fix(webauthn): drop large_blob_key from public Assertion model

Per review on #198: keep the per-credential largeBlobKey only on the
CTAP-level Ctap2GetAssertionResponse. Surfacing it on the public
Assertion struct gives callers a foot-gun to forward straight to the
RP, which is exactly the disclosure this PR is meant to prevent. The
follow-up authenticatorLargeBlobs PR (#206) can read the key directly
off the CTAP response.

Author: AlfioEmanueleFresta

libwebauthn/src/ops/webauthn/get_assertion.rs

@@ -405,7 +405,6 @@ pub struct Assertion {
     pub user: Option<Ctap2PublicKeyCredentialUserEntity>,
     pub credentials_count: Option<u32>,
     pub user_selected: Option<bool>,
-    pub large_blob_key: Option<Vec<u8>>,
     pub unsigned_extensions_output: Option<GetAssertionResponseUnsignedExtensions>,
     pub enterprise_attestation: Option<bool>,
     pub attestation_statement: Option<Ctap2AttestationStatement>,
@@ -815,7 +814,6 @@ mod tests {
             user: None,
             credentials_count: None,
             user_selected: None,
-            large_blob_key: None,
             unsigned_extensions_output: None,
             enterprise_attestation: None,
             attestation_statement: None,

libwebauthn/src/proto/ctap2/model/get_assertion.rs

@@ -493,7 +493,6 @@ impl Ctap2GetAssertionResponse {
             user: self.user,
             credentials_count: self.credentials_count,
             user_selected: self.user_selected,
-            large_blob_key: self.large_blob_key.map(ByteBuf::into_vec),
             unsigned_extensions_output,
             enterprise_attestation: self.enterprise_attestation,
             attestation_statement: self.attestation_statement,
@@ -680,9 +679,5 @@ mod tests {
             .expect("largeBlob extension output present");
 
         assert!(large_blob.blob.is_none());
-        assert_eq!(
-            assertion.large_blob_key.as_deref(),
-            Some(&device_returned_key[..])
-        );
     }
 }