feat: introduce verify factor endpoint#186

Merged
paolodamico merged 3 commits intomainfrom
verify-factor
Feb 17, 2026
Contributor

@paolodamico paolodamico commented Feb 17, 2026

Introduces a /v1/verify-factor endpoint (and related challenge endpoints) which lets a user authenticate with a main factor and validate only the authorization of the Main factor. This is useful in order for the client to verify a particular factor is still properly authorized for a backup (similar to /v1/retrieve-from-challenge) but without retrieving the full backup to avoid the additional overhead everywhere.

@tomislavhoman @TinJukic-Flabbergast


Note

Medium Risk
Adds new authentication endpoints and a new challenge context, so mistakes could affect factor verification or allow misuse if context/scope checks regress; coverage is strong via integration tests and Attestation Gateway enforcement.

Overview
Adds a new "verify factor" flow that lets clients authenticate a main factor and receive only the associated backupId, avoiding full backup retrieval.

Introduces ChallengeContext::VerifyFactor plus three new routes: /v1/verify-factor/challenge/passkey, /v1/verify-factor/challenge/keypair, and /v1/verify-factor (protected by Attestation Gateway). Adds integration tests covering passkey and EC keypair success paths and key failures (invalid token/context, nonexistent or sync factor, missing/invalid attestation token) and asserting no backup payload is returned.

Written by Cursor Bugbot for commit 4ea3723.

@paolodamico
Contributor Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Keep them coming!


Contributor

@aurel-fr aurel-fr left a comment

lgtm, test coverage is extensive

@paolodamico paolodamico merged commit 2fec2a5 into main Feb 17, 2026
12 checks passed
@paolodamico paolodamico deleted the verify-factor branch February 17, 2026 12:30
@github-actions github-actions bot mentioned this pull request Feb 17, 2026