LG-13985: Avoid new device email for reauthentication from new account

app/controllers/sign_up/passwords_controller.rb

@@ -3,6 +3,7 @@
 module SignUp
   class PasswordsController < ApplicationController
     include UnconfirmedUserConcern
+    include NewDeviceConcern
 
     before_action :find_user_with_confirmation_token
     before_action :confirm_user_needs_sign_up_confirmation
@@ -76,6 +77,7 @@ def process_unsuccessful_password_creation
 
     def sign_in_and_redirect_user
       sign_in @user
+      set_new_device_session(false)
       user_session[:in_account_creation_flow] = true
       if current_user.accepted_rules_of_use_still_valid?
         redirect_to authentication_methods_setup_url

spec/controllers/sign_up/passwords_controller_spec.rb

@@ -53,6 +53,17 @@
         expect(user.valid_password?('NewVal!dPassw0rd')).to eq true
         expect(user.confirmed?).to eq true
       end
+
+      it 'initializes user session' do
+        response
+
+        expect(controller.user_session).to match(
+          'unique_session_id' => kind_of(String),
+          'last_request_at' => kind_of(Numeric),
+          new_device: false,
+          in_account_creation_flow: true,
+        )
+      end
     end
 
     context 'with an invalid password' do

spec/features/new_device_tracking_spec.rb

@@ -217,6 +217,24 @@
         expect_delivered_email_count(0)
       end
     end
+
+    context 'reauthenticating after new account creation' do
+      before do
+        sign_up_and_2fa_ial1_user
+        reset_email
+        expire_reauthn_window
+      end
+
+      it 'does not send a new device sign-in notification' do
+        within('.sidenav') { click_on t('account.navigation.add_phone_number') }
+        expect(page).to have_current_path(login_two_factor_options_path)
+        click_on t('forms.buttons.continue')
+        fill_in_code_with_last_phone_otp
+        click_submit_default
+
+        expect_delivered_email_count(0)
+      end
+    end
   end
 
   context 'user does not have existing devices' do