Implement JWT authentication for writable endpoints
Utilizes the JWKS endpoint from GitLab to fetch the appropriate public key for decoding the payload.
Token is then verified against the path such that the request path
begins with /v2/{project_path}. This means that Docker images that
are subpaths of a given project would also be permitted (i.e. a project
of foo/bar could publish images at foo/bar and foo/bar/baz but not,
say, foo/derp).
- endpoints without @jwt_required are unchanged
- omitting the JWT yells at you with a 401 and "Missing Authorization Header"
- providing a bogus JWT yells at you appropriately with a 422
- Trying to operate on a repo not included in project_path responds with a 403
Bug: T323394
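One way to write the path check described in the commit message so that it compares whole path segments, as an added example that is not the code from this commit. The function name `repo_path_allowed` and the sample paths are hypothetical; `project_path` is assumed to be the value taken from the already-verified token.

```python
import posixpath
from urllib.parse import unquote

REGISTRY_PREFIX = "/v2/"


def repo_path_allowed(request_path: str, project_path: str) -> bool:
    """True if request_path is /v2/{project_path} or a sub-path of it.

    Assumes the JWT signature was already verified and project_path
    comes from its claims.
    """
    wanted = project_path.strip("/").split("/")
    if wanted == [""]:
        return False  # an empty claim must never authorise every repo

    # Decode percent-encoding once so %2f and %2e cannot hide separators
    # or dot segments from the comparison below.
    decoded = unquote(request_path)
    if not decoded.startswith(REGISTRY_PREFIX):
        return False

    # Refuse paths that normalisation would change ("..", ".", "//")
    # instead of guessing what the backend will resolve them to.
    if posixpath.normpath(decoded) != decoded.rstrip("/"):
        return False

    # Compare segment by segment. A plain str.startswith() on the raw
    # string would also accept foo/barbaz for a project of foo/bar.
    segments = decoded[len(REGISTRY_PREFIX):].split("/")
    return segments[:len(wanted)] == wanted


if __name__ == "__main__":
    # Constructed sample requests for a token whose project_path is foo/bar.
    for path in (
        "/v2/foo/bar/manifests/latest",
        "/v2/foo/bar/baz/blobs/uploads/",
        "/v2/foo/derp/manifests/latest",
        "/v2/foo/barbaz/manifests/latest",
        "/v2/foo/bar/../derp/manifests/latest",
    ):
        print(path, "->", 200 if repo_path_allowed(path, "foo/bar") else 403)
```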