New user can't login if password expired and 2factor needs to be setup

Summary

Users get into a redirect loop if their password is expired (an admin updated it for example) and 2factor auth is not setup yet for the user, but required for the instance.

login will redirect to the profile/two_factor_auth page, and that page will redirect to the expired/update password page, which will redirect to the two factor auth page, and on and on.

Steps to reproduce

  1. Enforce 2factor auth on the instance
  2. Create a new user from the Admin interface
  3. Update the users password from the Admin interface
  4. Login to the new user with the password

What is the current bug behavior?

Redirect loop upon login

What is the expected correct behavior?

Password reset page should be shown if the 2factor auth requirement is still skipable.

Relevant logs and/or screenshots

Screenshot_from_2017-02-13_11-24-40-crop

Output of checks

This bug happens in master locally, and happened during onboarding for someone on dev.gitlab.org