
Use Authorization Bearer header instead of PAT on demand

Open mfriedenhagen opened this issue 2 years ago • 2 comments

  • PATs in our company instance are expired after one day by an automated process.
  • Our company instance requires a daily MFA login via SSO.
  • We implemented https://github.com/hickford/git-credential-oauth to gather tokens for authentication. The oauth application in GitLab is able to issue tokens with scope api as well.
  • This works fine with all standard git operations like pull or push.
  • I tried to use the token with lab. However, I get a 401 when setting the oauth bearer token as LAB_CORE_TOKEN.
  • That is probably because lab uses the PRIVATE-TOKEN header, which only accepts a GitLab PAT.
  • When I call the API via curl and use the oauth token as bearer token in the `Authorization` header, this does succeed.
  • The oauth token has 64 characters and matches [a-f0-9]{64}, so it should be quite easy to differentiate between a PAT and this kind of token.

mfriedenhagen avatar Jul 28 '23 19:07 mfriedenhagen
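One way to implement the token-format distinction proposed in the report, as an added example in Go that is not code from lab or go-gitlab: it sends PRIVATE-TOKEN for a PAT and Authorization: Bearer for a token matching [a-f0-9]{64}, and injects the header through an http.RoundTripper so the rest of the client stays scheme-agnostic. The regex and the sample token values are assumptions taken from the report, not from a GitLab specification.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// oauthTokenRE matches the 64 lowercase hex characters of the OAuth access
// tokens described in the report (an assumption); anything else is treated as a PAT.
var oauthTokenRE = regexp.MustCompile(`^[a-f0-9]{64}$`)

// AuthHeader returns the header GitLab expects for the given token:
// "Authorization: Bearer <token>" for an OAuth access token,
// "PRIVATE-TOKEN: <token>" for a personal access token.
func AuthHeader(token string) (name, value string) {
	if oauthTokenRE.MatchString(token) {
		return "Authorization", "Bearer " + token
	}
	return "PRIVATE-TOKEN", token
}

// tokenTransport injects the chosen header into every outgoing request so the
// rest of the client does not need to know which token type it holds.
type tokenTransport struct {
	base  http.RoundTripper
	token string
}

func (t tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Clone first: a RoundTripper must not modify the caller's request.
	r := req.Clone(req.Context())
	name, value := AuthHeader(t.token)
	r.Header.Set(name, value)
	return t.base.RoundTrip(r)
}

// NewAuthenticatedClient wraps http.DefaultTransport with the header injector.
func NewAuthenticatedClient(token string) *http.Client {
	return &http.Client{Transport: tokenTransport{base: http.DefaultTransport, token: token}}
}

func main() {
	// Constructed sample tokens; neither is a real credential.
	for _, tok := range []string{strings.Repeat("ab", 32), "pat-sample-value"} {
		name, value := AuthHeader(tok)
		fmt.Printf("%s: %s\n", name, value)
	}
}
```

Uppercase hex or a token of any other length falls through to PRIVATE-TOKEN, so existing PAT users are unaffected by the heuristic.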

Interesting. I'm trying to play around with OAuth2 but :( sadly cannot figure out a valid URI on GitLab. Let me try a few things to see if I can get some test code to you.

prarit avatar Aug 14 '23 22:08 prarit

@mfriedenhagen, can you try the following quick hack and let me know if this works?

diff --git a/internal/gitlab/gitlab.go b/internal/gitlab/gitlab.go
index 65cfd8849631..3e6a44dd7f19 100644
--- a/internal/gitlab/gitlab.go
+++ b/internal/gitlab/gitlab.go
@@ -97,7 +97,7 @@ func Init(_host, _user, _token string, allowInsecure bool) {
                },
        }
 
-       lab, _ = gitlab.NewClient(token, gitlab.WithHTTPClient(httpClient), gitlab.WithBaseURL(host+"/api/v4"), gitlab.WithCustomLeveledLogger(log))
+       lab, _ = gitlab.NewBasicAuthClient(_user, token, gitlab.WithHTTPClient(httpClient), gitlab.WithBaseURL(host+"/api/v4"), gitlab.WithCustomLeveledLogger(log))
 }
 
 // InitWithCustomCA open the HTTP client using a custom CA file (a self signed
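Review bot: Basic auth is a different scheme from the one the reporter asked for: `gitlab.NewBasicAuthClient(_user, token, ...)` sends the username and the token as a password, whereas the report shows the OAuth token succeeding only when sent as `Authorization: Bearer` (the curl check), and go-gitlab exposes `gitlab.NewOAuthClient(token, ...)` for exactly that header. Two smaller points on the same line: the call mixes the raw parameter `_user` with the processed local `token` (the removed line used `token`, not `_token`), so check whether a normalised `user` local exists as it does for the token; and the error is still discarded with `lab, _ =`, which leaves `lab` nil with no diagnostic if construction fails. Consider keeping `NewClient` for PATs and selecting the bearer client only when the token matches the 64-hex pattern from the report, so existing PAT users are unaffected.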

prarit avatar Aug 14 '23 22:08 prarit