feat: add token prefix

What does this MR do?

This merge requests adds a prefix to every personal access token, which makes it easier to distinguish them from other tokens and also makes it possible to find them using tools like gitleaks, which in turn uses rules to identify keys.

AWS also uses a prefix to identify their keys: AKIAIOSFODNN7EXAMPLE

🛠 with ❤ at Siemens

Screenshots

Database

$ bin/rake db:migrate

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrating =
-- add_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0016s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrated (0.0017s)

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrating
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0003s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_718b4458ae\nCHECK ( char_length(personal_access_token_prefix) <= 20 )\nNOT VALID;\n")
   -> 0.0026s
-- current_schema()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0002s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_718b4458ae;")
   -> 0.0013s
-- execute("RESET ALL")
   -> 0.0002s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrated (0.0139s)

$ bin/rake db:rollback STEP=2

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverting
-- execute("ALTER TABLE application_settings\nDROP CONSTRAINT IF EXISTS check_718b4458ae\n")
   -> 0.0009s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverted (0.0039s)

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverting =
-- remove_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0023s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverted (0.0024s)

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team

@gitlab-com/gl-security/appsec security