GraphQL token authentication should skip session-based SSO enforcement

Problem

When SSO enforcement is enabled for a group, token authentication cannot be used to access that group's resources through the GraphQL endpoint. This prevents use of the API from scripts that run outside the browser.

Steps to reproduce

  1. Create a group and enable SSO enforcement
  2. Attempt a GraphQL query that accesses subresources of that group, using token authentication. For example with curl:
curl 'https://gitlab.com/api/graphql' --header "Authorization: Bearer $GRAPHQL_TOKEN" --header "Content-Type: application/json" -X POST -d "{\"query\": \"query {group(fullPath: \\\"sso-test\\\"){id}}\"}"

Actual result

{"data":{"group":null}}

Expected result

The same query should return the group. The expected response below can be observed by disabling SSO enforcement on the group:

{"data":{"group":{"id":"gid://gitlab/Group/57"}}}

Possible workarounds

Using cookie-based authentication with a browser session that has signed in through SAML is expected to work.

Possible fixes

We could bypass the enforcement check by adding skip_around_action :set_session_storage in GraphqlController. However, that would also bypass the check for cookie-based authentication, such as requests from the graphql-explorer, so we may want to make the skip conditional on the authentication type (skipping only for token-authenticated requests).
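The conditional skip described above, as an added example that is not GitLab's own code: a plain-Ruby model of the decision, with the names (Request, auth_type, sso_blocked?, resolve_group) being hypothetical stand-ins for the controller logic, and skip_for_tokens: false reproducing the reported behaviour.

```ruby
# Added example, not GitLab's own code. Request, auth_type, sso_blocked? and
# resolve_group are hypothetical stand-ins for the controller and resolver logic.
Request = Struct.new(:headers, :session, keyword_init: true)

# Classify how the GraphQL request authenticated: a Bearer token in the
# Authorization header, a browser session cookie (as graphql-explorer uses), or neither.
def auth_type(request)
  return :token if request.headers.fetch("Authorization", "").start_with?("Bearer ")
  return :session if request.session && request.session[:user_id]
  :none
end

# Decide whether SSO enforcement hides the group from this request.
# skip_for_tokens: false reproduces the reported behaviour (the session-based
# check runs for every request, so token requests are blocked); true is the
# proposed conditional bypass, where only cookie/session requests must have
# signed in through SAML for the group.
def sso_blocked?(request, group, skip_for_tokens: true)
  return false unless group[:sso_enforced]
  return false if skip_for_tokens && auth_type(request) == :token
  saml_groups = (request.session && request.session[:saml_groups]) || []
  !saml_groups.include?(group[:full_path])
end

# Mimics the group resolver: nil when blocked, otherwise the group payload.
def resolve_group(request, group, skip_for_tokens: true)
  return nil if sso_blocked?(request, group, skip_for_tokens: skip_for_tokens)
  { "id" => "gid://gitlab/Group/#{group[:id]}" }
end

# Constructed sample data matching the report: group sso-test with id 57.
SSO_GROUP = { id: 57, full_path: "sso-test", sso_enforced: true }.freeze
TOKEN_REQUEST = Request.new(headers: { "Authorization" => "Bearer example-token" }, session: nil)
SAML_SESSION_REQUEST = Request.new(headers: {}, session: { user_id: 1, saml_groups: ["sso-test"] })
PLAIN_SESSION_REQUEST = Request.new(headers: {}, session: { user_id: 1, saml_groups: [] })

if __FILE__ == $0
  p resolve_group(TOKEN_REQUEST, SSO_GROUP, skip_for_tokens: false) # reported: nil
  p resolve_group(TOKEN_REQUEST, SSO_GROUP)                          # fixed: group payload
  p resolve_group(PLAIN_SESSION_REQUEST, SSO_GROUP)                  # session without SAML: nil
end
```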

The fix should include tests covering both cases (token authentication bypassing the session check, and cookie-based authentication still being enforced), so this does not regress in the future.

Edited by Jeremy Watson (ex-GitLab)