Add passkey (WebAuthn) authentication with self-registration

Enable users to sign up and sign in using passkeys (biometrics/security
keys) without needing a manually-created Authentik account. The existing
SSO login remains as an alternative.

Backend:
- Add WebAuthn registration/authentication endpoints via py-webauthn
- Issue HS256 JWTs for passkey users, with Redis-backed challenge storage
- Dual JWT verification in auth middleware (issuer-based routing: passkey
  HS256 vs Authentik RS256)
- PasskeyCredential model + migration making user.password nullable
- UserRepository with full CRUD for users and credentials

Frontend:
- AuthUser type abstraction unifying OIDC and passkey users
- Passkey service using @simplewebauthn/browser for WebAuthn ceremonies
- LoginModal redesigned with Sign In / Sign Up tabs
- Type migration from oidc-client-ts User to AuthUser across all services
  and components

crawler/.env.sample

@@ -30,3 +30,14 @@ RIGHTMOVE_CIRCUIT_BREAKER_TIMEOUT=60.0  # Seconds to wait before recovery attemp
 # Multiple schedules:
 # SCRAPE_SCHEDULES='[{"name":"RENT 2am","listing_type":"RENT","hour":"2"},{"name":"BUY 4am","listing_type":"BUY","hour":"4"}]'
 SCRAPE_SCHEDULES=
+
+# WebAuthn / Passkey configuration
+WEBAUTHN_RP_ID=localhost                     # Relying Party ID (domain)
+WEBAUTHN_RP_NAME=Wrongmove                   # Relying Party display name
+WEBAUTHN_ORIGIN=https://localhost             # Expected WebAuthn origin
+
+# JWT configuration (for passkey-issued tokens)
+JWT_SECRET=change-me-in-production           # HMAC secret for HS256 signing
+JWT_ALGORITHM=HS256                          # JWT signing algorithm
+JWT_EXPIRATION_HOURS=24                      # Token expiry in hours
+JWT_ISSUER=wrongmove                         # JWT issuer claim