
Conversation

trmartin4
Member

@trmartin4 trmartin4 commented Jun 13, 2025

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-22323

📔 Objective

When we consolidated all 2FA token emails into one template for maintenance purposes as a part of New Device Verification, we added a line instructing users to "Turn on two-step login".

However, on some of the flows that use this email, users are turning on two-step login (or have already done so), so this instruction doesn't make sense.

This PR does two major things to fix this:

  1. Creates a new TwoFactorEmailService, pulling the methods off of the UserService and into their own service. The methods themselves did not change, with the exception of ResendNewDeviceVerificationEmail (see below). The interface of this service allows the sending of:
     • Two Factor Email
     • Two Factor Setup Email
     • New Device Verification Email
     1. Refactored responsibility of the ResendNewDeviceVerificationEmail method. Previously, an email was passed in, and it was the responsibility of the UserService to look up the email and validate the secret. However, that changes the interface from the other methods, which all accept a (validated) User. I opted to pull that logic out of the UserService and, instead of moving it to the TwoFactorEmailService, I moved it into the AccountsController. This mirrors the responsibility of other methods there as well, which validate secrets and call services. I moved the relevant tests there as well.
  2. Introduced a TwoFactorEmailPurpose enum to pass from the TwoFactorEmailService into the MailService to convey why the email was sent, with only the NewDeviceVerification purpose displaying the 2FA reminder.

📸 Screenshots

2FA setup

setup_2fa_email.mov

2FA code entry

send_2fa_email.mov

New device verification code entry

new_device_verification_email.mov

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
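The design the description lays out (one email service with three explicit entry points, a purpose enum carried into the mail layer, and secret validation done by the caller rather than the service) is sketched below as an added example. This is not Bitwarden's code and does not reproduce the repository's types: the enum member names, the `User` record, the `IMailService` shape, the token factory, and the `AccountsResendHandler` class are all assumptions made for illustration. The part worth noting is that the template decision (`DisplayTwoFactorReminder`) is derived from the purpose in one place, and that the resend path checks the secret in constant time before it ever reaches the email service.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Assumed enum mirroring the purpose described in the PR; member names are illustrative.
public enum TwoFactorEmailPurpose
{
    TwoFactor,              // code entry during login
    TwoFactorSetup,         // user is enabling email 2FA
    NewDeviceVerification,  // login from an unrecognised device
}

// Stand-in for the application's User type: only what this sketch needs.
public sealed record User(Guid Id, string Email);

// View model passed to the mail template. The reminder flag is computed from the
// purpose here, so the template itself never needs to know which flow sent the mail.
public sealed class TwoFactorEmailTokenViewModel
{
    public string Token { get; init; } = "";
    public TwoFactorEmailPurpose Purpose { get; init; }
    public bool DisplayTwoFactorReminder => Purpose == TwoFactorEmailPurpose.NewDeviceVerification;
}

public interface IMailService
{
    Task SendTwoFactorEmailAsync(string email, TwoFactorEmailTokenViewModel model);
}

// Three explicit call sites, all taking an already-validated User.
public interface ITwoFactorEmailService
{
    Task SendTwoFactorEmailAsync(User user);
    Task SendTwoFactorSetupEmailAsync(User user);
    Task SendNewDeviceVerificationEmailAsync(User user);
}

public sealed class TwoFactorEmailService : ITwoFactorEmailService
{
    private readonly IMailService _mail;
    private readonly Func<User, string> _tokenFactory; // assumed: real token generation is injected

    public TwoFactorEmailService(IMailService mail, Func<User, string> tokenFactory)
    {
        _mail = mail;
        _tokenFactory = tokenFactory;
    }

    public Task SendTwoFactorEmailAsync(User user) => SendAsync(user, TwoFactorEmailPurpose.TwoFactor);
    public Task SendTwoFactorSetupEmailAsync(User user) => SendAsync(user, TwoFactorEmailPurpose.TwoFactorSetup);
    public Task SendNewDeviceVerificationEmailAsync(User user) => SendAsync(user, TwoFactorEmailPurpose.NewDeviceVerification);

    private Task SendAsync(User user, TwoFactorEmailPurpose purpose) =>
        _mail.SendTwoFactorEmailAsync(user.Email,
            new TwoFactorEmailTokenViewModel { Token = _tokenFactory(user), Purpose = purpose });
}

// Controller-style caller (assumed name): looks the user up and validates the secret
// itself, then hands a validated User to the service. Returns false without sending
// anything when the lookup or the secret check fails.
public sealed class AccountsResendHandler
{
    private readonly IReadOnlyDictionary<string, (User User, string Secret)> _store; // assumed user store
    private readonly ITwoFactorEmailService _emails;

    public AccountsResendHandler(IReadOnlyDictionary<string, (User, string)> store, ITwoFactorEmailService emails)
    {
        _store = store;
        _emails = emails;
    }

    public async Task<bool> ResendNewDeviceVerificationEmailAsync(string email, string secret)
    {
        if (!_store.TryGetValue(email, out var entry)) return false;
        // Constant-time comparison so a wrong secret does not leak how many bytes matched.
        var ok = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(entry.Secret), Encoding.UTF8.GetBytes(secret));
        if (!ok) return false;
        await _emails.SendNewDeviceVerificationEmailAsync(entry.User);
        return true;
    }
}

// Fake mail service that records what would have been rendered.
public sealed class RecordingMailService : IMailService
{
    public List<(string Email, TwoFactorEmailPurpose Purpose, bool Reminder)> Sent { get; } = new();
    public Task SendTwoFactorEmailAsync(string email, TwoFactorEmailTokenViewModel m)
    {
        Sent.Add((email, m.Purpose, m.DisplayTwoFactorReminder));
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var mail = new RecordingMailService();
        var svc = new TwoFactorEmailService(mail, _ => "123456"); // constructed token
        var user = new User(Guid.NewGuid(), "user@example.test"); // constructed sample user
        await svc.SendTwoFactorEmailAsync(user);
        await svc.SendTwoFactorSetupEmailAsync(user);
        var handler = new AccountsResendHandler(
            new Dictionary<string, (User, string)> { [user.Email] = (user, "correct-secret") }, svc);
        Console.WriteLine($"wrong secret sent: {await handler.ResendNewDeviceVerificationEmailAsync(user.Email, "wrong")}");
        Console.WriteLine($"right secret sent: {await handler.ResendNewDeviceVerificationEmailAsync(user.Email, "correct-secret")}");
        foreach (var s in mail.Sent) Console.WriteLine($"{s.Purpose}: reminder={s.Reminder}");
    }
}
```

Run as a console project; only the NewDeviceVerification send reports `reminder=True`, and the resend with the wrong secret produces no email at all, which is the behaviour the description assigns to the controller.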

@trmartin4 trmartin4 changed the title Added configuration to not display 2FA setup instruction [PM-22323][PM-22322] Do not show 2FA warning for 2FA setup and login emails Jun 13, 2025
Contributor

github-actions bot commented Jun 13, 2025

Checkmarx One – Scan Summary & Details (scan 0e533bc2-5c1b-4f6d-991e-6a049d63e8ab)

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Vault/Controllers/SecurityTaskController.cs: 60


codecov bot commented Jun 13, 2025

Codecov Report

Attention: Patch coverage is 77.46479% with 16 lines in your changes missing coverage. Please review.

Project coverage is 47.87%. Comparing base (74964bf) to head (26d436a).
Report is 32 commits behind head on main.

Files with missing lines Patch % Lines
.../Services/Implementations/TwoFactorEmailService.cs 84.78% 5 Missing and 2 partials ⚠️
src/Api/Auth/Controllers/TwoFactorController.cs 42.85% 4 Missing ⚠️
.../Services/Implementations/HandlebarsMailService.cs 0.00% 4 Missing ⚠️
...c/Core/Models/Mail/TwoFactorEmailTokenViewModel.cs 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5964      +/-   ##
==========================================
+ Coverage   47.72%   47.87%   +0.15%     
==========================================
  Files        1692     1703      +11     
  Lines       74972    75555     +583     
  Branches     6758     6798      +40     
==========================================
+ Hits        35777    36169     +392     
- Misses      37739    37919     +180     
- Partials     1456     1467      +11     

☔ View full report in Codecov by Sentry.

@trmartin4 trmartin4 marked this pull request as ready for review June 14, 2025 15:47
@trmartin4 trmartin4 requested a review from a team as a code owner June 14, 2025 15:47
@trmartin4 trmartin4 requested review from rr-bw and ike-kottlowski and removed request for rr-bw June 14, 2025 15:47
Contributor

@ike-kottlowski ike-kottlowski left a comment


Overall looks good, just a few nitpicks.

Contributor

@ike-kottlowski ike-kottlowski left a comment


I like the idea of explicit call sites, but since that's the case I would like to tighten up the implementation to reduce redundancies.

Suggestions are untested.

@trmartin4
Member Author

Addressed all the feedback, with the exception of removing Task.Delay(), which we will revisit separately based on discussions internally.

@trmartin4 trmartin4 requested a review from ike-kottlowski July 1, 2025 19:58

sonarqubecloud bot commented Jul 1, 2025

@trmartin4 trmartin4 changed the title [PM-22323][PM-22322] Do not show 2FA warning for 2FA setup and login emails [PM-22323] Do not show 2FA warning for 2FA setup and login emails Jul 2, 2025
@trmartin4 trmartin4 merged commit 79ad1db into main Jul 7, 2025
39 checks passed
@trmartin4 trmartin4 deleted the auth/pm-22323/hide-2fa-setup-instruction branch July 7, 2025 14:57