Add Demonstrating Proof of Possession (DPoP) for Personal Access Tokens

What does this MR do and why?

This MR initiates the implementation of sender-constrained access tokens designed to minimise the risk of token leaks. I am putting this feature behind a feature flag.

Related to Sender constraining personal access tokens (#425130).

How to set up and validate locally

Currently this feature works only for RSA keys. Support for other algorithms will be added later.

For frontend:

1. Checkout this branch locally.
2. Run bin/rails db:migrate
3. In rails console, enable the feature flag: Feature.enable(:dpop_authentication, User.first)
4. Login as root.
5. Go to Settings > Access tokens > Toggle the DPoP option.
6. Confirm it persists in the database User.first.dpop_enabled and also on the frontend on refreshing the page.

For backend:

1. Build glab from this branch.
2. Ensure DPoP is enabled following the steps above.
3. Ensure you have an SSH key-pair setup with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
4. Using glab generate a DPoP header: bin/glab auth dpop-gen --pat "glpat-PAT" --private-key ~.ssh/id_rsa
5. Use the generated header to make an HTTP API request: curl http://localhost:3000/api/v4/projects --header "Private-Token: glpat-PAT" --header "DPoP: <GLAB OUTPUT HERE>"
6. Confirm valid response is received. Confirm that the request fails without a valid DPoP header.

lib/gitlab/auth/auth_finders.rb

@@ -224,20 +224,18 @@ def validate_dpop_header_count
       end
 
       def convert_to_pem_key(key)
-        begin
-          tmp_file = Tempfile.new('openssh_key')
-          tmp_file.write(key)
-          tmp_file.rewind
-          tmp_file.close
+        tmp_file = Tempfile.new('openssh_key')
+        tmp_file.write(key)
+        tmp_file.rewind
+        tmp_file.close
 
-          result = Gitlab::Popen.popen(%W[ssh-keygen -e -m PEM -f #{tmp_file.path}])[0]
+        result = Gitlab::Popen.popen(%W[ssh-keygen -e -m PEM -f #{tmp_file.path}])[0]
 
-          OpenSSL::PKey.read(result)
-        rescue => e
+        OpenSSL::PKey.read(result)
+        rescue => e # rubocop:disable Style/RescueStandardError -- this is to rescue any OpenSSL errors
           raise DpopValidationError, "Unable to convert to PEM: #{e}"
         ensure
           tmp_file.unlink
-        end
       end
 
       # This returns a deploy token, not a user since a deploy token does not