Commit 45352a48 authored by Christian Kuhn

[TASK] Avoid backend.user request attribute

The user authentication classes are still pretty messy.
A subset of properties and information of backend user
state is initialized by middlewares and set as aspect
to the context object.

However, we do not want to add the entire backend user
as $request attribute object, to not surface another usage
of this object. Instead, it is set as $GLOBALS['BE_USER']
throughout the core, which will eventually vanish at
some point, by being substituted by something better.

ext:reactions currently violates this. The patch sets
$GLOBALS['BE_USER'], consuming reactions should retrieve
it from there if needed, just like any other backend
related class does it currently.

FormProtectionFactory had a similar flaw, it accessed
the attribute even though no middleware ever set this.

Finally, .phpstorm.meta.php is cleaned up, to not
declare this request attribute any longer.

Change-Id: Iae4c48a1ccc41f7aeebdf753f9cae6515bb5f9e5
Resolves: #99751
Releases: main
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77638


Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
parent f8df7f63