Fix WebauthN issue with Software Keys

The check if the token used was a known valid token also checked if it needed to be updated.
This check caused always caused an issue with tokens which do not need or want to be updated.

Since the cred_ids are already checked and deemed valid we only need to check if there is an updated needed.
Their already is a function for this `update_credential`, which returns `Some(true)` if this was the case.
So, only update the records if that is the case, else do not update anything.

Also, used constant time compare to check and validate the cred_id's.

Fixes #6154

Signed-off-by: BlackDex <black.dex@gmail.com>

src/api/core/two_factor/webauthn.rs

@@ -4,6 +4,7 @@ use crate::{
         EmptyResult, JsonResult, PasswordOrOtpData,
     },
     auth::Headers,
+    crypto::ct_eq,
     db::{
         models::{EventType, TwoFactor, TwoFactorType, UserId},
         DbConn,
@@ -434,12 +435,14 @@ pub async fn validate_webauthn_login(
     let authentication_result = webauthn.finish_securitykey_authentication(&rsp, &state)?;
 
     for reg in &mut registrations {
-        if reg.credential.cred_id() == authentication_result.cred_id() && authentication_result.needs_update() {
-            reg.credential.update_credential(&authentication_result);
-
-            TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
-                .save(conn)
-                .await?;
+        if ct_eq(reg.credential.cred_id(), authentication_result.cred_id()) {
+            // If the cred id matches and the credential is updated, Some(true) is returned
+            // In those cases, update the record, else leave it alone
+            if reg.credential.update_credential(&authentication_result) == Some(true) {
+                TwoFactor::new(user_id.clone(), TwoFactorType::Webauthn, serde_json::to_string(&registrations)?)
+                    .save(conn)
+                    .await?;
+            }
             return Ok(());
         }
     }