Conversation

@irby
Contributor

@irby irby commented Dec 4, 2025

Description

Addresses issue #1030 to introduce security notifications to the Hanko backend.

Implementation

By default, this enhancement will enable all security notifications until the notifications are disabled via the config. Each notification type has its own toggle to enable / disable the notification.

These are the security notification types added:

  • email added to account
  • email deleted from account
  • primary email address updated
  • passkey created
  • password updated
  • mfa enabled
  • mfa disabled

Whenever a notification is sent to the end user, an audit log is recorded noting the type of notification sent and the email address the notification was sent to.

Tests

Aside from some unit tests around default configuration and disabled configurations, there are not any automated tests that address these changes, as I had quite a bit of difficulty with getting unit tests to work with the flow api.

I did manually test all the various security notifications and confirmed they all work as expected.

irby added 22 commits October 5, 2025 20:49
@irby irby changed the title Feat/1030/security nofications v2 Add Security Notifications Dec 4, 2025
@FlxMgdnz FlxMgdnz requested a review from lfleischmann December 4, 2025 10:26
@FlxMgdnz
Member

FlxMgdnz commented Dec 4, 2025

Thank you @irby 🙏🏼

Member

@lfleischmann lfleischmann left a comment

Currently, I only receive an "MFA enabled" notification when either an OTP secret or a security key is registered for the very first time or an "MFA disabled" notification when all second factors have been removed, but I do not receive notifications for

  • removing a second factor when it is not the last one
  • adding additional security keys
  • adding an OTP secret when there already is a security key registered

But I think there should be notifications for these cases. What do you think @FlxMgdnz ?

}

type SecurityNotificationConfiguration struct {
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
Member

JSON schema default should probably be true since all of these are set to true in the default config, no?

Suggested change
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=false"`
Enabled bool `yaml:"enabled" json:"enabled,omitempty" koanf:"enabled" jsonschema:"default=true"`

Contributor Author

Yes, that should be made. Initially I made the config default to false but talking to Felix we decided to make this default to true, didn't make this change here after the fact. Will update.


passkey_create_text:
description: ""
other: "Your {{ .ServiceName }} account has been registered with a new passkey."
Member

@lfleischmann lfleischmann Dec 18, 2025

I get this message when I already have an account registered and I add a passkey through the profile, so it is not the account that has been registered but the passkey itself, but I do not get this message when creating an account and registering a passkey during registration. I think the other value for the subject is a better fit.

The same holds true for the German text. Not sure about the other languages though.

Member

We should rephrase the message slightly to avoid any misunderstandings. A security notification should never be sent during the registration flow.

Proposed wording:
“A new passkey has been added to your {{ .ServiceName }} account.”


passkey_create_text:
description: ""
other: "Ihr {{ .ServiceName }}-Konto wurde mit einem neuen Passkey registriert."
Member

See the comment for the English texts.

Member

"Ein neuer Passkey wurde zu Ihrem {{ .ServiceName }}-Konto hinzugefügt."

Contributor Author

Will update the translation for all locales.

@FlxMgdnz
Member

Currently, I only receive an "MFA enabled" notification when either an OTP secret or a security key is registered for the very first time or an "MFA disabled" notification when all second factors have been removed, but I do not receive notifications for

  • removing a second factor when it is not the last one
  • adding additional security keys
  • adding an OTP secret when there already is a security key registered

But I think there should be notifications for these cases. What do you think @FlxMgdnz ?

We discussed this internally again and think it would indeed be better to always send a security notification whenever a second factor is added or removed, instead of using the “2FA enabled” or “2FA disabled” notifications.

Overall, the more granular notifications add an extra layer of security. For example, a compromised account where an attacker adds an additional second factor would otherwise go unnoticed.

Sorry @irby that I initially said this differently. Could you still make this change?
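To make the two behaviours discussed above concrete, here is an added, hypothetical Go model of the notification decision (not Hanko's code; the event and config type names are assumptions). `FirstLastOnly` reproduces what the reviewer observed, `PerChange` the behaviour requested in this thread, with the per-type toggles the PR describes defaulting to true.

```go
package main

import "strings"

// Hypothetical model of the decision discussed in this thread; not Hanko's code.
// SecondFactorEvent describes the user's second factors after a change.
type SecondFactorEvent struct {
	Kind     string // "otp_added", "otp_removed", "security_key_added", "security_key_removed"
	HasOTP   bool   // OTP secret present after the change
	KeyCount int    // security keys present after the change
}

// Config mirrors the per-type toggles the PR describes; all default to true.
type Config struct {
	MFAEnabled, MFADisabled, SecondFactorAdded, SecondFactorRemoved bool
}

func DefaultConfig() Config { return Config{true, true, true, true} }

func (e SecondFactorEvent) isAdd() bool { return strings.HasSuffix(e.Kind, "_added") }

func (e SecondFactorEvent) factors() int {
	if e.HasOTP {
		return e.KeyCount + 1
	}
	return e.KeyCount
}

// FirstLastOnly is the behaviour the reviewer observed: only the first factor
// and the removal of the last one produce a notification.
func FirstLastOnly(cfg Config, e SecondFactorEvent) string {
	switch {
	case e.isAdd() && e.factors() == 1 && cfg.MFAEnabled:
		return "mfa_enabled"
	case !e.isAdd() && e.factors() == 0 && cfg.MFADisabled:
		return "mfa_disabled"
	}
	return ""
}

// PerChange is the behaviour requested in the thread: every add or remove
// notifies, so an extra factor registered on a compromised account is not silent.
func PerChange(cfg Config, e SecondFactorEvent) string {
	switch {
	case e.isAdd() && cfg.SecondFactorAdded:
		return "second_factor_added"
	case !e.isAdd() && cfg.SecondFactorRemoved:
		return "second_factor_removed"
	}
	return ""
}
```

A security key added while an OTP secret already exists is exactly the case the reviewer listed: `FirstLastOnly` stays silent, `PerChange` returns `second_factor_added`.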

@irby
Contributor Author

irby commented Dec 18, 2025

Hey @FlxMgdnz, yes, I can make the changes. I will be on vacation for the holidays starting tomorrow so it may be after the New Year before I get the updates in.
