Don't allow bypassing auth with non-json/html format

Author: elucid

lib/two_factor_authentication/controllers/helpers.rb

@@ -27,6 +27,8 @@ def handle_failed_second_factor(scope)
           elsif request.format.json?
             session["#{scope}_return_to"] = root_path(format: :html)
             render json: { redirect_to: two_factor_authentication_path_for(scope) }, status: :unauthorized
+          else
+            head :unauthorized
           end
         else
           head :unauthorized