Simplify authentication by retiring unnecessary methods

Description

GitLab has a range of authentication schemes:

  • Native username + password -> cookie
  • (many other things) -> cookie
  • OAuth applications
  • Personal access tokens
  • Static "private token" stored per-user

There's a lot of overlap between use cases for these mechanisms in the frontend and API.

Proposal

Of all these schemes, the private token is the least useful and most vulnerable. As far as I can tell, the only use case it has at the moment is access to RSS feeds, along with the POST /session endpoint in the API.

I propose we introduce an automatic "issue a token" flow for RSS (we could even have one token per RSS feed), convert /session to something else, then retire private tokens entirely. This could be done in a backward-compatible way, or we could make it part of 9.0 for a clean break.

I don't understand the need to have separate "OAuth tokens" and "personal access tokens". If we could merge those two as well, that'd be great.

/cc @DouweM

Links / references

gitlab-ce#583
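As an added example that is not part of this issue and not GitLab's own code, the following Ruby sketch shows what the proposed "one token per RSS feed" flow could look like in contrast to a static per-user private token: every token is scoped to exactly one feed path, only its SHA-256 digest is persisted, and a token can be revoked individually or for a whole user. The class name, the feed path format, and the user ids are assumptions chosen for the illustration.

```ruby
require 'securerandom'
require 'digest'

# Added example (not GitLab code): per-feed tokens for RSS/Atom access.
# Unlike a single static "private token", a leaked feed token only grants
# read access to the one feed it was issued for, and only its digest is
# stored, so a database dump does not disclose usable tokens.
class FeedTokenStore
  Record = Struct.new(:user_id, :feed_path, :revoked)

  def initialize
    @records = {} # SHA-256 hex digest of the token => Record
  end

  # Issue a fresh token bound to (user_id, feed_path). The plaintext is
  # returned exactly once and is never kept server-side.
  def issue(user_id, feed_path)
    token = "feed-#{SecureRandom.urlsafe_base64(24)}"
    @records[digest_of(token)] = Record.new(user_id, feed_path, false)
    token
  end

  # Authorize a feed request: returns the user_id when the token is live and
  # was issued for this exact feed path, nil otherwise. Looking the token up
  # by digest avoids a byte-by-byte comparison of the secret itself.
  def authorize(token, feed_path)
    return nil if token.nil? || token.empty?
    rec = @records[digest_of(token)]
    return nil if rec.nil? || rec.revoked
    return nil unless rec.feed_path == feed_path
    rec.user_id
  end

  # Revoke a single token (e.g. the user deletes one feed subscription).
  def revoke(token)
    rec = @records[digest_of(token)]
    return false if rec.nil?
    rec.revoked = true
    true
  end

  # Revoke every feed token of a user (e.g. on password change). Returns the
  # number of tokens that were live before the call.
  def revoke_all_for(user_id)
    live = @records.values.select { |r| r.user_id == user_id && !r.revoked }
    live.each { |r| r.revoked = true }
    live.size
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Stand-alone demo with constructed data
if __FILE__ == $PROGRAM_NAME
  store = FeedTokenStore.new
  t = store.issue(42, '/group/project/-/issues.atom')
  p store.authorize(t, '/group/project/-/issues.atom') # 42
  p store.authorize(t, '/dashboard/issues.atom')       # nil: wrong feed
  store.revoke(t)
  p store.authorize(t, '/group/project/-/issues.atom') # nil: revoked
end
```

The scoping check is the point: with a per-user private token, any feed URL carrying it reads as the user everywhere, whereas here `authorize` refuses a token presented against a feed other than the one it was issued for, and `revoke_all_for` gives the server a cheap way to invalidate every outstanding feed token without touching the user's other credentials.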

Edited Jul 20, 2020 by Drew Blessing