[BUGFIX] Add safeguard in case normalizedParams are missing

With #100885 the availability of the normalizedParams request attribute
became a requirement for user sessions initialized with a custom PSR-7
request. Extensions like EXT:container relied on the fact that a plain
request object could be passed to `Bootstrap::initializeBackendUser()`.

This will be fixed in EXT:container[1] but in case other extensions
relied on this as well, a fallback is now provided.

[1] b13/container#461

Resolves: #102520
Related: #100885
Releases: main, 12.4
Change-Id: Idbf5a6b3d72ecab4a9943d7bb2febf41fa4b6635
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81969
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>

Classes/Session/UserSessionManager.php

@@ -23,6 +23,7 @@
 use TYPO3\CMS\Core\Authentication\IpLocker;
 use TYPO3\CMS\Core\Crypto\Random;
 use TYPO3\CMS\Core\Http\CookieScopeTrait;
+use TYPO3\CMS\Core\Http\NormalizedParams;
 use TYPO3\CMS\Core\Session\Backend\Exception\SessionNotFoundException;
 use TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
@@ -95,7 +96,7 @@ public function createFromRequestOrAnonymous(ServerRequestInterface $request, st
     {
         try {
             $cookieValue = (string)($request->getCookieParams()[$cookieName] ?? '');
-            $scope = $this->getCookieScope($request->getAttribute('normalizedParams'));
+            $scope = $this->getCookieScope($request->getAttribute('normalizedParams') ?? NormalizedParams::createFromRequest($request));
             $sessionId = UserSession::resolveIdentifierFromJwt($cookieValue, $scope);
         } catch (\Exception $exception) {
             $this->logger->debug('Could not resolve session identifier from JWT', ['exception' => $exception]);