Correctly handle denied access in the firewall

[aschempp]

This now fixes and improves a lot of things 🙈

1. Fixes the authentication system to correctly render the Contao login page even if the current route is not a Contao page (e.g. a custom controller)
2. Fixes the ContaoLoginAuthenticator from rendering the wrong page for login (if the user is not fully authenticated).
3. Fixes the remember me authentication system (see Drop the custom "remember me" implementation #6815)
4. Adds an AccessDeniedHandler to render the 403 page via the firewall exception handler
5. Correctly enforces fully authentication for changing personal data, changing the user password and configuring two-factor authentication
6. Removes the ExceptionConverter and PrettyErrorScreen from rendering 401 and 403 pages, because these are rendered by the firewall

There are two "behaviour changes" I can think of

• obviously the fully-authentication works and is now enforces as described in point 4
• If no 401 or 403 pages are configured in root page, we now render the generic error (through the pretty error screen listener) instead of the generic Symfony 401/403 message. Since we are in Contao frontend scope, I think that should be fine.

TODO:

• Needs a migration for existing RememberMe tokens (the migration tool cannot migrate binary data to string value because the binary data is null-padded and therefore longer than the new string field).

[Toflar]

Sure needs some manual testing which I currently don't have the time for but from a logical standpoint, the code looks good to me.

[leofeyer]

The code works fine, however, on the 401 page, I can log in as a different user now. Shouldn‘t we remove the username field in this case?

[aschempp]

You are right. Username field removed in 9dc8d9e

I also manually tested the two-factor authentication, which was bumpy even for the regular login 🙈

[leofeyer]

Thank you @aschempp.