Signed-off-by: NRémy Coutable <remy@rymai.me>

Signed-off-by: NRémy Coutable <remy@rymai.me>

Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Resolves #24576

Modify the guard clause of the `ApplicationController#require_email`
before action to skip requests where an admin is impersonating the
current user.

Closes #23615

We need this to prevent routing error when user access URL like /123
when there is no resource located under such name
Signed-off-by: NDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

When reading conflicts:

1. Add a `type` field. `text` works as before, and has `sections`;
   `text-editor` is a file with ambiguous conflict markers that can only
   be resolved in an editor.
2. Add a `content_path` field pointing to a JSON representation of the
   file's content for a single file.
3. Hitting `content_path` returns a similar datastructure to the `file`,
   but without the `content_path` and `sections` fields, and with a
   `content` field containing the full contents of the file (with
   conflict markers).

When writing conflicts:

1. Instead of `sections` being at the top level, they are now in a
   `files` array. This matches the read format better.
2. The `files` array contains file hashes, each of which must contain:
   a. `new_path`
   b. `old_path`
   c. EITHER `sections` (which works as before) or `content` (with the
      full content of the resolved file).

Closes #21043

Provide more sensible default sort order for issues and merge requests
based on the following table:

| type           | state  | default sort order |
|----------------|--------|--------------------|
| issues         | open   | last created       |
| issues         | closed | last updated       |
| issues         | all    | last created       |
| merge requests | open   | last created       |
| merge requests | merged | last updated       |
| merge requests | closed | last updated       |
| merge requests | all    | last created       |

1. Only on supported Chrome versions

2. Mainly, this lets us simplify the javascript-based U2F check to
   `window.u2f`, where `window.u2f` can either be loaded from the GitLab
   server (for Chrome) or from the Firefox extension.

3. This is a better way to provide browser detection for U2F.

This is a try for a new approach to put the access checks at the service level.
Signed-off-by: NRémy Coutable <remy@rymai.me>

- Extract a duplicated `redirect_to`
- Fix a typo: "token", not "certificate"
- Have the "Expires at" datepicker be attached to a text field, not inline
- Have both private tokens and personal access tokens verified in a
  single "authenticate_from_private_token" method, both in the
  application and API. Move relevant logic to
  `User#find_by_personal_access_token`
- Remove unnecessary constants relating to API auth. We don't need a
  separate constant for personal access tokens since the param is the
  same as for private tokens.

- Move the `TwoFactorAuthsController`'s `new` action to `show`, since
  the page is not used to create a single "two factor auth" anymore. We
  can have a single 2FA authenticator app, along with any number of U2F
  devices, in any combination, so the page will be accessed after the
  first "two factor auth" is created.
- Add the `u2f` javascript library, which provides an API to the
  browser's U2F implementation.
- Add tests for the JS components

- To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the
  `otp_required_for_login` column on `users`.
- This commit changes things a bit:
    - `User#two_factor_enabled` is not a method anymore
    - `User#two_factor_enabled?` checks both the
      `otp_required_for_login` column, as well as `U2fRegistration`s
    - Change all instances of `User#two_factor_enabled` to
      `User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the
  model level.

This reverts commit 3e991230.

# Conflicts:
#	app/models/project.rb

- So that the check for valid personal access tokens happens only if
  private token auth fails.

Devise (3.5.4 => 4.1.1) Changelog:
https://github.com/plataformatec/devise/blob/master/CHANGELOG.md

devise-two-factor (2.0.1 => 3.0.0) Changelog:
https://github.com/tinfoil/devise-two-factor/blob/master/CHANGELOG.md

These are reliant on each other, so they have to be upgraded together.

devise-async is no longer necessary as Devise 4.1 fixes a bug with the
ActiveJob integration.

- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3749#note_11626427
- Personal access tokens are still a separate entity as far as the
  codebase is concerned - they just happen to use the same entry point
  as private tokens.
- Update tests and documentation to reflect this change

- Use `TokenAuthenticatable` to generate the personal access token
- Remove a check for `authenticity_token` in application controller;
  this should've been `authentication_token`, maybe, and doesn't make
  any sense now.
- Have the datepicker appear inline

- No need to use `if`s when we have a `presence` check already.

- Rename the `authenticate_user_from_token!` filter to
  `authenticate_user_from_private_token!`
- Add a new `authenticate_user_from_personal_access_token!` filter
- Add tests for both.