Oliver Hader authored
A CSRF-like request-token handling has been introduced, to mitigate potential cross-site requests on actions with side-effects. This approach does not require an existing server-side user session, but uses a nonce (number used once) as a "pre-session". The main scope is to ensure a user actually has visited a page, before submitting data to the web server.

Introduces package https://packagist.org/packages/firebase/php-jwt

> composer req firebase/php-jwt

Besides that, AbstractUserAuthentication has been changed to require this introduced request-token, to mitigate Login CSRF attacks. The security enhancement potentially breaks custom login templates and application handlers - this is why it is introduced and enforced for TYPO3 v12.0.

Resolves: #97305
Releases: main
Change-Id: I74d9e1890017aae4a00999f549ea04716d68f721
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74183
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
9cb30fb9
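The commit message above describes the mechanism only in outline: a nonce handed out as a "pre-session" when the page is rendered, and a signed request token that proves the visit before a side-effecting action is accepted, without needing a server-side user session. The following is an added illustration of that pattern, written for this page; it is not TYPO3's implementation and does not use firebase/php-jwt. It builds a compact HS256 JWT with the Python standard library so the example runs offline. Everything in it is constructed: the `SERVER_KEY` value, the scope names (`demo/login`, `demo/admin`), the 900-second lifetime, the choice to store a SHA-256 hash of the nonce in the token rather than the nonce itself, and the function names.

```python
"""Nonce-bound request token ("pre-session" CSRF token), constructed demo.

Flow: when the form page is rendered, the server sets a random nonce in a
cookie and embeds a signed token in the form. On submit, the token must
verify with the server key AND be bound to the nonce the browser actually
sent. A cross-site page cannot read the victim's nonce cookie, so a token the
attacker obtained for their own browser does not verify against it.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption for the demo: a server-side secret that never leaves the server.
SERVER_KEY = b"constructed-demo-signing-key-change-me"
TOKEN_TTL_SECONDS = 900  # constructed lifetime; keep it short


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _nonce_binding(nonce: str) -> str:
    # The token carries only a hash of the nonce, so a leaked token does not
    # by itself reveal the cookie value it is bound to.
    return hashlib.sha256(nonce.encode()).hexdigest()


def issue_request_token(scope: str, key: bytes = SERVER_KEY,
                        ttl: int = TOKEN_TTL_SECONDS, now: Optional[int] = None) -> Tuple[str, str]:
    """Server side, when the page with the form is rendered.

    Returns (nonce, token): the nonce goes into a cookie (the pre-session),
    the token into a hidden form field. No user session is required.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(32)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"scope": scope, "nonce_hash": _nonce_binding(nonce), "iat": now, "exp": now + ttl}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(claims))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return nonce, signing_input + "." + _b64url(signature)


def verify_request_token(token: str, nonce_cookie: Optional[str], expected_scope: str,
                         key: bytes = SERVER_KEY, now: Optional[int] = None) -> bool:
    """Server side, when the form is submitted. Any failure rejects the request."""
    if not nonce_cookie:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    # Pin the algorithm server-side; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return False
    if claims.get("scope") != expected_scope:
        return False
    nonce_hash = claims.get("nonce_hash")
    if not isinstance(nonce_hash, str):
        return False
    # Bind the token to the nonce the browser actually sent as a cookie.
    return hmac.compare_digest(nonce_hash, _nonce_binding(nonce_cookie))


def demo(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Constructed scenarios; each value is the verifier's decision for that request."""
    victim_nonce, victim_token = issue_request_token("demo/login", now=now)
    _attacker_nonce, attacker_token = issue_request_token("demo/login", now=now)
    # Tampering: re-encode the victim's claims with a different scope, keep the signature.
    h, c, s = victim_token.split(".")
    forged_claims = json.loads(_b64url_decode(c))
    forged_claims["scope"] = "demo/admin"
    forged_token = h + "." + _b64url(_compact_json(forged_claims)) + "." + s
    return {
        "legitimate submit": verify_request_token(victim_token, victim_nonce, "demo/login", now=now),
        # Cross-site post: the victim's browser sends the victim's cookie, but the
        # attacker could only embed a token bound to the attacker's own nonce.
        "cross-site submit": verify_request_token(attacker_token, victim_nonce, "demo/login", now=now),
        "no pre-session cookie": verify_request_token(victim_token, None, "demo/login", now=now),
        "wrong scope": verify_request_token(victim_token, victim_nonce, "demo/other", now=now),
        "expired token": verify_request_token(victim_token, victim_nonce, "demo/login", now=now + TOKEN_TTL_SECONDS + 1),
        "tampered claims": verify_request_token(forged_token, victim_nonce, "demo/admin", now=now),
        "garbage token": verify_request_token("not.a.jwt", victim_nonce, "demo/login", now=now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} -> {'accepted' if accepted else 'rejected'}")
```

Only the first scenario is accepted. The scope claim is what lets one mechanism protect several different actions (such as a login form versus another side-effecting form) without a token for one being replayable against another, and the short expiry bounds how long a captured token stays useful.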