Require verified email to enable 2FA

What does this MR do?

This MR requires that users have a verified email in order to enable 2FA.

How to setup and validate locally (strongly suggested)

Preparation

To prepare your local instance:

Enable the :soft_email_confirmation feature flag to enable Soft email confirmation. This is the flag that allows users to be logged in without first verifying their email address:

Feature.enable(:soft_email_confirmation)

Enable the :ensure_verified_primary_email_for_2fa feature flag that is added in this MR:

Feature.enable(:ensure_verified_primary_email_for_2fa)

Admin has to have the instance's Sign-up restrictions set to :

• Allow new sign-ups
• Send confirmation email on sign-up

QA as a user

1. Sign up as a new user http://127.0.0.1:3000/users/sign_up
2. Visit the user's account settings http://127.0.0.1:3000/-/profile/account
3. Click the "enable two-factor authentication" button
4. You should be redirected to the user's email settings page with a notice

Does this MR meet the acceptance criteria?

Conformity

• [-] I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
• [-] I have added/updated documentation, or it's not needed. (Is documentation required?)
• [-] I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
• [-] I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
• I have self-reviewed this MR per code review guidelines.
• This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
• I have followed the style guides.
• This change is backwards compatible across updates, or this does not apply.

Availability and Testing

• I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
• [-] I have tested this MR in all supported browsers, or it's not needed.
• [-] I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.

Related to #35102 (closed)