Moved session verified check behind staff2fa flag

ghost/core/core/server/services/auth/session/middleware.js

@@ -42,8 +42,13 @@ function SessionMiddleware({sessionService}) {
     async function authenticate(req, res, next) {
         try {
             const user = await sessionService.getUserForSession(req, res);
+            if (user) {
+                if (labs.isSet('staff2fa')) {
                     const isVerified = await sessionService.isVerifiedSession(req, res);
-            if (user && isVerified) {
+                    if (!isVerified) {
+                        return next();
+                    }
+                }
                 // Do not nullify `req.user` as it might have been already set
                 // in a previous middleware (authorize middleware).
                 req.user = user;