Add a user preference for enabling the DPoP feature per User

Nick Malcolmrequested to merge
425130-add-dpop-user-preference into master

What does this MR do and why?

Demonstrating Proof-of-Possession (DPoP) is a new feature under development (#425130 (closed)) which mitigates the impact of leaked tokens. See the issue for more detail. See also the DPoP Architectural Blueprint

This commit adds:

  • a column to the User Preferences table to toggle this feature on a per-user basis
  • the appropriate method to the UserPreference model, ensuring the value is a boolean
  • delegation methods for access via a User record

This changeset derived from an older MR proposed and reviewed at !148175 (closed).

Subsequent MRs will deliver further backend, frontend, and API changes.

Differences to the original MR

  • migration milestone updated
  • I noticed that user.rb wasn't delegating the setter method, which was in contrast to all the other delegations (e.g. :timezone, :timezone=,). Added that.
  • I noticed that we weren't testing for, nor assigning, a non-null value when that was passed to the setter. So I copied the UserPreference pattern of setting it to the table default when value.nil?.

Subsequent MRs will deliver further backend, frontend, and API changes.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

N/A - this is just a DB & small model change.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Related to #425130 (closed)

Merge request reports