
Conversation


@yash-rajpal yash-rajpal commented Oct 28, 2025

Proposed changes (including videos or screenshots)

Upon creating new users, it should respect all settings related to email 2FA: Accounts_TwoFactorAuthentication_Enabled, Accounts_TwoFactorAuthentication_By_Email_Enabled and Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In. If one of them is disabled, it should auto opt in new users for email 2FA.

Issue(s)

Steps to test or reproduce

  • Enable Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In but disable its parent settings, which are Accounts_TwoFactorAuthentication_By_Email_Enabled and Accounts_TwoFactorAuthentication_Enabled
  • Upon creating new users, it auto opts in new users for email 2FA even when parent settings are disabled

Further comments

SUP-866

Summary by CodeRabbit

Bug Fixes

  • Fixed email-based two-factor authentication auto-enrollment behavior for newly created users. Previously, new accounts could be auto-enrolled in email 2FA even when certain security settings were disabled. The system now correctly evaluates all related security configurations before automatically enabling email 2FA for new user accounts.


dionisio-bot bot commented Oct 28, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is targeting the wrong base branch. It should target 7.13.0, but it targets 7.12.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Oct 28, 2025

🦋 Changeset detected

Latest commit: 3e12859

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch



coderabbitai bot commented Oct 28, 2025

Walkthrough

This change fixes a bug where new users were automatically enrolled in email-based two-factor authentication even when prerequisite settings were disabled. The fix implements multi-flag validation: email 2FA auto opt-in now requires three conditions—2FA globally enabled, email 2FA enabled, and auto opt-in enabled—before applying to new users.

Changes

Cohort / File(s): Change Summary
Changelog
.changeset/lucky-bulldogs-divide.md
Patch-level release note documenting the fix for improper auto opt-in of new users into email 2FA when related settings were disabled.
Core Fix
apps/meteor/app/authentication/server/startup/index.js
Modified Accounts.insertUserDoc to enforce three-condition gating for email 2FA auto opt-in: Accounts_TwoFactorAuthentication_Enabled, Accounts_TwoFactorAuthentication_By_Email_Enabled, and Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In. Added changedAt timestamp when enabling email 2FA.
Test Suite
apps/meteor/tests/end-to-end/api/users.ts
Added "default email2fa auto opt in configuration" test suite with five tests covering auto opt-in behavior under various flag combinations: all enabled, email 2FA disabled, 2FA disabled, and auto opt-in disabled. Includes cleanup in afterEach hook.

Sequence Diagram

sequenceDiagram
    participant User
    participant API as API/Server
    participant AuthSystem as Authentication System
    participant Settings as Settings Store

    User->>API: Create new user account
    API->>AuthSystem: insertUserDoc()
    AuthSystem->>Settings: Check Accounts_TwoFactorAuthentication_Enabled
    alt Enabled
        AuthSystem->>Settings: Check Accounts_TwoFactorAuthentication_By_Email_Enabled
        alt Enabled
            AuthSystem->>Settings: Check Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In
            alt Enabled
                rect rgba(76, 175, 80, 0.2)
                    Note over AuthSystem: All conditions met
                    AuthSystem->>AuthSystem: Set user.services.email2fa.enabled = true
                    AuthSystem->>AuthSystem: Set changedAt timestamp
                end
            else Disabled
                Note over AuthSystem: Auto opt-in disabled → skip
            end
        else Disabled
            Note over AuthSystem: Email 2FA disabled → skip
        end
    else Disabled
        Note over AuthSystem: 2FA disabled → skip
    end
    AuthSystem->>API: Return user document
    API->>User: User created

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Implementation file (index.js): Verify the multi-flag logic is correctly placed in the user creation flow and that changedAt timestamp is properly set
  • Test coverage: Review the five test cases to ensure they comprehensively validate all flag combinations and edge cases
  • Changelog accuracy: Confirm the release note accurately describes the fix and affected settings

Suggested reviewers

  • ggazzo

Poem

🐰 A user creation tale, now fixed with care,
Three flags must dance, in perfect pair,
No sneaky opt-in, when settings say "nay,"
Email 2FA waits for its proper day!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The pull request title "fix: Email 2FA auto opt in" is clear, concise, and directly related to the main objective of the changeset. The title specifically identifies that this is a fix for email 2FA auto opt-in behavior, which aligns perfectly with the primary code change in the authentication server that adds multi-flag gating to prevent auto opt-in when parent settings are disabled. The title uses the conventional "fix:" prefix and provides sufficient detail that a developer scanning the repository history would understand the purpose of this change.
Linked Issues Check ✅ Passed The code changes comprehensively address the requirements from linked issue SUP-866. The main code modification in apps/meteor/app/authentication/server/startup/index.js implements the core fix by requiring three conditions (global 2FA enabled, email 2FA enabled, and auto opt-in enabled) before auto-opting new users into email 2FA, which directly resolves the issue where auto opt-in would activate users even when parent settings were disabled. The accompanying test suite in apps/meteor/tests/end-to-end/api/users.ts validates all four scenarios including auto opt-in success when all settings are enabled and three failure cases when any parent setting is disabled. The changelog entry documents the fix appropriately. All objectives from SUP-866 regarding preventing incorrect auto opt-in behavior and ensuring consistency with parent settings are met.
Out of Scope Changes Check ✅ Passed All changes in this pull request are directly scoped to addressing the email 2FA auto opt-in issue described in SUP-866. The modifications include the necessary code change to the user document insertion logic, comprehensive end-to-end tests validating the fix with various setting combinations, and an appropriate changelog entry. No alterations to exported or public signatures were detected, and no changes exist outside the scope of fixing this specific issue. The test cleanup using afterEach is properly contained within the new test suite and is necessary for test isolation.


codecov bot commented Oct 28, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.91%. Comparing base (88aa28e) to head (3e12859).
⚠️ Report is 1 commits behind head on develop.


@@             Coverage Diff             @@
##           develop   #37326      +/-   ##
===========================================
- Coverage    67.92%   67.91%   -0.02%     
===========================================
  Files         3356     3356              
  Lines       114887   114887              
  Branches     20758    20770      +12     
===========================================
- Hits         78040    78022      -18     
- Misses       34157    34179      +22     
+ Partials      2690     2686       -4     
Flag Coverage Δ
e2e 57.44% <ø> (+<0.01%) ⬆️
unit 71.97% <ø> (-0.04%) ⬇️


@yash-rajpal yash-rajpal marked this pull request as ready for review October 28, 2025 17:42
@yash-rajpal yash-rajpal requested a review from a team as a code owner October 28, 2025 17:43
@yash-rajpal yash-rajpal added the stat: QA assured Means it has been tested and approved by a company insider label Oct 28, 2025
@yash-rajpal yash-rajpal added this to the 7.13.0 milestone Oct 28, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Oct 28, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.changeset/lucky-bulldogs-divide.md (1)

5-5: Consider hyphenating compound modifiers for clarity.

The static analysis tools suggest hyphenating compound terms for readability:

  • "auto opt in" → "auto opt-in"
  • "email two factor authentication" → "email two-factor authentication"
  • "two factor authentication" → "two-factor authentication"

While the message is clear as written, these hyphenations would align with standard English style guides for compound modifiers.

Apply this diff to improve readability:

-Fixes an issue related to creating new users, it should not auto opt in new users for email two factor authentication if any one of `Accounts_TwoFactorAuthentication_Enabled`, `Accounts_TwoFactorAuthentication_By_Email_Enabled` and `Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In` setting is disabled.
+Fixes an issue related to creating new users. New users should not be auto-opted-in for email two-factor authentication if any one of `Accounts_TwoFactorAuthentication_Enabled`, `Accounts_TwoFactorAuthentication_By_Email_Enabled`, or `Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In` settings is disabled.
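Review bot: the `+` line over-hyphenates "auto-opted-in"; "automatically opted in to email two-factor authentication" is the idiomatic form, and "if any one of ... settings is disabled" should read "if any of the ... settings is disabled". Splitting the original comma splice into two sentences and changing "and" to "or" is right, since with "any one of" the list is disjunctive.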

📥 Commits

Reviewing files that changed from the base of the PR and between 157c0d1 and b627bc0.

📒 Files selected for processing (3)
  • .changeset/lucky-bulldogs-divide.md (1 hunks)
  • apps/meteor/app/authentication/server/startup/index.js (1 hunks)
  • apps/meteor/tests/end-to-end/api/users.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
apps/meteor/tests/end-to-end/api/users.ts (3)
packages/core-typings/src/IUser.ts (1)
  • IUser (186-255)
apps/meteor/tests/data/users.helper.ts (2)
  • deleteUser (55-62)
  • login (39-53)
apps/meteor/tests/data/api-data.ts (2)
  • request (10-10)
  • credentials (39-42)
🔇 Additional comments (2)
apps/meteor/app/authentication/server/startup/index.js (1)

310-320: LGTM! Multi-flag validation correctly implemented.

The three-flag check properly gates email 2FA auto opt-in by requiring all conditions to be met:

  1. Global 2FA enabled
  2. Email-based 2FA enabled
  3. Email 2FA auto opt-in enabled

This fixes the issue where enabling Auto_Opt_In while parent settings were disabled incorrectly opted in new users. The addition of the changedAt timestamp is also a good practice for tracking when the setting was applied.

apps/meteor/tests/end-to-end/api/users.ts (1)

697-829: LGTM! Comprehensive test coverage for multi-flag validation.

The test suite thoroughly validates the email 2FA auto opt-in behavior:

  • ✅ Baseline: Auto opt-in when all flags enabled
  • ✅ Guard: No opt-in when email 2FA disabled
  • ✅ Guard: No opt-in when global 2FA disabled
  • ✅ Guard: No opt-in when auto opt-in disabled

The test structure is well-organized with:

  • Proper cleanup in afterEach to reset settings and delete test users
  • Consistent verification pattern across all test cases
  • Clear test descriptions matching the expected behavior
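The three-flag gate reviewed above, as an added example that is not Rocket.Chat's own code: `getSetting` stands in for the project's settings lookup (an assumption), and the constructed scenarios mirror the PR's four end-to-end cases plus an unset-parent case, which is why the comparison is strict so a missing parent setting fails closed.

```javascript
// Added example, not Rocket.Chat's own code: the three-setting gate the PR adds
// to Accounts.insertUserDoc, written stand-alone. `getSetting` is an assumed
// lookup (setting name -> value); the project's real settings API is not used.

const EMAIL_2FA_SETTINGS = [
  'Accounts_TwoFactorAuthentication_Enabled', // parent: 2FA globally
  'Accounts_TwoFactorAuthentication_By_Email_Enabled', // parent: email method
  'Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In', // child: enrol new users
];

// True only when every setting is literally `true`. A missing or non-boolean
// value fails closed, so the child toggle can never enrol users while a parent
// toggle is off or unset (the bug this PR fixes was the child acting alone).
function shouldAutoOptInEmail2fa(getSetting) {
  return EMAIL_2FA_SETTINGS.every((name) => getSetting(name) === true);
}

// What the insertUserDoc hook does to the new user document: enable email 2FA
// and record when it was enabled; otherwise leave `services.email2fa` untouched.
function applyEmail2faAutoOptIn(user, getSetting, now = new Date()) {
  if (!shouldAutoOptInEmail2fa(getSetting)) {
    return user;
  }
  user.services = user.services || {};
  user.services.email2fa = { enabled: true, changedAt: now };
  return user;
}

// Constructed settings table: all three true, with the given overrides applied.
function scenario(overrides = {}) {
  const table = Object.fromEntries(EMAIL_2FA_SETTINGS.map((n) => [n, true]));
  Object.assign(table, overrides);
  return (name) => table[name];
}

// The PR's four end-to-end cases plus an unset parent, evaluated through the gate.
function runScenarios() {
  const off = (name) => scenario({ [name]: false });
  return {
    allEnabled: shouldAutoOptInEmail2fa(scenario()),
    emailDisabled: shouldAutoOptInEmail2fa(off('Accounts_TwoFactorAuthentication_By_Email_Enabled')),
    globalDisabled: shouldAutoOptInEmail2fa(off('Accounts_TwoFactorAuthentication_Enabled')),
    autoOptInDisabled: shouldAutoOptInEmail2fa(off('Accounts_TwoFactorAuthentication_By_Email_Auto_Opt_In')),
    unsetParent: shouldAutoOptInEmail2fa(scenario({ Accounts_TwoFactorAuthentication_Enabled: undefined })),
  };
}
```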

@kodiakhq kodiakhq bot merged commit eb631f6 into develop Oct 29, 2025
48 checks passed
@kodiakhq kodiakhq bot deleted the fix/users-email2FA-auto-opt-in branch October 29, 2025 11:15

reetp commented Oct 29, 2025

Yash, can you check issues for '2FA' and link them as I think there are a couple this will fix?

https://github.com/RocketChat/Rocket.Chat/issues?q=is%3Aissue%20state%3Aopen%202fa

Possibly 35528, and others?
