Redirect loop when logging in for the experimental sign_up flow

Summary

There seems to be a redirect loop in the new sign_up flow: a subset of users can't log in, getting a 302 redirect loop that ends with the browser complaining about "too many redirects".

The loop happens in these places:

  1. The method required_signup_info, included in ApplicationController (and so inherited by Profiles::TwoFactorAuthsController), redirects to [RegistrationsController]#[welcome].
  2. In RegistrationsController#welcome, there is a redirect to path_for_signed_in_user if the user has the setup_for_company flag. That method, if the user doesn't need confirmation, redirects to stored_location_for_user when a stored location exists. In this case there is one, because the request came from Profiles::TwoFactorAuthsController#show and the method in point 1 also stores the current URL, so the redirect goes straight back to point 1.

The mismatch here is that user.role_required? and user.role.present? return conflicting information: user.role.present? will be true (as, technically, I believe it's 99), while user.role_required? (despite the naming) will also be true.
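To make the cycle above concrete, here is a small Ruby model of the two redirect points and a redirect-chain walker that stops as soon as a location repeats. This is an added, constructed example and not GitLab code: the controller and method names mirror the issue, but the conditions are simplified (in particular, the role placeholder value 99 and the exact predicate used in welcome are assumptions taken from the text above). The walker is the kind of check a request spec can use to catch such loops.

```ruby
require 'set'

# Paths from the issue; DASHBOARD stands in for wherever a signed-in user
# lands when nothing is stored (assumption).
WELCOME    = '/users/sign_up/welcome'
TWO_FACTOR = '/profile/two_factor_auth'
DASHBOARD  = '/dashboard'

# Placeholder role value; the issue author believes it is 99 (assumption).
ROLE_PLACEHOLDER = 99

User = Struct.new(:role, :setup_for_company, :two_factor_required_by_group,
                  :two_factor_enabled, :needs_confirmation, :stored_location,
                  keyword_init: true) do
  # The mismatch from the issue: with the placeholder role both predicates
  # answer true, which is what lets both redirects fire.
  def role_present?
    !role.nil?
  end

  def role_required?
    role.nil? || role == ROLE_PLACEHOLDER
  end
end

# Point 1: ApplicationController#required_signup_info, as described in the
# issue. It stores the current URL and then sends the user to the welcome page.
def required_signup_info(user, current_path)
  return nil unless user.role_required?
  user.stored_location = current_path
  WELCOME
end

# Profiles::TwoFactorAuthsController#show runs the check above first.
def two_factor_auths_show(user)
  required_signup_info(user, TWO_FACTOR) || :render
end

# Stand-in for path_for_signed_in_user: prefers the stored location unless
# the user still needs confirmation.
def path_for_signed_in_user(user)
  return '/users/confirm' if user.needs_confirmation
  user.stored_location || DASHBOARD
end

# Point 2: RegistrationsController#welcome (condition simplified, assumption).
def registrations_welcome(user)
  return path_for_signed_in_user(user) if user.setup_for_company && user.role_present?
  :render
end

# Where a user first lands: group-enforced 2FA sends them to the 2FA page.
def entry_point(user)
  user.two_factor_required_by_group && !user.two_factor_enabled ? TWO_FACTOR : DASHBOARD
end

def dispatch(user, path)
  case path
  when TWO_FACTOR then two_factor_auths_show(user)
  when WELCOME    then registrations_welcome(user)
  else :render
  end
end

# Follow redirects from +start+, recording the chain. Reports a loop the
# moment a location repeats, so the chain stays short and readable.
def follow(user, start, limit: 20)
  chain = [start]
  seen  = Set[start]
  while chain.size <= limit
    nxt = dispatch(user, chain.last)
    return { chain: chain, loop: false } if nxt == :render
    return { chain: chain + [nxt], loop: true } if seen.include?(nxt)
    chain << nxt
    seen  << nxt
  end
  { chain: chain, loop: true }
end

if __FILE__ == $PROGRAM_NAME
  affected = User.new(role: ROLE_PLACEHOLDER, setup_for_company: true,
                      two_factor_required_by_group: true, two_factor_enabled: false,
                      needs_confirmation: false)
  p follow(affected, entry_point(affected))
  # => {:chain=>["/profile/two_factor_auth", "/users/sign_up/welcome",
  #              "/profile/two_factor_auth"], :loop=>true}
end
```

Flipping two_factor_required_by_group to false (the workaround at the end of this issue) keeps the user off /profile/two_factor_auth, so nothing ever stores that URL and the walker reports no loop; a user with a real role makes role_required? false, so point 1 never redirects either.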

Steps to reproduce

I'm unsure how to reproduce this 100%: I believe the user needs to not have a role set up and to be part of a group that requires (required?) 2FA, so that they end up on /profile/two_factor_auth in the first place, triggering the redirect loop.

For reference, gitlab-com/support/dotcom/dotcom-internal#2110 (internal only, customer details)

What is the current bug behavior?

A redirect loop is created, between https://gitlab.com/users/sign_up/welcome and https://gitlab.com/profile/two_factor_auth.

What is the expected correct behavior?

The user should be seeing the role selection flow page and not get redirected back and forth to oblivion.

Relevant logs and/or screenshots

According to Kibana logs in the past 15 days, this seems to have happened to at least 3 different customers:

controller_and_action: "[Profiles::TwoFactorAuthsController]#[show]" and json.status: 302 and json.location: "https://gitlab.com/users/sign_up/welcome"

Output of checks

This only happens on GitLab.com.

Possible fixes

As mentioned above, the inconsistency should be taken into account: role.present? and role_required? are not exactly true to their descriptions.

Potential workaround

Update the require_two_factor_authentication_from_group flag to false for the user (thanks @lyle!) or disable the experimental flow for them.