move legacy check below auth check in lock guard (#6696)

libs/angular/src/auth/guards/lock.guard.ts

@@ -33,6 +33,11 @@ export function lockGuard(): CanActivateFn {
     const router = inject(Router);
     const userVerificationService = inject(UserVerificationService);
 
+    const authStatus = await authService.getAuthStatus();
+    if (authStatus !== AuthenticationStatus.Locked) {
+      return router.createUrlTree(["/"]);
+    }
+
     // If legacy user on web, redirect to migration page
     if (await cryptoService.isLegacyUser()) {
       if (platformUtilService.getClientType() === ClientType.Web) {
@@ -43,11 +48,6 @@ export function lockGuard(): CanActivateFn {
       return false;
     }
 
-    const authStatus = await authService.getAuthStatus();
-    if (authStatus !== AuthenticationStatus.Locked) {
-      return router.createUrlTree(["/"]);
-    }
-
     // User is authN and in locked state.
 
     const tdeEnabled = await deviceTrustCryptoService.supportsDeviceTrust();