V14/fix/cookie breaking installer (#16993)

* Do not run authentication if Umbraco is not ready for it. Fail instead.

* Fix breaking change

* Spelling + code style :)

---------

Co-authored-by: kjac <kja@umbraco.dk>

src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeDefaultController.cs

@@ -1,19 +1,37 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.DependencyInjection;
+using Umbraco.Cms.Core.Services;
 using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Security;
 
 public class BackOfficeDefaultController : Controller
 {
+    private readonly IRuntime _umbracoRuntime;
+
+    [ActivatorUtilitiesConstructor]
+    public BackOfficeDefaultController(IRuntime umbracoRuntime)
+        => _umbracoRuntime = umbracoRuntime;
+
+    [Obsolete("Use the non obsoleted constructor instead. Scheduled to be removed in v17")]
+    public BackOfficeDefaultController()
+        : this(StaticServiceProvider.Instance.GetRequiredService<IRuntime>())
+    {
+    }
+
     [HttpGet]
     [AllowAnonymous]
     public async Task<IActionResult> Index(CancellationToken cancellationToken)
     {
         // force authentication to occur since this is not an authorized endpoint
-        AuthenticateResult result = await this.AuthenticateBackOfficeAsync();
+        // a user can not be authenticated if no users have been created yet, or the user repository is unavailable
+        AuthenticateResult result = _umbracoRuntime.State.Level < RuntimeLevel.Upgrade
+            ? AuthenticateResult.Fail("RuntimeLevel " + _umbracoRuntime.State.Level + " does not support authentication")
+            : await this.AuthenticateBackOfficeAsync();
 
         // if we are not authenticated then we need to redirect to the login page
         if (!result.Succeeded)