Improper rack-attack discriminator for `authenticated_packages_api` with a deploy token

🔥 Problem

We currently have several rack-attack throttles configured. One of them is throttle_authenticated_packages_api. When this throttle is triggered, the discriminator is the user_id.

That user_id comes from https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/lib/gitlab/rack_attack/request.rb#L14 which in turn will use https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/lib/gitlab/auth/request_authenticator.rb#L32.

The problem is that this function doesn't read deploy token objects.

The discriminator will thus be nil = the throttle evluation will be aborted = all packages api with deploy token will not be throttled.

The same problem was discovered for the dependency proxy routes in !71532 (merged)

🚒 Solution

The straightforward solution would be to update #find_sessionless_user so that it returns deploy tokens. Unfortunately, that function is used in rack-attack throttles and here: https://gitlab.com/gitlab-org/gitlab/-/blob/542ca3dcfd56e9e5581af62ff16b939c895ae097/app/controllers/concerns/sessionless_authentication.rb. That concern is used in several rails controller.

Given that impacting several rails controller at once is not a great idea, we will need an alternative.

Introduce #find_sessionless_user_or_deploy_token which uses #find_sessionless_user and upgrade it with finders for deploy tokens. Once we have that, the discriminator could be the object type + id. For example: user.23 or deploy_token.23. Using only the id will not work as we can have clashes between user ids and deploy token ids.