Modernize login

[jrauh01]

This PR replaces the legacy Zend-based login form and authentication controller with their ipl equivalents, and extracts the login page view script markup into a reusable widget.

Convert LoginForm to CompatForm

LoginForm now extends CompatForm, replacing init()/createElements() with __construct()/assemble() and Zend decorator arrays with inline ipl decorator objects. The CsrfCounterMeasure and FormUid traits are added.

getRedirectUrl() is renamed to createRedirectUrl() to avoid overriding CompatForm::getRedirectUrl(), using hasBeenAssembled instead of $this->created and str_contains() instead of strpos(). onSuccess() is rewritten for the CompatForm lifecycle: void return, explicit setRedirectUrl() call, Icinga::app()->getResponse() instead of $this->getResponse(), and addMessage() instead of addError().

New LoginPage widget to replace view script

Extracts the login page structure (logo, footer, social links, decorative orbs) from login.phtml into a new LoginPage widget extending HtmlDocument, so the markup is defined in one place and no longer lives in a view script. Additional login buttons provided by LoginButtonHook are now grouped in a div.login-buttons flex container, rendered only when buttons are actually present.

Convert AuthenticationController to CompatController

AuthenticationController now extends CompatController, dropping login.phtml in favour of LoginPage and addContent(). The form is built with an ON_SUBMIT handler for the redirect and an ON_REQUEST handler delegating to LoginForm::onRequest(). Uses $this->getServerRequest() instead of ServerRequest::fromGlobals().

CSS / JS fixes

• login.less:
  • height: 100% -> 100vh on #login (now a grandchild of #layout via .content)
  • .login-buttons styled as a flex column with a row gap and top margin
  • per-li error styling, including spacing inside .login-buttons
  • .icinga-form width and control-group spacing
  • align-items: center on .remember-me-box
  • label margin-right reset for the disabled-state description
• history.js: #layout > #login -> #layout #login (direct-child selector broke with the new nesting)
• login-orbs.less: fixes long-standing typo #orb-notifactions -> #orb-notifications

resolve #5495

[Copilot]

Pull request overview

This PR modernizes the login flow by migrating the legacy Zend-based login view/controller/form to ipl/compat equivalents and consolidating the login page markup into a reusable widget, with related CSS/JS adjustments.

Changes:

• Replace the Zend LoginForm with an ipl CompatForm implementation and adapt login handling to the compat lifecycle.
• Replace the legacy login.phtml view script with a new LoginPage widget used by a CompatController-based AuthenticationController.
• Update login-related CSS/JS selectors and styles, including spacing for additional login buttons and a typo fix in orb IDs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
public/js/icinga/history.js	Adjusts the login selector used during onload redirect handling for the new nesting.
public/css/icinga/login.less	Updates layout and spacing for the new login markup and added login buttons container.
public/css/icinga/login-orbs.less	Fixes the orb ID typo to match the updated markup (orb-notifications).
library/Icinga/Web/Widget/LoginPage.php	Introduces a widget encapsulating the full login page structure (form, footer, social links, orbs).
application/views/scripts/authentication/login.phtml	Removes the legacy view script in favor of the widget-based rendering.
application/forms/Authentication/LoginForm.php	Migrates the login form to CompatForm, adds CSRF/UID, and updates success/error handling.
application/controllers/AuthenticationController.php	Migrates controller to CompatController and renders LoginPage instead of a view script.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lippserd]

Replace LoginButtonForm::ON_SUCCESS with ON_SUBMIT
(AuthenticationController.php:131)

ON_SUCCESS is a deprecated alias for ON_SUBMIT in ipl-html. It still
works, but it is inconsistent with how the main login form's event is wired
on the lines just above it.

---

Verify or remove the $this->controls = new HtmlDocument() workaround
(AuthenticationController.php:144-145)

The comment says this suppresses the tab bar, but setTitle() does not add
any tabs to the controls object. Controls::isEmpty() would therefore
already return true without this replacement. If runtime testing confirms
the tab bar does not appear without it, remove the assignment. If it is
needed, fix the PHPStan type violation (Controls property assigned a
HtmlDocument) and update the comment to name the framework path that
populates controls on the login page. The type mismatch is a new PHPStan
error not yet in the baseline.

---

Add an Errors decorator to the username element
(LoginForm.php, assemble())

The password and rememberme elements both include an Errors decorator
so their validation messages render. username has only RenderElement and
ControlGroup, so a server-side required-field error on that field is
silently discarded. HTML5 validation can be disabled by the browser or
bypassed entirely with curl or similar tools, which means the server must
handle and display validation errors for every field. Add an Errors
decorator to username to match the other fields.

---

Add rel="noopener noreferrer" to the social link anchors
(LoginPage.php, assembleSocialLinks())

Both the Facebook and GitHub links open in a new tab (target="_blank")
without this attribute. Without it, the opened page can access
window.opener and navigate the login page away (tabnabbing). Add
'rel' => 'noopener noreferrer' to the attributes of both anchors.

---

Add a summary line to the LoginPage constructor docblock
(LoginPage.php:49)

The constructor docblock contains only @param tags. The PHPDoc convention
requires a summary line as the first line; for constructors it reads
Create a new LoginPage.

---

Add docblocks to onSuccess() and onRequest()
(LoginForm.php:135,197)

Both methods are non-trivial override points with side effects: onSuccess()
calls setRerenderLayout() and sets the redirect URL; onRequest() detects
external-only authentication and surfaces a warning. Neither has a docblock.

---

Simplify the error margin shorthand
(login.less:59)

margin: 1em 0 1em 0; has identical top and bottom values and identical
left and right values. Write it as margin: 1em 0;.

[jrauh01]

@lippserd I have fully implemented your requested list. Additionally I rebased on main and changed the following:

LoginForm.php:

• REDIRECT_URL constant made public
• Summary line and @throws HttpBadRequestException explanation added to createRedirectUrl() docblock
• Docblock added to __construct()
• Superfluous inline comment before onError() call removed
• ControlGroup decorator arrays replaced with typed HtmlTagDecorator instances
• Unused Database trait removed
• Placeholder exception message 'nope' replaced with 'Redirect to an external host is not allowed'

AuthenticationController.php:

• $_ parameter in the ON_REQUEST callback typed as ServerRequestInterface

LoginPage.php:

• Constructor property promotion applied
• empty($loginButtons) check replaced with strict $loginButtons !== []

[jrauh01]

Rebased on main and squashed the commits. Ready to merge now.

[moreamazingnick]

@lippserd Do you have a releasedate for icingaweb2 2.14.0, I think this might brake my oidc implementation
Best Regards
Nicolas