DEV: Do not require session confirmation for new users (#24799)

When making sensitive changes to an account (adding 2FA or passkeys), we
require users to confirm their password. This is to prevent an attacker
from adding 2FA to an account they have access to.

However, on newly created accounts, we should not require this, it's an
extra step and it doesn't provide extra security (since the account was
just created). This commit makes it so that we don't require session
confirmation for accounts created less than 5 minutes ago.

app/controllers/users_controller.rb

@@ -1525,7 +1525,7 @@ class UsersController < ApplicationController
   end
 
   def trusted_session
-    render json: secure_session_confirmed? ? success_json : failed_json
+    render json: secure_session_confirmed? || user_just_created ? success_json : failed_json
   end
 
   def list_second_factors
@@ -1746,12 +1746,17 @@ class UsersController < ApplicationController
     render json: success_json
   end
 
+  def user_just_created
+    current_user.created_at > 5.minutes.ago
+  end
+
   def check_confirmed_session
     if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins
       raise Discourse::NotFound
     end
 
-    raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed?
+    raise Discourse::InvalidAccess.new if !current_user
+    raise Discourse::InvalidAccess.new unless user_just_created || secure_session_confirmed?
   end
 
   def revoke_account