Don't apply a session limit when genuinely replacing a session

crates/handlers/src/compat/login.rs

@@ -576,7 +576,8 @@ async fn token_login(
         Device::generate(rng)
     };
 
-    repo.app_session()
+    let session_replaced = repo
+        .app_session()
         .finish_sessions_to_replace_device(clock, &browser_session.user, &device)
         .await?;
 
@@ -586,6 +587,7 @@ async fn token_login(
         .evaluate_compat_login(mas_policy::CompatLoginInput {
             user: &browser_session.user,
             login_type: CompatLoginType::WebSso,
+            session_replaced,
             session_counts,
             requester,
         })
@@ -702,7 +704,8 @@ async fn user_password_login(
         Device::generate(&mut rng)
     };
 
-    repo.app_session()
+    let session_replaced = repo
+        .app_session()
         .finish_sessions_to_replace_device(clock, &user, &device)
         .await?;
 
@@ -712,6 +715,7 @@ async fn user_password_login(
         .evaluate_compat_login(mas_policy::CompatLoginInput {
             user: &user,
             login_type: CompatLoginType::Password,
+            session_replaced,
             session_counts,
             requester: policy_requester,
         })

crates/handlers/src/compat/login_sso_complete.rs

@@ -123,6 +123,8 @@ pub async fn get(
         .evaluate_compat_login(mas_policy::CompatLoginInput {
             user: &session.user,
             login_type: CompatLoginType::WebSso,
+            // TODO should we predict a replacement?
+            session_replaced: false,
             session_counts,
             requester: mas_policy::Requester {
                 ip_address: activity_tracker.ip(),
@@ -251,6 +253,8 @@ pub async fn post(
             user: &session.user,
             login_type: CompatLoginType::WebSso,
             session_counts,
+            // TODO should we predict a replacement?
+            session_replaced: false,
             requester: mas_policy::Requester {
                 ip_address: activity_tracker.ip(),
                 user_agent,

crates/policy/src/model.rs

@@ -197,6 +197,9 @@ pub struct CompatLoginInput<'a> {
     /// How many sessions the user has.
     pub session_counts: SessionCounts,
 
+    /// Whether a session will be replaced by this login
+    pub session_replaced: bool,
+
     // TODO is this actually what we care about? Don't we care a bit more about whether we're in an
     // interactive context or a non-interactive context? (SSO type has both phases :()
     pub login_type: CompatLoginType,