[Bug] Refreshing feeds with Online Cron broken when using Form Authentication token #8369
Closed
Description
Describe the bug
After updating from 1.27.1 to 1.28.0 I can no longer auto-refresh using the process described in the documentation section User documentation > Refreshing feeds > Online cron.
To Reproduce
- Deploy FreshRSS 1.27.1.
- Setup "Online Cron" auto-refresh for feeds using "Master authentication token" for the test user with "Web Form authentication" as the authentication method.
- Visit the Online Cron URL using a Private Mode tab or browser that is NOT logged into the FreshRSS instance and verify you get the "OK" output.
- Update the FreshRSS deployment to 1.28.0.
- Repeat the test in step 3 and note you get the FreshRSS 403 Forbidden page, requesting you log in to proceed. PS: If the test is performed in a session that is already logged in to the FreshRSS instance the test will pass with "OK" output, but obviously the entire point of the Online Cron URL is to authenticate with the `user` and `token` parameters, not an existing cookie.
- Revert the FreshRSS deployment to 1.27.1 and repeat the step 3 test. Note it now works again.
I've been using a request URL that looks as follows, which worked with 1.27.1 and earlier but stopped working after the 1.28.0 update:
https://freshrss.example.tld/i/?c=feed&a=actualize&ajax=1&user=Alice&token=SuperSecretToken
SuperSecretToken matches the "Master authentication token" for user Alice. Trying a simplified test token also fails.
Expected behavior
Version 1.28.0 should accept the `user` and `token` parameters as valid authentication to run the actualize feeds command when configuring Online Cron with Web Form authentication.
FreshRSS version
1.28.0
System information
Server:
- OS: FreeBSD 14.3
- Database version: MariaDB 10.11.14 mysqlnd 8.4.10
- PHP version: 8.4.10
- Installation type: zip file deployed to shared hosting provider webspace
- Web server type: Apache/2.4.63 (FreeBSD) mpm-itk/2.4.7-04
Clients:
- OS: Fedora Workstation 43
- Browser: Firefox 146.0
Additional context
There are two workarounds for affected users, but neither is ideal:
- Downgrade FreshRSS to 1.27.1 until the bug is resolved.
- Enable "Allow anonymous refresh of the articles" in FreshRSS Authentication settings. PS: This allows ANYONE that visits https://freshrss.example.tld/i/?c=feed&a=actualize&ajax=1 to trigger a feed refresh event without any further authentication, which may not be desirable for your deployment. On the bright side, the `user` and `token` parameters can remain configured in your online cron request URL as they'll just be ignored with this option enabled, making it easy to revert this change once a fix is found/released: simply deploy the fix and uncheck this box.
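A post-upgrade check script, as an added example that is not part of this issue or of FreshRSS itself: it requests the Online Cron URL in the shape the reporter gives, with no session cookie (what a private-mode tab does), and classifies the answer so an operator can confirm whether the `user`/`token` parameters are still honoured after an update, and whether the "Allow anonymous refresh" workaround has left the refresh endpoint answering "OK" to callers that send no credentials at all. The URL shape and the expected "OK" body come from the issue; the function names, the `Response` type and the fake fetchers are assumptions of this example.

```python
"""Added example (not FreshRSS project code): verify Online Cron token auth.

Sends cookie-free GET requests to the actualize URL and reports:
  token_auth_works  - user/token alone yield "OK" (the 1.27.1 behaviour)
  regression_403    - the valid token gets a 403 (this issue's symptom)
  anonymous_refresh - a request with no user/token yields "OK", i.e. the
                      "Allow anonymous refresh" workaround is in effect
"""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    body: str


# A fetcher maps a URL to a Response. http_fetch uses the network; tests
# substitute a fake so the classification logic runs without a server.
Fetcher = Callable[[str], Response]


def build_cron_url(base: str, user: Optional[str] = None, token: Optional[str] = None) -> str:
    """Build i/?c=feed&a=actualize&ajax=1[&user=..&token=..], as in the issue."""
    params = {"c": "feed", "a": "actualize", "ajax": "1"}
    if user is not None and token is not None:
        params["user"] = user
        params["token"] = token
    return f"{base.rstrip('/')}/i/?{urllib.parse.urlencode(params)}"


def http_fetch(url: str) -> Response:
    """Plain GET with no Cookie header, so only the query string can authenticate it."""
    req = urllib.request.Request(url, headers={"User-Agent": "freshrss-cron-check"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # FreshRSS answers the failing case with its 403 page; keep status and body.
        return Response(err.code, err.read().decode("utf-8", "replace"))


def classify(resp: Response) -> str:
    """Map a response to one of: ok, forbidden, unexpected."""
    if resp.status == 200 and resp.body.strip() == "OK":
        return "ok"
    if resp.status == 403:
        return "forbidden"
    return "unexpected"


def check_online_cron(base: str, user: str, token: str, fetch: Fetcher = http_fetch) -> dict:
    """Probe the deployment once with credentials and once without."""
    with_token = classify(fetch(build_cron_url(base, user, token)))
    without_token = classify(fetch(build_cron_url(base)))
    return {
        "token_auth_works": with_token == "ok",
        "regression_403": with_token == "forbidden",
        "anonymous_refresh": without_token == "ok",
    }


if __name__ == "__main__":
    import sys

    # Usage: python cron_check.py https://freshrss.example.tld Alice SuperSecretToken
    base_url, cron_user, cron_token = sys.argv[1:4]
    for key, value in check_online_cron(base_url, cron_user, cron_token).items():
        print(f"{key}: {value}")
```

Run it against your own instance right after an upgrade: `token_auth_works: True` with `anonymous_refresh: False` is the intended configuration; `regression_403: True` is the behaviour this issue describes; `anonymous_refresh: True` means the workaround is active and the endpoint accepts refresh requests from anyone who knows the URL, which is worth remembering to undo once a fixed release is deployed.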