Change graceful rollout time frames for Email OTP

What does this MR do and why?

Change graceful rollout time frames for Email OTP

The time frames should be one week for the email OTP enrollment callout banner and one week for the soft enforcement page instead of the original 30 days each.

Related to: https://gitlab.com/gitlab-org/gitlab/-/issues/581435

References

Screenshots or screen recordings

No UI changes, the banners still look as follows:

Banner

Screenshot_2025-11-27_at_11.54.34

Soft Enforcement

Screenshot_2025-11-27_at_11.55.12 Screenshot_2025-11-27_at_11.55.16

How to set up and validate locally

Callout banner scenario

  1. Sign out
  2. Update the user:

     ```ruby
     user = User.find_by(email: ......)
     user.update!(email_otp_required_after: 8.days.from_now)
     # also testable with any day between 8 and 14
     Feature.enable(:email_based_otp, user)
     ```

  3. Sign in again, and you will see the banner.

Soft enforcement scenario

  1. Update the user:

     ```ruby
     user = User.find_by(email: .......)
     user.update!(email_otp_required_after: 7.days.from_now)
     # also testable with any day between 1 and 7
     # Feature.enable(:email_based_otp, user)
     ```

  2. Log out
  3. Log in. On the page prompting for the verification code, click "skip for now" and you will see the soft enforcement page.

Enforcement scenario

  1. Sign out
  2. Update the user:

     ```ruby
     user = User.find_by(email: ......)
     user.update!(email_otp_required_after: 15.days.from_now)
     # Feature.enable(:email_based_otp, user)
     ```

  3. Log in. On the page prompting for the verification code, there's no longer an option to "skip for now" and I have to enter the email OTP code to log in.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #581435
