feat: Ensure passkeys cannot have duplicate pubkeys (#3626)

<!-- Make sure you talk to us before submitting changes. See
CONTRIBUTING.md. -->

# Motivation

This PR enforces that public keys are unique for all (newly added)
passkeys.

The enforcement happens by maintaining a new stable index
`passkey_public_key -> anchor_number` (for consistency w.r.t. the
previously added `recovery_key_principal -> anchor_number` index). While
registering a new passkey, this PR adds a precondition that enforces
that it's not already present in that index, and then the index is
extended with the public key of a passkey that is successfully
registered.

For existing passkeys, the index will be populated for all passkeys of
all anchors in an arbitrary order. This means there might already be
duplicate passkey public keys in II, and those will be kept, but new
duplicates will not be allowed. This is reasonable, as existing
duplicates are out of scope of the current threat model.

# Changes

* Added new stable index `lookup_anchor_with_passkey_pubkey_hash_memory`
to track passkey public keys
* Added validation checks in all device registration flows to prevent
(new) duplicate passkey public keys
* Introduced new error variants across API layers to handle duplicate
public key scenarios

# Tests

Added tests to cover all passkey-based device creation flows:

1.
`should_enforce_unique_passkey_pubkeys_and_free_them_on_change_and_remove`
2. `should_enforce_unique_passkey_pubkeys_in_registration_mode_flows`
3. `should_enforce_unique_passkey_pubkeys_in_legacy_flows`

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: sea-snake <104725312+sea-snake@users.noreply.github.com>
Co-authored-by: sea-snake <sea-snake@outlook.com>

Author: 3 people

package-lock.json

@@ -114,6 +114,7 @@ export const idlFactory = ({ IDL }) => {
   const AddTentativeDeviceResponse = IDL.Variant({
     'device_registration_mode_off' : IDL.Null,
     'another_device_tentatively_added' : IDL.Null,
+    'passkey_with_this_public_key_is_already_used' : IDL.Null,
     'added_tentatively' : IDL.Record({
       'verification_code' : IDL.Text,
       'device_registration_timeout' : Timestamp,
@@ -177,6 +178,7 @@ export const idlFactory = ({ IDL }) => {
     'expiration' : Timestamp,
   });
   const AuthnMethodRegisterError = IDL.Variant({
+    'PasskeyWithThisPublicKeyIsAlreadyUsed' : IDL.Null,
     'RegistrationModeOff' : IDL.Null,
     'RegistrationAlreadyInProgress' : IDL.Null,
     'NotSelfAuthenticating' : IDL.Principal,
@@ -190,12 +192,14 @@ export const idlFactory = ({ IDL }) => {
     'Unauthorized' : IDL.Principal,
   });
   const AuthnMethodRegistrationModeExitError = IDL.Variant({
+    'PasskeyWithThisPublicKeyIsAlreadyUsed' : IDL.Null,
     'InternalCanisterError' : IDL.Text,
     'RegistrationModeOff' : IDL.Null,
     'Unauthorized' : IDL.Principal,
     'InvalidMetadata' : IDL.Text,
   });
   const AuthnMethodReplaceError = IDL.Variant({
+    'PasskeyWithThisPublicKeyIsAlreadyUsed' : IDL.Null,
     'AuthnMethodNotFound' : IDL.Null,
     'InvalidMetadata' : IDL.Text,
   });