Add logging and metrics for PAT scope enforcement in Dependency Proxy

Background

We are planning to enforce scope checking for personal access tokens (PATs) accessing the Dependency Proxy (requiring the read_registry and write_registry scopes). Before implementing this breaking change, we need data on the potential impact.

Proposal

Add monitoring capabilities to measure how many requests would be affected by PAT scope enforcement:

  1. Logging Enhancement:
    • Add logs to track authentication attempts where PATs lack the required scopes
    • Logs should only appear for tokens missing the read_registry or write_registry scopes
    • Include relevant metadata (e.g., group ID, request type) while respecting privacy
  2. Metrics Collection:
    • Implement counter metrics to track:
      • Total authentication attempts
      • Authentication attempts with insufficient scopes
    • Calculate the rejection rate percentage

Expected Outcomes

  • Quantitative data on the percentage of requests that would be rejected
  • Understanding of actual usage patterns
  • Informed decision-making for rollout strategy

Implementation Notes

  • Logs should be temporary and focused only on scope validation
  • Metric collection should be non-intrusive
  • Consider sampling if volume is high
  • See logging done for Container Registry here
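The following is an added illustration of the logging, counter and sampling behaviour described in the Proposal and Implementation Notes above; it is not code from the issue or from GitLab itself. The module name, the in-memory counters and the log array are assumptions standing in for whatever logger and metrics backend the real change would use, and it assumes (following the wording above) that both read_registry and write_registry are required.

```ruby
require 'json'

# Added example: a scope-check monitor modelled on the proposal above.
# DependencyProxyScopeMonitor, Monitor#record and the in-memory counters are
# assumptions for illustration, not GitLab's own classes or metrics.
module DependencyProxyScopeMonitor
  # Assumption: both scopes are required, following the issue wording.
  REQUIRED_SCOPES = %w[read_registry write_registry].freeze

  # Minimal stand-in for a personal access token: only the scopes matter here.
  Token = Struct.new(:id, :scopes)

  class Monitor
    attr_reader :total, :insufficient, :logs

    # sample_rate: fraction of insufficient-scope events to log (1.0 = all),
    # for the "consider sampling if volume is high" note.
    # rng is injectable so sampling is deterministic in tests.
    def initialize(sample_rate: 1.0, rng: Random.new)
      @total = 0          # counter: total authentication attempts
      @insufficient = 0   # counter: attempts with insufficient scopes
      @logs = []          # stand-in for structured log output
      @sample_rate = sample_rate
      @rng = rng
    end

    # Returns the required scopes the token is missing (empty when sufficient).
    def missing_scopes(token)
      REQUIRED_SCOPES - token.scopes.map(&:to_s)
    end

    # Records one authentication attempt. Returns true if the token carries the
    # required scopes, i.e. the request would be accepted once enforcement is on.
    def record(token, group_id:, request_type:)
      @total += 1
      missing = missing_scopes(token)
      return true if missing.empty?

      @insufficient += 1
      # Log only the would-be-rejected case, with request metadata but never the
      # token value itself; the accepted path stays silent.
      if @rng.rand < @sample_rate
        @logs << {
          message: 'dependency_proxy_pat_missing_scopes',
          group_id: group_id,
          request_type: request_type,
          missing_scopes: missing
        }.to_json
      end
      false
    end

    # Percentage of attempts that would be rejected, rounded to two decimals.
    def rejection_rate
      return 0.0 if @total.zero?

      (@insufficient * 100.0 / @total).round(2)
    end
  end
end

# Constructed sample traffic so the block runs stand-alone.
if __FILE__ == $PROGRAM_NAME
  monitor = DependencyProxyScopeMonitor::Monitor.new
  full = DependencyProxyScopeMonitor::Token.new(1, %w[read_registry write_registry])
  read_only = DependencyProxyScopeMonitor::Token.new(2, %w[read_registry])
  api_only = DependencyProxyScopeMonitor::Token.new(3, %w[api])

  monitor.record(full, group_id: 42, request_type: 'manifest')
  monitor.record(read_only, group_id: 42, request_type: 'blob')
  monitor.record(api_only, group_id: 7, request_type: 'manifest')

  puts monitor.logs
  puts "rejection rate: #{monitor.rejection_rate}%"
end
```

Because `record` returns the enforcement decision without acting on it, the same call can sit on the existing authentication path during the measurement phase and later become the actual rejection check, which keeps the temporary logging and the eventual enforcement from drifting apart.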

Related Issues

  • Parent issue: #426887 (Deprecation notice)
Edited by Radamanthus Batnag