Because:
- On Windows, requesting the WebAuthn PRF extension with an empty eval
(prf: {}) makes Windows Hello reject passkey registration with
UnknownError.
This commit:
- adds a static base64url PRF salt to the passkey config
(PASSKEYS__PRF_SALT, default ''); registration options now send
prf.eval.first only when PRF is enabled and a salt is configured, and
omit the prf extension entirely otherwise.
- adds a client-side silent retry without PRF when registration fails
with a PRF-attributable unexpected error; the retry reuses the abort
signal so a user cancel or timeout never re-prompts, and is bounded to
the remaining timeout budget so the two attempts never exceed a single
timeout window (aligned with the server-side challenge TTL).
- enables requestPrfAtRegistration with a dummy local salt in the dev
auth-server config so local testing exercises the salted PRF path.
Issue: FXA-13991