Add Demonstrating Proof of Possession (DPoP) for Personal Access Tokens

What does this MR do and why?

This MR initiates the implementation of sender-constrained access tokens designed to minimise the risk of token leaks. I am putting this feature behind a feature flag.

Related to Sender constraining personal access tokens (#425130).

How to set up and validate locally

Currently this feature works only for RSA keys. Support for other algorithms will be added later.

For frontend:

1. Checkout this branch locally.
2. Run bin/rails db:migrate
3. In rails console, enable the feature flag: Feature.enable(:dpop_authentication, User.first)
4. Login as root.
5. Go to Settings > Access tokens > Toggle the DPoP option.
6. Confirm it persists in the database User.first.dpop_enabled and also on the frontend on refreshing the page.

For backend:

1. Build glab from this branch.
2. Ensure DPoP is enabled following the steps above.
3. Ensure you have an SSH key-pair setup with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
4. Using glab generate a DPoP header: bin/glab auth dpop-gen --pat "glpat-PAT" --private-key ~.ssh/id_rsa
5. Use the generated header to make an HTTP API request: curl http://localhost:3000/api/v4/projects --header "Private-Token: glpat-PAT" --header "DPoP: <GLAB OUTPUT HERE>"
6. Confirm valid response is received. Confirm that the request fails without a valid DPoP header.