https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63287 made it
possible to rate limit authenticated Git requests properly. However, it
also inadvertently made it possible for certain pages to be viewed via
HTTP Basic Authentication. We now restrict the sessionless
authentication mechanism based on the current route to avoid this.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/341522

Changelog: security