[User] Disallow SMS enrollment for fresh users (#12371)

garyhtou · web-flow · commit 4f069af5ed3f · 2025-12-08T11:33:45.000-08:00
diff --git a/app/services/user_service/enroll_sms_auth.rb b/app/services/user_service/enroll_sms_auth.rb
@@ -12,11 +12,15 @@ def start_verification
       # doing this here to be safe.
       raise ArgumentError.new("phone number for user: #{@user.id} not in E.164 format") unless @user.phone_number =~ /\A\+[1-9]\d{1,14}\z/
 
+      disallow_fresh_users
+
       TwilioVerificationService.new.send_verification_request(@user.phone_number)
     end
 
     # Completing the phone number verification by checking that exchanging code works
     def complete_verification(verification_code)
+      disallow_fresh_users
+
       begin
         verified = TwilioVerificationService.new.check_verification_token(@user.phone_number, verification_code)
       rescue Twilio::REST::RestError
@@ -33,6 +37,8 @@ def enroll_sms_auth
       raise SMSEnrollmentError("user has no phone number") if @user.phone_number.blank?
       raise SMSEnrollmentError("user has not verified phone number") unless @user.phone_number_verified
 
+      disallow_fresh_users
+
       @user.use_sms_auth = true
       @user.save!
     end
@@ -47,5 +53,11 @@ def disable_sms_auth
     class SMSEnrollmentError < StandardError
     end
 
+    def disallow_fresh_users
+      return if @user.created_at < 1.day.ago
+
+      raise SMSEnrollmentError("Please wait at least 24 hours after creating your account before enrolling in SMS authentication.")
+    end
+
   end
 end
