I understand my PR breaks security, but I still wish to fix this problem in alternative way. Logging in https://<hostname>/cas directly is important in testing, which is impossible if MFA trust device is enabled.
The problem is in support/cas-server-support-trusted-mfa-core/src/main/java/org/apereo/cas/trusted/authentication/DefaultMultifactorAuthenticationTrustedDeviceBypassEvaluator.java, which receives a null registeredService, therefore causing exception in registeredServiceAccessStrategyEnforcer.execute(audit).
To workaround the problem, I'd like to ask is is possible to create a dummy RegisteredService, so that registeredServiceAccessStrategyEnforcer.execute would not fail? Any security concerns?