Do not implicitly authenticate user during session creation

app/controllers/application_controller.rb

@@ -131,7 +131,11 @@ class ApplicationController < ActionController::Base
   #  that is going to invoke warden callbacks, so we use Warden directly here.
   #
   def auth_user
-    if warden.authenticated?(:user)
+    # TODO improve that
+    #
+    return if controller_name == 'sessions' && action_name == 'create'
+
+    if user_signed_in?
       current_user
     else
       try(:authenticated_user)

config/initializers/warden.rb

@@ -34,7 +34,7 @@ Rails.application.configure do |config|
 
     if user.blocked?
       Gitlab::Auth::Activity.new(opts).user_blocked!
-      BlockedUserTracker.new(user, auth).log_blocked_user_activity!
+      Gitlab::Auth::BlockedUserTracker.new(user, auth).log_blocked_user_activity!
     end
 
     Gitlab::Auth::Activity.new(opts).user_session_destroyed!