authorGusted <postmaster@gusted.xyz>2024-07-26 19:26:44 +0200
committerGusted <postmaster@gusted.xyz>2024-07-26 19:49:22 +0200
commita7e96aae66169f5d6f502710aeeaa563eb856534 (patch)
treecf430b583fb528933d210858ab78356fb4ad599d /services
parentMerge pull request 'chore(renovate): fix renovate grouping' (#4700) from vice... (diff)
[SEC] Notify owner about TOTP enrollment
- In the spirit of #4635 - Notify the owner when their account is getting enrolled into TOTP. The message changes depending on whether they have security keys or not. - Integration test added.
Diffstat (limited to 'services')
-rw-r--r--services/mailer/mail.go34
1 files changed, 34 insertions, 0 deletions
diff --git a/services/mailer/mail.go b/services/mailer/mail.go
index 87df3d1397..01ab84bcf5 100644
--- a/services/mailer/mail.go
+++ b/services/mailer/mail.go
@@ -44,6 +44,7 @@ const (
mailAuthPrimaryMailChange base.TplName = "auth/primary_mail_change"
mailAuth2faDisabled base.TplName = "auth/2fa_disabled"
mailAuthRemovedSecurityKey base.TplName = "auth/removed_security_key"
+ mailAuthTOTPEnrolled base.TplName = "auth/totp_enrolled"
mailNotifyCollaborator base.TplName = "notify/collaborator"
@@ -696,3 +697,36 @@ func SendRemovedSecurityKey(ctx context.Context, u *user_model.User, securityKey
SendAsync(msg)
return nil
}
+
+// SendTOTPEnrolled informs the user that they've been enrolled into TOTP.
+func SendTOTPEnrolled(ctx context.Context, u *user_model.User) error {
+ if setting.MailService == nil {
+ return nil
+ }
+ locale := translation.NewLocale(u.Language)
+
+ hasWebAuthn, err := auth_model.HasWebAuthnRegistrationsByUID(ctx, u.ID)
+ if err != nil {
+ return err
+ }
+
+ data := map[string]any{
+ "locale": locale,
+ "HasWebAuthn": hasWebAuthn,
+ "DisplayName": u.DisplayName(),
+ "Username": u.Name,
+ "Language": locale.Language(),
+ }
+
+ var content bytes.Buffer
+
+ if err := bodyTemplates.ExecuteTemplate(&content, string(mailAuthTOTPEnrolled), data); err != nil {
+ return err
+ }
+
+ msg := NewMessage(u.EmailTo(), locale.TrString("mail.totp_enrolled.subject"), content.String())
+ msg.Info = fmt.Sprintf("UID: %d, enrolled into TOTP notification", u.ID)
+
+ SendAsync(msg)
+ return nil
+}
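Review bot: The bare `return err` after `auth_model.HasWebAuthnRegistrationsByUID` in `SendTOTPEnrolled` drops the security notification entirely when that lookup fails, even though `hasWebAuthn` is only passed to the template as `"HasWebAuthn"` to choose the wording. Both error returns also carry no context, so a log line from the caller will not show which step suppressed the notice. I would wrap them, e.g. `return fmt.Errorf("totp enrolled mail: webauthn lookup for UID %d: %w", u.ID, err)` and `return fmt.Errorf("totp enrolled mail: render template: %w", err)`. The doc comment should also state that the function returns nil without sending when `setting.MailService` is nil, and that a nil return presumably means the message was only handed to `SendAsync`, not delivered. The caller is outside this diff, so it is worth confirming that it logs a non-nil error rather than discarding it.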