fix(webauthn): SessionData empty values through json

Using the candidate json/v2 encoder
https://github.com/go-json-experiment/json SessionData doesn't
roundtrip properly through json as an empty []byte is encoded as "".
Mark compatible fields as omitempty, and use len(field) == 0 instead of
nil checks to be more resilient.

webauthn/login.go

@@ -211,11 +211,11 @@ func (webauthn *WebAuthn) ValidateDiscoverableLogin(handler DiscoverableUserHand
 
 // ValidatePasskeyLogin is an overloaded version of ValidateLogin that allows for passkey credentials.
 func (webauthn *WebAuthn) ValidatePasskeyLogin(handler DiscoverableUserHandler, session SessionData, parsedResponse *protocol.ParsedCredentialAssertionData) (user User, credential *Credential, err error) {
-	if session.UserID != nil {
+	if len(session.UserID) != 0 {
 		return nil, nil, protocol.ErrBadRequest.WithDetails("Session was not initiated as a client-side discoverable login")
 	}
 
-	if parsedResponse.Response.UserHandle == nil {
+	if len(parsedResponse.Response.UserHandle) == 0 {
 		return nil, nil, protocol.ErrBadRequest.WithDetails("Client-side Discoverable Assertion was attempted with a blank User Handle")
 	}
 

webauthn/types.go

@@ -203,9 +203,9 @@ type User interface {
 // SessionData is the data that should be stored by the Relying Party for the duration of the web authentication
 // ceremony.
 type SessionData struct {
-	Challenge            string    `json:"challenge"`
-	RelyingPartyID       string    `json:"rpId"`
-	UserID               []byte    `json:"user_id"`
+	Challenge            string    `json:"challenge,omitempty"`
+	RelyingPartyID       string    `json:"rpId,omitempty"`
+	UserID               []byte    `json:"user_id,omitempty"`
 	AllowedCredentialIDs [][]byte  `json:"allowed_credentials,omitempty"`
 	Expires              time.Time `json:"expires"`