Add DPoP checks in GraphQL and API requests

What does this MR do and why?

See Sender constraining personal access tokens (#425130) for more context. This MR makes use of the backend DPoP checks that are introduced in Parse and validate DPoP Tokens (!166206 - merged).

How to set up and validate locally

1. In rails console, enable the feature flag for the user you are going to be testing the feature with:

Feature.enable(:dpop_authentication, User.find(1))

2. Using the rails console, enable DPoP for the user :

UserPreferences::UpdateService.new(User.find(1), {dpop_enabled: true}).execute

3. Ensure you have an SSH key-pair setup with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
4. Build glab from this branch.
5. Using glab generate a DPoP header: bin/glab auth dpop-gen --pat "<glpat-PAT>" --private-key ~/.ssh/id_rsa
6. Use the generated header to make an HTTP API request eg.: curl http://localhost:3000/api/v4/projects --header "Private-Token: <glpat-PAT>" --header "DPoP: <GLAB OUTPUT HERE>"
7. Confirm valid response is received. Confirm that the request fails without a valid DPoP header.
8. Repeat and confirm for GraphQL requests, e.g. curl -X POST -H "Content-Type: application/json" -H "Private-Token: <glpat-PAT>" -H "DPoP: <GLAB OUTPUT HERE>" -d '{ "query": "query { currentUser { id } }" }' "http://localhost:3000/api/graphql"
9. Confirm that the server responds with accurate error messages related to the failing DPoP check (eg. signature expired, JWT invalid, etc.).

app/controllers/graphql_controller.rb

@@ -12,10 +12,6 @@ class GraphqlController < ApplicationController
   # Max size of the query text in characters
   MAX_QUERY_SIZE = 10_000
 
-  # Headers to read private tokens in requests
-  PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
-  PRIVATE_TOKEN_PARAM = :private_token
-
   # The query string of a standard IntrospectionQuery, used to compare incoming requests for caching
   CACHED_INTROSPECTION_QUERY_STRING = CachedIntrospectionQuery.query_string
   INTROSPECTION_QUERY_OPERATION_NAME = 'IntrospectionQuery'
@@ -35,9 +31,10 @@ class GraphqlController < ApplicationController
 
   # must come first: current_user is set up here
   before_action(only: [:execute]) { authenticate_sessionless_user!(:graphql_api) }
-  before_action(only: [:execute]) { check_dpop }
 
   before_action :authorize_access_api!
+  # must come after authorize_access_api! to check for nil current_user
+  before_action(only: [:execute]) { :check_dpop! }
   before_action :set_user_last_activity
   before_action :track_vs_code_usage
   before_action :track_jetbrains_usage
@@ -128,8 +125,8 @@ def feature_category
 
   private
 
-  def check_dpop
-    ::Auth::DpopAuthenticationService.new(current_user, request_authenticator.get_personal_access_token,
+  def check_dpop!
+    ::Auth::DpopAuthenticationService.new(current_user, Gitlab::Auth::AuthFinders.get_personal_access_token,
       request).execute
   end