Fix GraphQL token auth with relative_url_root

For GraphQL requests, we call `authenticate_sessionless_user!(:api)` so
that we allow token authentication.

This fixes the check for the API URL because it was broken when the
GitLab instance is installed under a relative path.

When checking the path, we should account for the `relative_url_root`
setting.

changelogs/unreleased/250580-fix-graphql-api-token-authentication.yml

+---
+title: Fix GraphQL token authentication when installed under a relative URL
+merge_request: 42706
+author:
+type: fixed

lib/gitlab/auth/auth_finders.rb

@@ -290,7 +290,7 @@ module Gitlab
       end
 
       def api_request?
-        current_request.path.starts_with?('/api/')
+        current_request.path.starts_with?(Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/api/'))
       end
 
       def archive_request?

spec/lib/gitlab/auth/auth_finders_spec.rb

@@ -419,10 +419,30 @@ RSpec.describe Gitlab::Auth::AuthFinders do
       expect(find_user_from_web_access_token(:ics)).to eq(user)
     end
 
-    it 'returns the user for API requests' do
-      set_header('SCRIPT_NAME', '/api/endpoint')
+    context 'for API requests' do
+      it 'returns the user' do
+        set_header('SCRIPT_NAME', '/api/endpoint')
+
+        expect(find_user_from_web_access_token(:api)).to eq(user)
+      end
+
+      it 'returns nil if URL does not start with /api/' do
+        set_header('SCRIPT_NAME', '/relative_root/api/endpoint')
+
+        expect(find_user_from_web_access_token(:api)).to be_nil
+      end
 
-      expect(find_user_from_web_access_token(:api)).to eq(user)
+      context 'when relative_url_root is set' do
+        before do
+          stub_config_setting(relative_url_root: '/relative_root')
+        end
+
+        it 'returns the user' do
+          set_header('SCRIPT_NAME', '/relative_root/api/endpoint')
+
+          expect(find_user_from_web_access_token(:api)).to eq(user)
+        end
+      end
     end
   end