Move user-specific ext.php into normal FreshRSS controller

`ext.php` should be limited to files not requiring login.
We need to move user-specific functionality to a normal controller to check that we are serving a file from the proper user.

Security regression from https://github.com/FreshRSS/FreshRSS/issues/3433
Partial fix https://github.com/FreshRSS/FreshRSS/pull/4928