feat(auth): implement Android refresh token handling and session management

- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints.
- Implemented new tests for login, logout, and refresh functionalities specific to Android clients.
- Enhanced password reset logging with normalization and masking of email addresses.
- Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs.
- Introduced a new utility for managing password reset logs with retention policies.
- Added tests for password reset log utilities to ensure proper functionality and privacy compliance.
- Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.

server/api/auth/passkeys/register.post.js

@@ -37,17 +37,20 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, statusMessage: 'Registrierungs-Session abgelaufen. Bitte erneut versuchen.' })
   }
 
-  const { origin, rpId, requireUV } = getWebAuthnConfig()
+  const { origins, rpId, requireUV } = getWebAuthnConfig()
 
   let verification
   try {
     verification = await verifyRegistrationResponse({
       response,
       expectedChallenge,
-      expectedOrigin: origin,
+      expectedOrigin: origins,
       expectedRPID: rpId,
       requireUserVerification: requireUV
     })
+  } catch {
+    await writeAuditLog('auth.passkey.registration.failed', { userId: user.id, reason: 'verification_error' })
+    throw createError({ statusCode: 400, statusMessage: 'Passkey-Registrierung fehlgeschlagen' })
   } finally {
     clearRegistrationChallenge(user.id)
   }
@@ -103,4 +106,3 @@ export default defineEventHandler(async (event) => {
   return { success: true, message: 'Passkey hinzugefügt.' }
 })
 
-