Closes #21043

Provide more sensible default sort order for issues and merge requests
based on the following table:

| type           | state  | default sort order |
|----------------|--------|--------------------|
| issues         | open   | last created       |
| issues         | closed | last updated       |
| issues         | all    | last created       |
| merge requests | open   | last created       |
| merge requests | merged | last updated       |
| merge requests | closed | last updated       |
| merge requests | all    | last created       |

1. Only on supported Chrome versions

2. Mainly, this lets us simplify the javascript-based U2F check to
   `window.u2f`, where `window.u2f` can either be loaded from the GitLab
   server (for Chrome) or from the Firefox extension.

3. This is a better way to provide browser detection for U2F.

This is a try for a new approach to put the access checks at the service level.
Signed-off-by: NRémy Coutable <remy@rymai.me>

- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a
  single "authenticate_from_private_token" method, both in the
  application and API. Move relevant logic to
  `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a
  separate constant for personal access tokens since the param is the
  same as for private tokens.

- Move the `TwoFactorAuthsController`'s `new` action to `show`, since
  the page is not used to create a single "two factor auth" anymore. We
  can have a single 2FA authenticator app, along with any number of U2F
  devices, in any combination, so the page will be accessed after the
  first "two factor auth" is created.
- Add the `u2f` javascript library, which provides an API to the
  browser's U2F implementation.
- Add tests for the JS components

- To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the
  `otp_required_for_login` column on `users`.
- This commit changes things a bit:
    - `User#two_factor_enabled` is not a method anymore
    - `User#two_factor_enabled?` checks both the
      `otp_required_for_login` column, as well as `U2fRegistration`s
    - Change all instances of `User#two_factor_enabled` to
      `User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the
  model level.

This reverts commit 3e991230.

# Conflicts:
#	app/models/project.rb

- So that the check for valid personal access tokens happens only if
  private token auth fails.

Devise (3.5.4 => 4.1.1) Changelog:
https://github.com/plataformatec/devise/blob/master/CHANGELOG.md

devise-two-factor (2.0.1 => 3.0.0) Changelog:
https://github.com/tinfoil/devise-two-factor/blob/master/CHANGELOG.md

These are reliant on each other, so they have to be upgraded together.

devise-async is no longer necessary as Devise 4.1 fixes a bug with the
ActiveJob integration.

- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3749#note_11626427
- Personal access tokens are still a separate entity as far as the
  codebase is concerned - they just happen to use the same entry point
  as private tokens.
- Update tests and documentation to reflect this change

- Use `TokenAuthenticatable` to generate the personal access token
- Remove a check for `authenticity_token` in application controller;
  this should've been `authentication_token`, maybe, and doesn't make
  any sense now.
- Have the datepicker appear inline

- No need to use `if`s when we have a `presence` check already.

- Rename the `authenticate_user_from_token!` filter to
  `authenticate_user_from_private_token!`
- Add a new `authenticate_user_from_personal_access_token!` filter
- Add tests for both.

gitlab import UI - icon, file selector, etc... Also updated font-awesome and modified import source settings.

Closes #14370

Move gon function into its own helper

This will let us filter errors by the program environment in which they
were encountered.

Source: http://stackoverflow.com/a/28370539/223897

Closes #15092

Added in disable button for 2fa

Prior, if the request format was, for example, .zip, we'd get an
`ActionView::MissingTemplate` error.