feat : Enforce Mfa email notifications (M2-10254) #1988
Merged
📝 Description

🔗 Jira Ticket M2-10254

This PR implements a comprehensive email notification system for Multi-Factor Authentication (MFA) events, providing users with real-time security alerts and awareness of authentication activities on their account.

Changes include:

- MFA Notification Service: New MFANotificationService with 9 notification types:
- Email Templates: 9 professional HTML email templates in src/apps/shared/static/templates/mfa/:
- Request Metadata Tracking: Captures user metadata for security notifications
- Configuration-Driven: All settings configurable via environment variables:
  - MFA__ENABLE_EMAIL_NOTIFICATIONS: Feature flag (default: true)
  - MFA__RECOVERY_CODE_COUNT: Number of codes to generate (default: 10)
  - MFA__FAILED_ATTEMPTS_WARNING_THRESHOLD: Failed attempt warning threshold (default: 5)
  - MFA__DISABLE_FAILED_ATTEMPTS_WARNING_THRESHOLD: Disable attempt warning (default: 1)
  - MFA__LAST_RECOVERY_CODE_WARNING_THRESHOLD: Low codes warning (default: 1)
- Helper Utilities:
  - mfa_helpers.py: Request metadata extraction
  - send_recovery_code_notifications(): Centralized recovery code notification logic
- Integration Points: Notifications integrated into:
🪤 Peer Testing

Requires pipenv shell

Test 1: MFA Enable Notification
1. Create a new user account or use an existing test account
2. Initiate MFA setup via POST /users/me/mfa/totp/initiate
3. Complete MFA setup via POST /users/me/mfa/totp/verify with valid TOTP code
Expected outcome: Receive "MFA Enabled" email with:

Test 2: Recovery Code Usage Notification
1. Enable MFA on test account (if not already enabled)
2. Use a recovery code to authenticate (simulate TOTP unavailability)
3. Check email inbox
Expected outcome: Receive "Recovery Code Used" email

Test 3: Failed Authentication Attempts Warning
1. Enable MFA on test account
2. Attempt MFA verification with invalid TOTP codes 5 times (or configured threshold)
Expected outcome: Receive "Failed Authentication Attempts" warning email after threshold is reached

Test 4: MFA Disable Notification
1. Disable MFA via POST /users/me/mfa/totp/disable/verify
2. Check email inbox
Expected outcome: Receive "MFA Disabled" email

Test 5: Feature Flag (Disable Notifications)
1. Set environment variable: MFA__ENABLE_EMAIL_NOTIFICATIONS=false
2. Restart the application
3. Perform any MFA action (enable, disable, use recovery code, etc.)
Expected outcome:

Test 6: Account Lockout Notification
1. Enable MFA on test account
2. Exceed global lockout threshold (default: 10 failed attempts within cooldown period)
Expected outcome: Receive "Account Locked" CRITICAL email with:
✏️ Notes

- src/apps/shared/static/templates/mfa/ and src/apps/shared/static/subjects/mfa/
- config/mfa.py but can be overridden via environment variables

Related Files:
- src/apps/authentication/services/mfa_notifications.py
- src/apps/authentication/tasks.py
- src/config/mfa.py
- src/apps/authentication/services/mfa_helpers.py
- src/apps/shared/static/templates/mfa/*.html
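The threshold behaviour described under Configuration-Driven and exercised by Tests 3 and 6 above, worked through as an added example that is not the PR's own code: the class and function names, the plain os.environ parsing, and the reading of MFA__DISABLE_FAILED_ATTEMPTS_WARNING_THRESHOLD as the warning threshold for the disable flow are assumptions, and the lockout threshold stays a plain field because the PR names no environment variable for it.

```python
import os
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class MfaNotificationConfig:
    """Defaults mirror the PR description; lockout default is the one quoted in Test 6."""
    enabled: bool = True
    failed_attempts_warning_threshold: int = 5
    disable_failed_attempts_warning_threshold: int = 1
    last_recovery_code_warning_threshold: int = 1
    lockout_threshold: int = 10  # no env var named in the PR, so kept as a field

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "MfaNotificationConfig":
        # Plain os.environ parsing is an assumption; the project may use a settings library.
        flag = env.get("MFA__ENABLE_EMAIL_NOTIFICATIONS", "true").strip().lower()
        return cls(
            enabled=flag in ("1", "true", "yes"),
            failed_attempts_warning_threshold=int(env.get("MFA__FAILED_ATTEMPTS_WARNING_THRESHOLD", "5")),
            disable_failed_attempts_warning_threshold=int(
                env.get("MFA__DISABLE_FAILED_ATTEMPTS_WARNING_THRESHOLD", "1")),
            last_recovery_code_warning_threshold=int(env.get("MFA__LAST_RECOVERY_CODE_WARNING_THRESHOLD", "1")),
        )


def failed_attempt_events(failed_count: int, cfg: MfaNotificationConfig, flow: str = "totp_verify") -> list[str]:
    """Notification types owed after the failed_count-th consecutive failed attempt in `flow`.

    The warning fires exactly once, when the count reaches the threshold, so a persistent
    attacker cannot turn every further failure into another email to the victim.
    """
    if not cfg.enabled:
        return []
    threshold = (cfg.disable_failed_attempts_warning_threshold if flow == "totp_disable"
                 else cfg.failed_attempts_warning_threshold)
    events = []
    if failed_count == threshold:
        events.append("failed_attempts_warning")
    if failed_count >= cfg.lockout_threshold:  # ">=" rather than ">" is an assumption
        events.append("account_locked")
    return events


def recovery_code_events(remaining_codes: int, cfg: MfaNotificationConfig) -> list[str]:
    """Notification types owed right after a recovery code has been consumed."""
    if not cfg.enabled:
        return []
    events = ["recovery_code_used"]
    if remaining_codes <= cfg.last_recovery_code_warning_threshold:
        events.append("last_recovery_code_warning")
    return events
```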