated client about what authenticators a user has set up, then it starts to feel unsuitable as a primary login method, and better-suited for 2FA.

Proposed changes

It seems having the default value for authenticatorSelection include residentKey: "preferred" would result in the smoothest setup without needing to know a ton about webauthn.

Either way, I think it would be useful to be able to customize authenticatorSelection. For my use-case I'm comfortable sticking with only discoverable credentials and want to tweak those settings.

I'm happy to make a quick PR if you agree that this is a reasonable change. 😄
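The interaction the issue describes, as an added example (not the library's code): a small model of how the registration-time residentKey hint decides whether a credential can later be used for a login that starts without knowing the user. The authenticator behaviour is deliberately simplified (constructed, not a real authenticator) and the credential ids and challenge are constructed sample values.

```javascript
// Added example (not the library's own code): residentKey at registration
// versus allowCredentials at authentication for discoverable credentials.

const RESIDENT_KEY_VALUES = ["discouraged", "preferred", "required"];

// Build authenticatorSelection for navigator.credentials.create(). The legacy
// requireResidentKey flag must be true exactly when residentKey is "required".
function buildAuthenticatorSelection({ residentKey = "preferred", userVerification = "preferred" } = {}) {
  if (!RESIDENT_KEY_VALUES.includes(residentKey)) {
    throw new Error(`invalid residentKey: ${residentKey}`);
  }
  return { residentKey, requireResidentKey: residentKey === "required", userVerification };
}

// Simplified model of an authenticator honouring the RP's residentKey hint:
// "required"/"preferred" yield a discoverable credential when the authenticator
// can store one, "discouraged" yields a non-discoverable one.
function simulateRegistration(selection, credentialId, { supportsResidentKeys = true } = {}) {
  if (selection.residentKey === "required" && !supportsResidentKeys) {
    throw new Error("authenticator cannot create a discoverable credential");
  }
  const discoverable = selection.residentKey !== "discouraged" && supportsResidentKeys;
  return { id: credentialId, discoverable };
}

// Build options for navigator.credentials.get(). allowCredentials is only
// filled in when the relying party already knows which user is signing in.
function buildAuthenticationOptions(challenge, rpId, knownCredentialIds = []) {
  const options = { challenge, rpId, userVerification: "preferred" };
  if (knownCredentialIds.length > 0) {
    options.allowCredentials = knownCredentialIds.map((id) => ({ type: "public-key", id }));
  }
  return options;
}

// A credential is usable in this ceremony if it is discoverable (the browser
// can list it for the rpId) or if the RP named it in allowCredentials.
function credentialUsable(credential, options) {
  const allowed = options.allowCredentials ?? [];
  if (allowed.length === 0) return credential.discoverable;
  return allowed.some((c) => c.id === credential.id);
}

// Constructed sample: the mismatch from the issue, "discouraged" plus no user.
const discouragedCred = simulateRegistration(buildAuthenticatorSelection({ residentKey: "discouraged" }), "cred-A");
const preferredCred = simulateRegistration(buildAuthenticatorSelection(), "cred-B");
const loginWithoutUser = buildAuthenticationOptions("constructed-challenge", "example.com");
```

With the defaults above, `credentialUsable(discouragedCred, loginWithoutUser)` is false while the "preferred" credential is usable; the "discouraged" one only works once the RP knows the user and passes its id in allowCredentials.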
