Allow CI_JOB_TOKEN in artifact download API

Description

If a pipeline depends on the artifacts of another pipeline, the job should be able to request those artifacts using the CI_JOB_TOKEN for permissions.

Proposal

Links / references

Documentation blurb

With the introduction of dependencies between different projects, one of them may need to access artifacts created by a previous one. This process must be granted for authorized accesses, and it can be done using the CI_JOB_TOKEN variable that identifies a specific job.

added gitlab-ce~19173 label

removed ~897282 label

changed milestone to gitlab-ce%39

assigned to @zj

(Write the start of the documentation of this feature here, include:

1. Why should someone use it; what's the underlying problem.

2. What is the solution.

3. How does someone use this

During implementation, this can then be copied and used as a starter for the documentation.)

changed milestone to gitlab-ce%37

added gitlab-ce992791 and removed gitlab-ce992792 labels

added gitlab-ce~901060 label

@ayufan @bikebilly Should this be EEP, like the other API change for cross-project pipelines?

mentioned in merge request !2346 (merged)

The Merge Request implementation had serious vulnerability and it requires better understanding and involvement of @jneen to make that change, just for API: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2346.

changed milestone to %9.5

assigned to @zj

assigned to @ayufan and unassigned @zj

Assigning that to myself.

It seems that we will add metadata to routes that are allowed to use ci_job_token with the help of: https://github.com/ruby-grape/grape#describing-and-inspecting-an-api.

Probably it will look like:

route_setting :authentication, job_token_allowed: true

We will allow to use this token only when this authentication method is explicitly enabled for endpoint.