Set UserUniqueLogin.expires when creating a new UserUniqueLogin.

tests/unit/accounts/test_services.py

@@ -2034,7 +2034,7 @@ def test_device_is_not_known(self, user_service, monkeypatch):
         user = UserFactory.create(with_verified_primary_email=True)
         send_email = pretend.call_recorder(lambda *a, **kw: None)
         monkeypatch.setattr(services, "send_unrecognized_login_email", send_email)
-        token_service = pretend.stub(dumps=lambda d: "fake_token")
+        token_service = pretend.stub(dumps=lambda d: "fake_token", max_age=60)
         user_service.request = pretend.stub(
             db=user_service.db,
             remote_addr=REMOTE_ADDR,
@@ -2048,6 +2048,17 @@ def test_device_is_not_known(self, user_service, monkeypatch):
         )
 
         assert not user_service.device_is_known(user.id, user_service.request)
+
+        unique_login = (
+            user_service.db.query(services.UserUniqueLogin)
+            .filter(
+                services.UserUniqueLogin.user_id == user.id,
+                services.UserUniqueLogin.ip_address == REMOTE_ADDR,
+            )
+            .one()
+        )
+        assert unique_login.expires is not None
+
         assert send_email.calls == [
             pretend.call(
                 user_service.request,
@@ -2065,7 +2076,7 @@ def test_device_is_pending_not_expired(self, user_service, monkeypatch):
         )
         send_email = pretend.call_recorder(lambda *a, **kw: None)
         monkeypatch.setattr(services, "send_unrecognized_login_email", send_email)
-        token_service = pretend.stub(dumps=lambda d: "fake_token")
+        token_service = pretend.stub(dumps=lambda d: "fake_token", max_age=60)
         user_service.request = pretend.stub(
             db=user_service.db,
             remote_addr=REMOTE_ADDR,
@@ -2123,7 +2134,7 @@ def test_device_is_not_known_bad_user_agent(
         user = UserFactory.create(with_verified_primary_email=True)
         send_email = pretend.call_recorder(lambda *a, **kw: None)
         monkeypatch.setattr(services, "send_unrecognized_login_email", send_email)
-        token_service = pretend.stub(dumps=lambda d: "fake_token")
+        token_service = pretend.stub(dumps=lambda d: "fake_token", max_age=60)
         headers = {}
         if ua_string:
             headers["User-Agent"] = ua_string

warehouse/accounts/services.py

@@ -766,6 +766,8 @@ def device_is_known(self, userid, request):
                 user_id=userid,
                 ip_address=request.remote_addr,
                 status=UniqueLoginStatus.PENDING,
+                expires=datetime.datetime.now(datetime.UTC)
+                + datetime.timedelta(seconds=token_service.max_age),
             )
             request.db.add(unique_login)
             request.db.flush()  # To get the ID for the token

warehouse/migrations/versions/a25f3d5186a9_update_expires_for_pending_user_unique_.py

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+"""
+update expires for pending user_unique_logins
+
+Revision ID: a25f3d5186a9
+Revises: 537b63a29cea
+Create Date: 2025-11-20 19:09:40.492013
+"""
+
+
+from alembic import op
+
+revision = "a25f3d5186a9"
+down_revision = "537b63a29cea"
+
+
+def upgrade():
+    op.execute(
+        """
+        UPDATE user_unique_logins
+        SET expires = created + INTERVAL '6 hours'
+        WHERE status = 'pending' AND expires IS NULL
+        """
+    )
+
+
+def downgrade():
+    pass