feat(admin): add UI warning for concurrent 2FA priority

[Its-Onkar]

Description

This PR adds clarification text to the Two Factor Authentication settings in the Admin panel to inform administrators that TOTP takes priority when both authentication methods are enabled.

Motivation

When both TOTP and Email 2FA are enabled simultaneously, only TOTP verification is prompted during login. The Email 2FA step is automatically skipped due to the backend's method selection logic. This behavior is not currently communicated in the UI, which can lead to security misconfigurations where admins expect both layers to be active (Closes #35528).

This PR adds a non-intrusive hint to the settings to manage administrator expectations without altering the underlying authentication flow.

Changes

• Settings Definition: Added i18nDescription fields to Accounts_TwoFactorAuthentication_By_TOTP_Enabled and Accounts_TwoFactorAuthentication_By_Email_Enabled.
• Translations: Added English strings clarifying the priority logic for both settings.

How to Test

1. Log in as an administrator.
2. Navigate to Administration → Settings → Accounts → Two Factor Authentication.
3. Verify that the new hint text appears under both the TOTP and Email 2FA toggles.

Screenshots

Summary by CodeRabbit

• Documentation
  • Added descriptive text for two admin 2FA settings, clarifying that when both methods are enabled, TOTP takes priority over Email-based 2FA.
• Chores
  • Added a changeset and applied patch bumps to record the 2FA description updates.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 2d0ebed

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/i18n	Patch
@rocket.chat/meteor	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/livechat	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/http-router	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

Walkthrough

Added i18nDescription fields to two Two-Factor Authentication account settings and updated English locale descriptions to clarify that TOTP takes precedence over Email 2FA when both are enabled. Added a changeset and two git-rewrite reference files.

Changes

Cohort / File(s)	Summary
Settings metadata apps/meteor/server/settings/accounts.ts	Added i18nDescription keys for Accounts_TwoFactorAuthentication_By_TOTP_Enabled and Accounts_TwoFactorAuthentication_By_Email_Enabled.
English locale strings packages/i18n/src/locales/en.i18n.json	Appended precedence notes to Accounts_TwoFactorAuthentication_By_TOTP_Enabled_Description and Accounts_TwoFactorAuthentication_By_Email_Enabled_Description indicating TOTP takes priority over Email 2FA.
Changeset .changeset/sixty-cooks-call.md	Added changeset bumping @rocket.chat/i18n and @rocket.chat/meteor to patch and documenting the 2FA precedence clarification.
Repository refs (data files) .git-rewrite/heads, .git-rewrite/raw-refs	Added files enumerating git refs/tags and branch names (pure data population, no code changes).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• lucas-a-pelegrino
• KevLehman

Poem

🐰 I nibbled notes in settings' light,

TOTP hops first — a clear delight,
A tiny sign for admins' view,
So choices know just what to do,
🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	❓ Inconclusive	Changes to .git-rewrite files appear to be git metadata and are outside the scope of the feature objectives; however, they may be infrastructure-related or auto-generated artifacts.	Clarify whether .git-rewrite/heads and .git-rewrite/raw-refs are necessary for this feature or if they should be excluded from the commit.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(admin): add UI warning for concurrent 2FA priority' accurately summarizes the main change: adding UI clarification about 2FA priority in admin settings.
Linked Issues check	✅ Passed	The PR implements the requested solution from #35528 by clarifying in the UI that TOTP takes priority when both TOTP and Email 2FA are enabled, matching the stated objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/i18n/src/locales/en.i18n.json (1)

372-375: TOTP priority clarification looks correct; consider tiny wording polish

The new notes on both descriptions clearly and accurately state that TOTP takes priority and Email 2FA will not be used when TOTP is enabled, which matches the described backend behavior and should reduce admin confusion.

If you want to nit-pick wording while you’re here, you could change “Users can setup their Two Factor Authentication…” to “Users can set up their two-factor authentication…” for grammatical correctness and consistency, but that’s optional.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c805070 and 45369c3.

📒 Files selected for processing (2)

• apps/meteor/server/settings/accounts.ts
• packages/i18n/src/locales/en.i18n.json

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/settings/accounts.ts

🔇 Additional comments (2)

apps/meteor/server/settings/accounts.ts (2)

29-34: LGTM! Email 2FA i18n key is properly translated across all locales.

The i18nDescription key is verified across 25+ language files, creating consistent UI hints for both authentication methods. The translations include priority notes explaining TOTP's precedence when enabled.

---

22-27: LGTM! i18nDescription follows established pattern.

The addition of i18nDescription follows the existing convention used throughout this file and properly references the translation key.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/sixty-cooks-call.md (1)

6-6: Make the changeset description more specific for clarity.

The description "Add clarification note for 2FA priority logic in admin settings" is somewhat generic. Consider revising it to explicitly mention that the change adds i18nDescription fields clarifying that TOTP takes priority over Email 2FA. This provides better context for reviewers reading the changelog.

Example revision: "Add i18nDescription fields to 2FA settings clarifying that TOTP takes priority over Email authentication"

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 45369c3 and 2703a03.

📒 Files selected for processing (1)

• .changeset/sixty-cooks-call.md

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-11-19T12:32:29.696Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37547
File: packages/i18n/src/locales/en.i18n.json:634-634
Timestamp: 2025-11-19T12:32:29.696Z
Learning: Repo: RocketChat/Rocket.Chat
Context: i18n workflow
Learning: In this repository, new translation keys should be added to packages/i18n/src/locales/en.i18n.json only; other locale files are populated via the external translation pipeline and/or fall back to English. Do not request adding the same key to all locale files in future reviews.

Applied to files:

• .changeset/sixty-cooks-call.md

📚 Learning: 2025-11-19T18:20:07.720Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 37419
File: packages/i18n/src/locales/en.i18n.json:918-921
Timestamp: 2025-11-19T18:20:07.720Z
Learning: Repo: RocketChat/Rocket.Chat — i18n/formatting
Learning: This repository uses a custom message formatting parser in UI blocks/messages; do not assume standard Markdown rules. For keys like Call_ended_bold, Call_not_answered_bold, Call_failed_bold, and Call_transferred_bold in packages/i18n/src/locales/en.i18n.json, retain the existing single-asterisk emphasis unless maintainers request otherwise.

Applied to files:

• .changeset/sixty-cooks-call.md

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/i18n/src/locales/en.i18n.json (1)

372-374: 2FA precedence copy is correct; optional microcopy alignment

The new notes accurately communicate that TOTP takes precedence and Email 2FA is skipped when both are enabled, matching the intended behavior and the linked issue.

If you want to tighten and align the two hints further (optional only), you could make the TOTP note explicitly mirror the email one, e.g.:

Optional wording tweak

- "Accounts_TwoFactorAuthentication_By_TOTP_Enabled_Description": "Users can setup their Two Factor Authentication using any TOTP App, like Google Authenticator or Authy. Note: When TOTP is enabled for a user, it takes priority over Email 2FA.",
+ "Accounts_TwoFactorAuthentication_By_TOTP_Enabled_Description": "Users can setup their Two Factor Authentication using any TOTP App, like Google Authenticator or Authy. Note: If Email 2FA is also enabled, TOTP takes priority and Email 2FA will not be used."

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c83586a and 2d0ebed.

📒 Files selected for processing (6)

• .changeset/sixty-cooks-call.md
• .git-rewrite/backup-refs
• .git-rewrite/heads
• .git-rewrite/raw-refs
• apps/meteor/server/settings/accounts.ts
• packages/i18n/src/locales/en.i18n.json

✅ Files skipped from review due to trivial changes (2)

• .git-rewrite/raw-refs
• .git-rewrite/heads

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/meteor/server/settings/accounts.ts
• .changeset/sixty-cooks-call.md