Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`

app/controllers/projects/git_http_client_controller.rb

@@ -27,9 +27,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
         @ci = true
       elsif auth_result.type == :oauth && !download_request?
         # Not allowed
+      elsif auth_result.type == :missing_personal_token
+        render_missing_personal_token
+        return # Render above denied access, nothing left to do
       else
         @user = auth_result.user
-        check_2fa(auth_result.type)
       end
 
       if ci? || user
@@ -92,13 +94,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
     [nil, nil]
   end
 
-  def check_2fa(auth_type)
-    if user && user.two_factor_enabled? && auth_type == :gitlab_or_ldap
-      render plain: "HTTP Basic: Access denied\n"\
-                      "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
-                      "You can generate one at #{profile_personal_access_tokens_url}",
-             status: 401
-    end
+  def render_missing_personal_token
+    render plain: "HTTP Basic: Access denied\n"\
+                  "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
+                  "You can generate one at #{profile_personal_access_tokens_url}",
+           status: 401
   end
 
   def repository

lib/gitlab/auth.rb

@@ -11,14 +11,20 @@ module Gitlab
         if valid_ci_request?(login, password, project)
           result.type = :ci
         elsif result.user = find_with_user_password(login, password)
-          result.type = :gitlab_or_ldap
+          if result.user.two_factor_enabled?
+            result.user = nil
+            result.type = :missing_personal_token
+          else
+            result.type = :gitlab_or_ldap
+          end
         elsif result.user = oauth_access_token_check(login, password)
           result.type = :oauth
         elsif result.user = personal_access_token_check(login, password)
           result.type = :personal_token
         end
 
-        rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
+        success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
+        rate_limit!(ip, success: success, login: login)
         result
       end