Add AllowedApplicationOrigin environment variable for non url origins #127

Merged: 6 commits merged on Dec 6, 2023


RobHarveyDev
Contributor

@RobHarveyDev RobHarveyDev commented Nov 29, 2023

Issue #: N/A

Description of changes:
Adds a new environment variable and logic for handling origins that are not proper URLs (such as those used by Android apps).

The reason for this change is due to Android apps sending android:apk-key-hash:some_hash instead of a URL. Currently the origin passed by the client is converted to a URL object which will fail with non-URL origins. This behaviour is explained in the WebAuthn spec here:

A web application with a companion native application might allow origin to be an operating system dependent identifier for the native application. For example, such a Relying Party might require that origin exactly equals some element of the list ["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"].

This PR aims to avoid changing the current behaviour with allowedOrigins and adds this as an extra feature.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
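The check described in this PR, sketched as an added example (not the code merged in the PR and not the project's own implementation): web origins are validated as URLs, while non-URL application origins are accepted only on exact string equality with a separate allow list. `allowedOrigins` is the name used in the description; `webOrigin`, `isOriginAllowed`, `allowedApplicationOrigins` and the sample hash are hypothetical.

```javascript
// Added example: hypothetical helpers, constructed sample values.

// Return the serialized web origin, or undefined if the value is not http(s).
function webOrigin(value) {
  try {
    const url = new URL(value);
    // A non-special scheme such as "android:" still parses, but its
    // .origin is the string "null", so it must never go down the web path.
    if (url.protocol !== "https:" && url.protocol !== "http:") return undefined;
    return url.origin;
  } catch {
    return undefined; // not parseable as an absolute URL
  }
}

// origin: the origin field taken from the client data.
// allowedOrigins: web origins; allowedApplicationOrigins: native app identifiers.
function isOriginAllowed(origin, { allowedOrigins = [], allowedApplicationOrigins = [] }) {
  if (typeof origin !== "string" || origin.length === 0) return false;
  const normalised = webOrigin(origin);
  if (normalised !== undefined) {
    // Web origin: must already be in serialized form (no path, no default
    // port) and equal an allowed web origin.
    return normalised === origin &&
      allowedOrigins.some((allowed) => webOrigin(allowed) === normalised);
  }
  // Non-URL origin: exact, case-sensitive match only. No prefix or
  // substring comparison, and no fallback to the web allow list.
  return allowedApplicationOrigins.includes(origin);
}

// Constructed configuration: one web origin, one Android app identifier.
const config = {
  allowedOrigins: ["https://example.org"],
  allowedApplicationOrigins: ["android:apk-key-hash:CONSTRUCTED_SAMPLE_HASH"],
};

// Constructed inputs: two that must pass, four that must be rejected.
const samples = [
  "https://example.org",
  "android:apk-key-hash:CONSTRUCTED_SAMPLE_HASH",
  "https://example.org.other.test",
  "https://example.org/path",
  "android:apk-key-hash:CONSTRUCTED_SAMPLE_HASH_EXTRA",
  "null",
];
for (const s of samples) console.log(s, "=>", isOriginAllowed(s, config));
```

Keeping the two lists separate means a misconfigured application identifier can never match a browser origin, and the literal string "null" is rejected by both paths.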

@RobHarveyDev
Contributor Author

We have tested this by deploying the change to our own staging environment and adding a passkey from an Android device.

@ottokruse
Contributor

Thanks for this PR!
We are all just back from a very hectic re:Invent week, so bear with us please while we have a closer look.

@ottokruse
Contributor

Pushed a naming nitpick. Also removed the new URL(origin).origin and just did origin now, should also work and the former felt funny looking at it.

@ottokruse ottokruse merged commit 9e1641d into aws-samples:main Dec 6, 2023
@RobHarveyDev RobHarveyDev deleted the allow-application-origins branch December 6, 2023 11:50
@ottokruse
Contributor

Published to npm in v0.12.0
