Consider validating length of credential_id

Credential ID's coming in `exclude_credentials` and `allow_credentials` have a limit in the webauthn standard of [1023](https://w3c.github.io/webauthn/#credential-id) bytes long. We should consider strictly validating the length of those fields. 