Add a client setting around UV boolean on preferred

[Progdrasil]

Suggestion(follow-up): So this would put uv = true on preferred and required. This may not be true for other providers, they may want to do UV only on required for example. This should be a setting on the client that can be enabled. Not a blocking issue for this PR, I'm mainly adding this to create a follow-up issue about it.

Originally posted by @Progdrasil in #22 (comment)

[coroiu]

Wouldn't this be against the spec?

https://www.w3.org/TR/webauthn-3/#sctn-createCredential

[Progdrasil]

Yes, however the operation should not fail if UV was not performed and the preference is "preferred". In practice its also been interpreted as "up to the client".

The thing is, I personally think this enum should have been passed to the authenticator directly and let the authenticator decide. I could have done that in this library but decided to follow CTAP which sets this as a boolean.

[coroiu]

I personally think this enum should have been passed to the authenticator directly and let the authenticator decide

That's exactly how we've implemented it, we're setting aside value before calling the client and then use it in a wrapper around our own UserValidationMethod

[Progdrasil]

As a way to keep CTAP interface compatibility, we could implement this as an authenticator extension. We'll be bringing PRs soon adding extension infrastructure