Support push 2FA in internal API endpoint with blocking calls (FortiAuthenticator)
To support push 2FA for git for providers with blocking calls, the internal API should trigger the push notification via the configured OTP provider. Not all OTP providers support push; in that case, we need to return an error message.
We should also consider renaming the current `/two_factor_otp_check` endpoint to e.g. `/two_factor_check`, since it will no longer be limited to OTP. Alternatively, we could create a new `/two_factor_push_check` endpoint.
To avoid too many of these blocking connections, we should limit the number of concurrent requests globally. This approach should be fine self-hosted, but we should guard with the check `!GitLab.com?` to make sure it's not enabled otherwise. (Follow-up so it can be enabled on GitLab.com too: #324024)
Review from ~"team::Scalability" was done in: gitlab-com/gl-infra/scalability#916 (closed).
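
The flow proposed in this issue, sketched in Ruby as an added example (not GitLab's code): the class, method and message names are hypothetical, and the in-process counter stands in for whatever shared store a real global limit across processes would need.

```ruby
# Added illustration: every class, method and message here is hypothetical.
class PushCheckLimiter
  def initialize(max_concurrent)
    @max = max_concurrent
    @in_flight = 0
    @lock = Mutex.new
  end

  # Non-blocking: returns false when the cap is reached so the caller
  # fails fast instead of queueing yet another long-lived connection.
  def try_acquire
    @lock.synchronize do
      return false if @in_flight >= @max
      @in_flight += 1
      true
    end
  end

  def release
    @lock.synchronize { @in_flight -= 1 if @in_flight > 0 }
  end
end

# Constructed stand-ins for the configured OTP provider.
PushProvider = Struct.new(:approved) do
  def supports_push?; true; end
  # Stands in for the blocking call that waits for the user's approval.
  def push_approved?(_user); approved; end
end

class OtpOnlyProvider
  def supports_push?; false; end
end

def two_factor_push_check(user, provider:, limiter:, saas:)
  return { success: false, message: 'Push 2FA is not available on this instance' } if saas
  return { success: false, message: 'Configured provider does not support push' } unless provider.supports_push?
  return { success: false, message: 'Too many push checks in progress' } unless limiter.try_acquire

  begin
    approved = provider.push_approved?(user)
    { success: approved, message: approved ? nil : 'Push request was not approved' }
  ensure
    limiter.release # free the slot even if the provider call raises
  end
end
```

The checks run cheapest first, so a request that can never succeed (disabled instance, provider without push) does not consume one of the limited slots.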