Add DPoP checks in GraphQL and API requests

What does this MR do and why?

See Sender constraining personal access tokens (#425130) for more context. This MR makes use of the backend DPoP checks that are introduced in Parse and validate DPoP Tokens (!166206 - merged).

How to set up and validate locally

1. In rails console, enable the feature flag for the user you are going to be testing the feature with:

Feature.enable(:dpop_authentication, User.find(1))

2. Using the rails console, enable DPoP for the user :

UserPreferences::UpdateService.new(User.find(1), {dpop_enabled: true}).execute

3. Ensure you have an SSH key-pair setup with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
4. Build glab from this branch.
5. Using glab generate a DPoP header: bin/glab auth dpop-gen --pat "<glpat-PAT>" --private-key ~/.ssh/id_rsa
6. Use the generated header to make an HTTP API request eg.: curl http://localhost:3000/api/v4/projects --header "Private-Token: <glpat-PAT>" --header "DPoP: <GLAB OUTPUT HERE>"
7. Confirm valid response is received. Confirm that the request fails without a valid DPoP header.
8. Repeat and confirm for GraphQL requests, e.g. curl -X POST -H "Content-Type: application/json" -H "Private-Token: <glpat-PAT>" -H "DPoP: <GLAB OUTPUT HERE>" -d '{ "query": "query { currentUser { id } }" }' "http://localhost:3000/api/graphql"
9. Confirm that the server responds with accurate error messages related to the failing DPoP check (eg. signature expired, JWT invalid, etc.).

spec/controllers/graphql_controller_spec.rb

@@ -551,45 +551,67 @@
       end
     end
 
-    context 'when DPoP is disabled' do
-      let(:user) { create(:user, last_activity_on: last_activity_on) }
-      let(:personal_access_token) { create(:personal_access_token, user: user, scopes: [:api]) }
-
-      it 'does not check for DPoP token' do
-        post :execute, params: { access_token: personal_access_token.token }
-        expect(response).to have_gitlab_http_status(:ok)
-      end
-    end
+    describe 'DPoP authentication' do
+      context 'when :dpop_authentication FF is disabled' do
+        let(:user) { create(:user, last_activity_on: last_activity_on) }
+        let(:personal_access_token) { create(:personal_access_token, user: user, scopes: [:api]) }
 
-    context 'when DPoP is enabled' do
-      let_it_be(:user) { create(:user, last_activity_on: last_activity_on, dpop_enabled: true) }
-      let_it_be(:personal_access_token) { create(:personal_access_token, user: user, scopes: [:api]) }
-      let_it_be(:dpop_proof) { generate_dpop_proof_for(user) }
+        it 'does not check for DPoP token' do
+          stub_feature_flags(dpop_authentication: false)
 
-      context 'with a missing DPoP token' do
-        it 'returns 401' do
           post :execute, params: { access_token: personal_access_token.token }
-          expect(response).to have_gitlab_http_status(:unauthorized)
-          expect(json_response["errors"][0]["message"]).to eq("DPoP validation error: DPoP header is missing")
+          expect(response).to have_gitlab_http_status(:ok)
         end
       end
 
-      context 'with a valid DPoP token' do
-        it 'returns 200' do
-          request.headers["dpop"] = dpop_proof.proof
-          post :execute, params: { access_token: personal_access_token.token }
-          expect(response).to have_gitlab_http_status(:ok)
+      context 'when :dpop_authentication FF is enabled' do
+        before do
+          stub_feature_flags(dpop_authentication: true)
         end
-      end
 
-      context 'with a malformed DPoP token' do
-        it 'returns 401' do
-          request.headers["dpop"] = "invalid"
-          post :execute, params: { access_token: personal_access_token.token }
-          # rubocop:disable Layout/LineLength -- We need the entire error message
-          expect(json_response["errors"][0]["message"]).to eq("DPoP validation error: Malformed JWT, unable to decode. Not enough or too many segments")
-          # rubocop:enable Layout/LineLength
-          expect(response).to have_gitlab_http_status(:unauthorized)
+        context 'when DPoP is disabled for the user' do
+          let(:user) { create(:user, last_activity_on: last_activity_on) }
+          let(:personal_access_token) { create(:personal_access_token, user: user, scopes: [:api]) }
+
+          it 'does not check for DPoP token' do
+            stub_feature_flags(dpop_authentication: false)
+
+            post :execute, params: { access_token: personal_access_token.token }
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
+
+        context 'when DPoP is enabled for the user' do
+          let_it_be(:user) { create(:user, last_activity_on: last_activity_on, dpop_enabled: true) }
+          let_it_be(:personal_access_token) { create(:personal_access_token, user: user, scopes: [:api]) }
+          let_it_be(:dpop_proof) { generate_dpop_proof_for(user) }
+
+          context 'with a missing DPoP token' do
+            it 'returns 401' do
+              post :execute, params: { access_token: personal_access_token.token }
+              expect(response).to have_gitlab_http_status(:unauthorized)
+              expect(json_response["errors"][0]["message"]).to eq("DPoP validation error: DPoP header is missing")
+            end
+          end
+
+          context 'with a valid DPoP token' do
+            it 'returns 200' do
+              request.headers["dpop"] = dpop_proof.proof
+              post :execute, params: { access_token: personal_access_token.token }
+              expect(response).to have_gitlab_http_status(:ok)
+            end
+          end
+
+          context 'with a malformed DPoP token' do
+            it 'returns 401' do
+              request.headers["dpop"] = "invalid"
+              post :execute, params: { access_token: personal_access_token.token }
+              # rubocop:disable Layout/LineLength -- We need the entire error message
+              expect(json_response["errors"][0]["message"]).to eq("DPoP validation error: Malformed JWT, unable to decode. Not enough or too many segments")
+              # rubocop:enable Layout/LineLength
+              expect(response).to have_gitlab_http_status(:unauthorized)
+            end
+          end
         end
       end
     end