Add controllers and frontend for DPoP

What does this MR do and why?

This MR adds the controller and frontend code for Add DPoP checks in GraphQL and API requests (!169013 - merged).

Related to Sender constraining personal access tokens (#425130).

References

See the epic (Allow users to require demonstrated proof of po... (&14383)) for context, pre-work, and other related issues.

Screenshots or screen recordings

When dpop_authentication FF is disabled:

When :dpop_authentication FF is enabled:

How to set up and validate locally

1. Checkout this branch locally.
2. Run bin/rails db:migrate
3. In rails console, enable the feature flag: Feature.enable(:dpop_authentication, User.first)
4. Login as root.
5. Go to Settings > Access tokens > Toggle the DPoP option.
6. Confirm it persists in the database User.first.dpop_enabled and also on the frontend after refreshing the page.

doc/user/profile/personal_access_tokens.md

@@ -343,34 +343,36 @@ To require DPoP on all calls to the REST and GraphQL APIs:
 1. On the left sidebar, select **Access Tokens**.
 1. Go to the **Use Demonstrating Proof of Possession** section, and select **Enable DPoP**.
 1. Select **Save changes**.
-
-To use DPoP with the REST and GraphQL APIs:
-
-1. Make sure you have an SSH key added to your account, with the usage type "Authentication" or "Authentication & Signing".
-1. Use [`glab`](https://gitlab.com/gitlab-org/cli) to generate a DPoP header, using this command, where the private key is corresponding private key of the public SSH key you added in the step above:
+1. Optional. To generate a DPoP header with the [GitLab CLI](../../editor_extensions/gitlab_cli/_index.md),
+   run this command in your terminal. Replace `<your_access_token>` with your access token, and `~/.ssh/id_rsa`
+   with the location of your private key:
 
    ```shell
-    bin/glab auth dpop-gen --pat "<glpat-PAT>" --private-key ~/.ssh/id_rsa
+    bin/glab auth dpop-gen --pat "<your_access_token>" --private-key ~/.ssh/id_rsa
    ```
 
-1. Use the generated header to make an HTTP request to the REST API, for example:
+The DPoP header you generated in the CLI can be used:
 
-   ```shell
-    curl --header "Private-Token: <glpat-PAT>" --header "DPoP: <dpop-from-glab>" "https://gitlab.example.com/api/v4/projects"
-   ```
+- With the REST API:
 
-1. For GraphQL requests, you can do the same:
-
-   ```shell
-    curl --request POST \
-    --header "Content-Type: application/json" \
-    --header "Private-Token: <glpat-PAT>" \
+  ```shell
+  curl --header "Private-Token: <your_access_token>" \
     --header "DPoP: <dpop-from-glab>" \
-    --data '{
-    "query": "query { currentUser { id } }"
-    }'
-    "https://gitlab.example.com/api/graphql"
-   ```
+    "https://gitlab.example.com/api/v4/projects"
+  ```
+
+- With GraphQL:
+
+  ```shell
+   curl --request POST \
+   --header "Content-Type: application/json" \
+   --header "Private-Token: <your_access_token>" \
+   --header "DPoP: <dpop-from-glab>" \
+   --data '{
+   "query": "query { currentUser { id } }"
+   }' \
+   "https://gitlab.example.com/api/graphql"
+  ```
 
 To learn more about DPoP headers, see the blueprint
 [Sender Constraining Personal Access Tokens](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/security-feature-blueprints/-/tree/main/sender_constraining_access_tokens).