Make warden available across entire application

This will be required to use warden for our SCIM endpoints as well,
which are implemented in rails controllers. Since Rails controllers do
not support mounting rack middlewares partially (the way that e.g. Grape does),
the mounting of warden needed to be moved.

This was not super straight-forward, because of load order issues:

* Requiring a Rails middleware must be done before initialization finished
* Our warden config was so far done _after_ initialization
* static_routes were defined in lib, which is automatically reloaded,
  but auto-reloading code is not allowed during initialization
    * lib_static which is autoloaded_once is fine during init,
      this is also where the rest of warden authentication is defined

Additionally warden was configured to not handle HTTP 401 responses generated
by the upstream app itself. Warden will only be responsible for its own authentication
failures and it's still possible to invoke the warden failure app by throwing the :warden
symbol, but the application keeps its capability of responding with custom 401 responses.

Author: NobodysNightmare

config/initializers/warden.rb

@@ -1,27 +1,31 @@
-Rails.application.config.after_initialize do
-  namespace = OpenProject::Authentication::Strategies::Warden
+# frozen_string_literal: true
 
-  strategies = [
-    [:basic_auth_failure, namespace::BasicAuthFailure,  "Basic"],
-    [:global_basic_auth,  namespace::GlobalBasicAuth,   "Basic"],
-    [:user_basic_auth,    namespace::UserBasicAuth,     "Basic"],
-    [:oauth,              namespace::DoorkeeperOAuth,   "Bearer"],
-    [:anonymous_fallback, namespace::AnonymousFallback, "Basic"],
-    [:jwt_oidc,           namespace::JwtOidc,           "Bearer"],
-    [:session,            namespace::Session,           "Session"]
-  ]
+namespace = OpenProject::Authentication::Strategies::Warden
 
-  strategies.each do |name, clazz, auth_scheme|
-    OpenProject::Authentication.add_strategy(name, clazz, auth_scheme)
-  end
+strategies = [
+  [:basic_auth_failure, namespace::BasicAuthFailure,  "Basic"],
+  [:global_basic_auth,  namespace::GlobalBasicAuth,   "Basic"],
+  [:user_basic_auth,    namespace::UserBasicAuth,     "Basic"],
+  [:oauth,              namespace::DoorkeeperOAuth,   "Bearer"],
+  [:anonymous_fallback, namespace::AnonymousFallback, "Basic"],
+  [:jwt_oidc,           namespace::JwtOidc,           "Bearer"],
+  [:session,            namespace::Session,           "Session"]
+]
 
-  OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::API_V3, { store: false }) do |_|
-    %i[global_basic_auth
-       user_basic_auth
-       basic_auth_failure
-       oauth
-       jwt_oidc
-       session
-       anonymous_fallback]
-  end
+strategies.each do |name, clazz, auth_scheme|
+  OpenProject::Authentication.add_strategy(name, clazz, auth_scheme)
+end
+
+OpenProject::Authentication.update_strategies(OpenProject::Authentication::Scope::API_V3, { store: false }) do |_|
+  %i[global_basic_auth
+     user_basic_auth
+     basic_auth_failure
+     oauth
+     jwt_oidc
+     session
+     anonymous_fallback]
+end
+
+Rails.application.configure do |app|
+  app.config.middleware.use OpenProject::Authentication::Manager, intercept_401: false
 end

lib/api/root_api.rb

@@ -44,8 +44,6 @@ class RootAPI < Grape::API
 
     content_type :json, "application/json; charset=utf-8"
 
-    use OpenProject::Authentication::Manager
-
     helpers API::Caching::Helpers
     module Helpers
       include ::API::Helpers::RaiseQueryErrors

lib/open_project/static_routing.rb renamed to lib_static/open_project/static_routing.rb

@@ -213,7 +213,7 @@ class Engine < ::Rails::Engine
       Mime::Type.register "application/octet-stream", :bcfzip unless Mime::Type.lookup_by_extension(:bcfzip)
     end
 
-    config.to_prepare do
+    config.before_initialize do
       Doorkeeper.configuration.scopes.add(:bcf_v2_1)
 
       unless defined? OpenProject::Authentication::Scope::BCF_V2_1