[PM-18608] Don't require new device verification on newly created accounts (#5440)

* Limit new device verification to aged accounts * set user creation date context for test * formatting
2025-06-30 07:36:14 -05:00 · 2025-02-27 11:01:40 -05:00
parent 3533f82d0f
commit 8354929ff1
2 changed files with 36 additions and 0 deletions
--- a/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/DeviceValidator.cs
@ -120,6 +120,13 @@ public class DeviceValidator(
            return DeviceValidationResultType.Success;
        }

+        // User is newly registered, so don't require new device verification
+        var createdSpan = DateTime.UtcNow - user.CreationDate;
+        if (createdSpan < TimeSpan.FromHours(24))
+        {
+            return DeviceValidationResultType.Success;
+        }
+
        // CS exception flow
        // Check cache for user information
        var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, user.Id.ToString());