Client supplied extension data is treated as trusted

[SaphireLattice]

AuthenticatorAssertionRawResponse checks for AppID extension, but it uses the copy supplied by the client as JSON/etc from JS Credential.getClientExtensionResults(), without checking that it is the same data as supplied in AuthenticatorData.

This data should be sourced directly from AuthenticatorData CBOR, rather than relying on the client to supply the matching data, and the relevant properties should be removed from AuthenticatorAssertionRawResponse

[abergs]

Thank you for submitting this issue. Is AppID really encoded as part of the authdata? I thought it was a client only extension, but my memory may serve me wrong.