[PM-17645] : update email for new email multi factor tokens

[ike-kottlowski]

🎟️ Tracking

PM-17645

📔 Objective

When directing the user through Two Factor and New Device Verification we want to add extra metadata to the email to help the user make an informed decision on the source of the email.

📸 Screenshots

Demo of full functionality

firefox_nv4vw7DVwo.mp4

1. User is prompted with new device verification email
2. User is able to request another new device verification email
3. User is able to login with token
4. User is able to set up email two-factor - NOTE that the verbiage in the set-up email is different.
5. User is able to login with email two-factor authentication - NOTE that the account email is not the same as the two-factor email

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – d143ff53-6e10-48eb-9136-8b0010248012

New Issues (10)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CSRF	/src/Api/Controllers/CollectionsController.cs: 171	details Method Put at line 171 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows... Attack Vector
	CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 87	details Method Put at line 87 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value... Attack Vector
	CSRF	/src/Api/Controllers/CollectionsController.cs: 143	details Method Post at line 143 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
	CSRF	/src/Identity/Controllers/AccountsController.cs: 119	details Method PostRegister at line 119 of /src/Identity/Controllers/AccountsController.cs gets a parameter from a user request from PostRegister. This par... Attack Vector
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 226	details Method UpdateAuthRequestAsync at line 226 of /src/Core/Auth/Services/Implementations/AuthRequestService.cs sends user information outside the appli... Attack Vector
	Privacy_Violation	/src/Core/NotificationHub/NotificationHubPushNotificationService.cs: 308	details Method PushAuthRequestAsync at line 308 of /src/Core/NotificationHub/NotificationHubPushNotificationService.cs sends user information outside the a... Attack Vector
	Log_Forging	/src/Api/Auth/Controllers/AuthRequestsController.cs: 75	details Method Post at line 75 of /src/Api/Auth/Controllers/AuthRequestsController.cs gets user input from element model. This element’s value flows throug... Attack Vector
	Log_Forging	/src/Api/Auth/Controllers/AuthRequestsController.cs: 87	details Method PostAdminRequest at line 87 of /src/Api/Auth/Controllers/AuthRequestsController.cs gets user input from element model. This element’s value ... Attack Vector
	Missing_CSP_Header	/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs: 5	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector
	Unsafe_Use_Of_Target_blank	/src/Core/MailTemplates/Handlebars/Auth/TwoFactorEmail.html.hbs: 11	details Using <a target="_blank" clicktracking="off" href="{{{WebVaultUrl}}}" style="-webkit-font-smoothing: antialiased;-webkit-text-size-adjust: none;box... Attack Vector

Fixed Issues (34)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Privacy_Violation	/src/Core/Auth/Services/Implementations/AuthRequestService.cs: 221
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/PayPalController.cs: 70
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/RecoveryController.cs: 38
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164
	Log_Forging	/src/Billing/Controllers/StripeController.cs: 164

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

Attention: Patch coverage is 83.78378% with 6 lines in your changes missing coverage. Please review.

Project coverage is 44.47%. Comparing base (06c96a9) to head (ebfbdac).

Files with missing lines	Patch %	Lines
.../Services/Implementations/HandlebarsMailService.cs	76.92%	2 Missing and 1 partial ⚠️
src/Core/Services/Implementations/UserService.cs	85.71%	0 Missing and 2 partials ⚠️
src/Api/Auth/Controllers/TwoFactorController.cs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5428   +/-   ##
=======================================
  Coverage   44.46%   44.47%           
=======================================
  Files        1511     1512    +1     
  Lines       70266    70294   +28     
  Branches     6342     6345    +3     
=======================================
+ Hits        31245    31264   +19     
- Misses      37679    37684    +5     
- Partials     1342     1346    +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Patrick-Pimentel-Bitwarden]

👍 Changes looks good. One non blocking question. Thank you for the tests and the video.