Check permission to read a package when returning packages from multiple projects

🔥 Context

In !111775 (merged) we added the changes to look for the package in multiple projects that have the same root namespace.

There is a security concern because we only check the :read_package permission for one project, the one that holds the package's latest version: https://gitlab.com/gitlab-org/gitlab/-/blob/c18627af6abc0952f5fd99822d7457a5d357b8b6/lib/api/concerns/packages/npm_endpoints.rb#L196, while potentially returning packages from multiple projects.

🚒 Solution

Luckily the changes are still behind the feature flag that's not rolled out at this moment.

We need to return only packages from those projects that the user has :read_package permission for.

Additionally we have to check the number of authorized packages (packages whose project the user has :read_package permission on). If packages were found, but none of them is authorized, raise 403.
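As an added illustration of the two behaviours described above (this is not GitLab's code; the `Package` struct, the `PERMISSIONS` table standing in for `Ability.allowed?`, and the function names are assumptions), the following Ruby contrasts the weak check, which authorizes only the project owning the latest version and then returns every package, with the corrected per-project filter that raises 403 only when packages exist but none is readable:

```ruby
require 'rubygems' # for Gem::Version comparison of npm-style version strings

# Added example, not GitLab's own code. Models the check from the issue:
# packages found across several projects in one root namespace must be
# filtered by the user's :read_package permission on each package's project.

Package = Struct.new(:name, :version, :project_id, keyword_init: true)

class ForbiddenError < StandardError; end

# Hypothetical permission source: user id -> project ids on which the user
# holds :read_package. A constructed stand-in for GitLab's Ability.allowed?.
PERMISSIONS = {
  'alice' => [1, 2].freeze,
  'bob'   => [3].freeze,
  'carol' => [].freeze
}.freeze

def can_read_package?(user, project_id)
  PERMISSIONS.fetch(user, []).include?(project_id)
end

# The weak check the issue describes: only the project owning the newest
# version is authorized, yet every package (from every project) is returned.
def packages_checking_latest_only(user, packages)
  return [] if packages.empty?

  latest = packages.max_by { |p| Gem::Version.new(p.version) }
  raise ForbiddenError, '403 Forbidden' unless can_read_package?(user, latest.project_id)

  packages
end

# The corrected behaviour: keep only packages whose project the user may read,
# and respond 403 only when packages were found but none survives the filter
# (an empty result for a name that exists nowhere is not a permission failure).
def authorized_packages(user, packages)
  authorized = packages.select { |p| can_read_package?(user, p.project_id) }
  raise ForbiddenError, '403 Forbidden' if packages.any? && authorized.empty?

  authorized
end

# Constructed sample: one package name published from three projects that
# share a root namespace; the newest version lives in project 3.
SAMPLE_PACKAGES = [
  Package.new(name: '@acme/lib', version: '1.0.0', project_id: 1),
  Package.new(name: '@acme/lib', version: '1.1.0', project_id: 2),
  Package.new(name: '@acme/lib', version: '2.0.0', project_id: 3)
].freeze

if $PROGRAM_NAME == __FILE__
  # bob may read only project 3, yet the weak check hands him all three packages
  puts "weak check for bob: #{packages_checking_latest_only('bob', SAMPLE_PACKAGES).size} packages"
  puts "filtered for bob:   #{authorized_packages('bob', SAMPLE_PACKAGES).map(&:project_id).inspect}"
  begin
    authorized_packages('carol', SAMPLE_PACKAGES)
  rescue ForbiddenError => e
    puts "carol: #{e.message}"
  end
end
```

The sample makes the leak concrete: `bob` can read project 3 only, which owns the latest version, so the single-project check passes and versions from projects 1 and 2 are disclosed to him; the per-project filter returns just the project 3 package. `carol` has no permission on any of the three projects, so the filter yields nothing and the endpoint answers 403, while an empty input (no packages found at all) still returns an empty list rather than 403.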

Edited by Dzmitry (Dima) Meshcharakou