Exclude 2FA from upload#show routes and 404s

Nonexistent routes should not redirect to the 2FA page, as there can
be missing resources, which would cause the 2FA secret to be regenerated

For UploadsController#show routes, any resource trying to be loaded
while on the 2FA page (avatar, custom header etc) would redirect to
the 2FA page, also regenerating the token after the QR/key was already
rendered in the view.

app/controllers/concerns/enforces_two_factor_authentication.rb

@@ -11,7 +11,7 @@ module EnforcesTwoFactorAuthentication
   extend ActiveSupport::Concern
 
   included do
-    before_action :check_two_factor_requirement
+    before_action :check_two_factor_requirement, except: [:route_not_found]
 
     # to include this in controllers inheriting from `ActionController::Metal`
     # we need to add this block

app/controllers/uploads_controller.rb

@@ -19,6 +19,7 @@ class UploadsController < ApplicationController
   rescue_from UnknownUploadModelError, with: :render_404
 
   skip_before_action :authenticate_user!
+  skip_before_action :check_two_factor_requirement, only: [:show]
   before_action :upload_mount_satisfied?
   before_action :authorize_access!, only: [:show]
   before_action :authorize_create_access!, only: [:create, :authorize]

changelogs/unreleased/cat-2fa-404-redirect.yml

+---
+title: Exclude 2FA from upload#show routes and 404s
+merge_request: 42784
+author:
+type: fixed