Conversation

@lmuntaner lmuntaner commented Sep 5, 2025

Motivation

We are seeing problems when users log in to 1.0 after upgrading their identity.

Context:

  • During the upgrade, a new passkey is created in id.ai.
  • During 1.0 authentication, II needs to choose an RP ID to fetch the credentials. It uses the RP of the last used passkey.
  • This means that the new passkey created during the upgrade will be used to authenticate in 1.0. This was initially considered a feature, not a bug.

The problem comes when users don't know where passkeys are stored. Therefore, the passkey that they use to authenticate in 1.0 is not in the same place where they upgraded, which triggers a new UX for the user that confuses them because they were used to a different UX.

For example, we saw a user that had the passkey in 1.0 in iCloud. They were used to authenticating with the fingerprint right after clicking the identity number in 1.0. However, during the upgrade, their passkey was created in their Google Password Manager. The next time they went to authenticate in 1.0, the WebAuthn browser modal showed a modal to choose that passkey, instead of requesting the fingerprint immediately. That confused the user.

We have seen other similar reports in the forum of users having problems after upgrading.

Changes

This pull request updates the logic for ordering WebAuthn flows in findWebAuthnFlows to ensure that devices registered on "new flow" origins are moved to the end of the list, while preserving their relative order. It also adds corresponding tests to verify this behavior.

  • The findWebAuthnFlows function now sorts devices so those registered on origins listed in canisterConfig.new_flow_origins are placed at the end, preserving the relative order within each group. This is implemented using a custom sort function.
  • Duplicates in the RP IDs list are removed after sorting with reduce instead of relying on Set, maintaining the order.

Tests

  • A new test verifies that RP IDs from new_flow_origins are pushed to the end of the flows, maintaining the relative order of devices.
  • Mocks for canisterConfig are added in the test setup to simulate the presence of new_flow_origins.
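The ordering described above, as an added example in TypeScript that is not the PR's own code: it assumes a device record with an optional `origin` string, that the RP ID is the hostname of the device's origin, and a constructed placeholder default origin for devices registered without one.

```typescript
// Added example, not the project's code. Record shapes and the origin-to-RP-ID
// mapping are assumptions; LEGACY_DEFAULT_ORIGIN is a constructed placeholder.
type DeviceData = { alias: string; origin?: string };
type CanisterConfig = { new_flow_origins?: string[] };

const LEGACY_DEFAULT_ORIGIN = "https://identity.example";

function rpIdFromOrigin(origin: string): string {
  return new URL(origin).hostname;
}

// Stable partition: devices registered on a "new flow" origin go last, and the
// relative order inside each group is preserved. Array.prototype.sort is stable
// in modern engines, but the explicit index tiebreak makes that independent of
// the runtime.
function orderDevices(devices: DeviceData[], config: CanisterConfig): DeviceData[] {
  const newFlow = new Set(config.new_flow_origins ?? []);
  const isNewFlow = (d: DeviceData) => newFlow.has(d.origin ?? LEGACY_DEFAULT_ORIGIN);
  return devices
    .map((device, index) => ({ device, index }))
    .sort((a, b) => {
      const diff = Number(isNewFlow(a.device)) - Number(isNewFlow(b.device));
      return diff !== 0 ? diff : a.index - b.index;
    })
    .map(({ device }) => device);
}

// RP ID candidates in the order they should be tried. Duplicates are removed
// with reduce so the first occurrence keeps its position (a Set would too, but
// the reduce makes the order guarantee explicit).
function findRpIds(devices: DeviceData[], config: CanisterConfig): string[] {
  return orderDevices(devices, config)
    .map((d) => rpIdFromOrigin(d.origin ?? LEGACY_DEFAULT_ORIGIN))
    .reduce<string[]>((acc, rpId) => (acc.includes(rpId) ? acc : [...acc, rpId]), []);
}

// Constructed sample: the passkey created during the upgrade on id.ai was used
// most recently, so it sits first in the "last used" order, ahead of the old one.
const SAMPLE_DEVICES: DeviceData[] = [
  { alias: "upgrade passkey", origin: "https://id.ai" },
  { alias: "old passkey", origin: LEGACY_DEFAULT_ORIGIN },
  { alias: "second new", origin: "https://id.ai" },
];
const SAMPLE_CONFIG: CanisterConfig = { new_flow_origins: ["https://id.ai"] };
```

With the sample input the old passkey's RP ID is tried first, so the user keeps the prompt they are used to; with an empty `new_flow_origins` the original order is untouched.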

@lmuntaner lmuntaner requested a review from Copilot September 10, 2025 08:15
@Copilot Copilot AI left a comment

Pull Request Overview

This PR modifies WebAuthn flow ordering to improve the 1.0 authentication experience after identity upgrades by ensuring that credentials from "new flow" origins (like id.ai) are prioritized last when determining which RP ID to use for authentication.

  • Updates findWebAuthnFlows function to sort devices so those registered on new flow origins are moved to the end
  • Replaces Set-based duplicate removal with reduce method to maintain order
  • Adds comprehensive tests to verify the new ordering behavior

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File | Description
src/frontend/src/lib/utils/findWebAuthnFlows.ts | Implements custom sorting logic to push new flow origin devices to the end and replaces the duplicate removal method
src/frontend/src/lib/utils/findWebAuthnFlows.test.ts | Adds a test case and mock configuration to verify that new flow origins are ordered last
src/frontend/src/lib/utils/iiConnection.test.ts | Adds a test case and mock configuration to verify login behavior with new flow origins

@lmuntaner lmuntaner force-pushed the lm-sort-credentials-before-finding-rpid branch from af5c909 to 80d9dd1 Compare September 10, 2025 11:35
@lmuntaner lmuntaner marked this pull request as ready for review September 10, 2025 12:49
@aterga aterga enabled auto-merge September 18, 2025 10:38
@aterga aterga added this pull request to the merge queue Sep 18, 2025
Merged via the queue into main with commit 965ef04 Sep 18, 2025
76 checks passed
@aterga aterga deleted the lm-sort-credentials-before-finding-rpid branch September 18, 2025 11:03