feat: notify users about security setting changes

[davideluque]

Summary

• add a queued security settings notification mail for TOTP and passkey changes
• send notifications when TOTP is enabled, disabled, or recovery codes are regenerated, and when passkeys are added or removed
• document the local smtp4dev setup and add functional coverage for the new notification flows

Testing

• npm run lint
• npm run typecheck
• node ace test --files tests/functional/profile/totp.spec.ts --files tests/functional/profile/webauthn.spec.ts

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security posture by introducing automated email notifications for critical changes to a user's security settings. Users will now receive immediate alerts when their TOTP status changes or recovery codes are regenerated, and when passkeys are added or removed, providing an important layer of awareness and protection against unauthorized account modifications.

Highlights

• Email Notifications for TOTP Changes: Implemented email notifications to users when their Two-Factor Authentication (TOTP) is enabled, disabled, or when their recovery codes are regenerated.
• Email Notifications for Passkey Changes: Introduced email notifications to users when passkeys are added to or removed from their account.
• Documentation Update: Updated the README.example.md with instructions for setting up and using smtp4dev for local email testing, including necessary environment variables and how to run the mail queue listener.
• Functional Test Coverage: Added comprehensive functional tests to verify the correct queuing and content of security settings change notification emails for both TOTP and WebAuthn (passkey) actions.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• README.example.md
  • Added documentation for mail environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, MAIL_FROM_ADDRESS, MAIL_FROM_NAME).
  • Included instructions for local smtp4dev setup and running the mail queue listener.
• app/controllers/profile/totp_controller.ts
  • Imported queueSecuritySettingsChangedMail service.
  • Added calls to queueSecuritySettingsChangedMail when TOTP is enabled, disabled, and when recovery codes are regenerated.
• app/controllers/profile/webauthn_controller.ts
  • Imported queueSecuritySettingsChangedMail service.
  • Modified passkey registration to return the id of the inserted credential.
  • Added calls to queueSecuritySettingsChangedMail when a passkey is successfully added or removed.
• app/mails/security_settings_changed.ts
  • Created a new mail class SecuritySettingsChangedMail to handle various security notification types (TOTP enabled/disabled/recovery codes regenerated, passkey added/removed).
  • Defined content generation logic (subject, summary, detail) based on the type of security change.
• app/services/security_settings_notifications.ts
  • Created a new service queueSecuritySettingsChangedMail to encapsulate the logic for queuing security notification emails, including error handling.
• config/mail.ts
  • Configured the default from address and name for outgoing emails using new environment variables MAIL_FROM_ADDRESS and MAIL_FROM_NAME.
• start/env.ts
  • Added schema definitions for MAIL_FROM_ADDRESS and MAIL_FROM_NAME environment variables.
• tests/functional/profile/totp.spec.ts
  • Added new functional tests to assert that emails are correctly queued when TOTP is enabled, disabled, and recovery codes are regenerated.
• tests/functional/profile/webauthn.spec.ts
  • Added new functional tests to assert that emails are correctly queued when a passkey is added and removed.

Activity

• No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an important security feature: notifying users via email about changes to their security settings, such as TOTP and passkey modifications. The implementation correctly uses a queued job for sending emails, preventing request blocking and improving resilience. The changes are well-structured, include comprehensive functional tests, and update the project documentation. I have one suggestion to improve the maintainability of the new mailer component.

[davideluque]

@copilot review

[Copilot]

@davideluque I've opened a new pull request, #449, to work on those changes. Once the pull request is ready, I'll request review from you.

[davideluque]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a valuable security feature by notifying users of changes to their security settings, such as TOTP and passkey modifications. The implementation is well-structured, utilizing a dedicated mailer and service for queuing notifications. The changes are accompanied by thorough documentation and test coverage. My review focuses on simplifying the test setup by removing redundant code and leveraging the global test configuration, which will improve maintainability.

[davideluque]

I am in doubt if the changes made to this file are necessary.

[davideluque]

Same as https://github.com/abtion/adonisjs-template/pull/448/changes#r2941336315

[davideluque]

Did we not include the happy path here because it is tested in the other tests? What happens if the other tests are removed? Does the service become untested? I see it can be DRY to test the happy path in other tests, so we avoid testing the same path many times. At the same time, I am in doubt about the benefit when this service is isolated. Of course, this is not a super complex feature, so it might be okay to leave this service untested if the other tests are removed, but I still want to clear up my doubts.

[davideluque]

Same question as in: https://github.com/abtion/adonisjs-template/pull/448/changes#r2941373940

[davideluque]

Look into how we do mail stubbing in DMG and compare the two