[SECURITY] Notify users about account security changes

- Currently if the password, primary mail, TOTP or security keys are
changed, no notification is made of that and makes compromising an
account a bit easier as it's essentially undetectable until the original
person tries to log in. Although other changes should be made as
well (re-authing before allowing a password change), this should go a
long way of improving the account security in Forgejo.
- Adds a mail notification for password and primary mail changes. For
the primary mail change, a mail notification is sent to the old primary
mail.
- Add a mail notification when TOTP or a security keys is removed, if no
other 2FA method is configured the mail will also contain that 2FA is
no longer needed to log into their account.
- `MakeEmailAddressPrimary` is refactored to the user service package,
as it now involves calling the mailer service.
- Unit tests added.
- Integration tests added.

tests/integration/user_test.go

@@ -7,6 +7,7 @@ package integration
 import (
 	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -20,6 +21,7 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/modules/translation"
+	"code.gitea.io/gitea/services/mailer"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -608,3 +610,140 @@ func TestUserPronouns(t *testing.T) {
 		assert.EqualValues(t, userName, "user2")
 	})
 }
+
+func TestUserTOTPMail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	session := loginUser(t, user.Name)
+
+	t.Run("No security keys", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		called := false
+		defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+			assert.Len(t, msgs, 1)
+			assert.Equal(t, user.EmailTo(), msgs[0].To)
+			assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.totp_disabled.subject"), msgs[0].Subject)
+			assert.Contains(t, msgs[0].Body, translation.NewLocale("en-US").Tr("mail.totp_disabled.no_2fa"))
+			called = true
+		})()
+
+		unittest.AssertSuccessfulInsert(t, &auth_model.TwoFactor{UID: user.ID})
+		req := NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/disable", map[string]string{
+			"_csrf": GetCSRF(t, session, "/user/settings/security"),
+		})
+		session.MakeRequest(t, req, http.StatusSeeOther)
+
+		assert.True(t, called)
+		unittest.AssertExistsIf(t, false, &auth_model.TwoFactor{UID: user.ID})
+	})
+
+	t.Run("with security keys", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		called := false
+		defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+			assert.Len(t, msgs, 1)
+			assert.Equal(t, user.EmailTo(), msgs[0].To)
+			assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.totp_disabled.subject"), msgs[0].Subject)
+			assert.NotContains(t, msgs[0].Body, translation.NewLocale("en-US").Tr("mail.totp_disabled.no_2fa"))
+			called = true
+		})()
+
+		unittest.AssertSuccessfulInsert(t, &auth_model.TwoFactor{UID: user.ID})
+		unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID})
+		req := NewRequestWithValues(t, "POST", "/user/settings/security/two_factor/disable", map[string]string{
+			"_csrf": GetCSRF(t, session, "/user/settings/security"),
+		})
+		session.MakeRequest(t, req, http.StatusSeeOther)
+
+		assert.True(t, called)
+		unittest.AssertExistsIf(t, false, &auth_model.TwoFactor{UID: user.ID})
+	})
+}
+
+func TestUserSecurityKeyMail(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	session := loginUser(t, user.Name)
+
+	t.Run("Normal", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		called := false
+		defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+			assert.Len(t, msgs, 1)
+			assert.Equal(t, user.EmailTo(), msgs[0].To)
+			assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.removed_security_key.subject"), msgs[0].Subject)
+			assert.Contains(t, msgs[0].Body, translation.NewLocale("en-US").Tr("mail.removed_security_key.no_2fa"))
+			assert.Contains(t, msgs[0].Body, "Little Bobby Tables's primary key")
+			called = true
+		})()
+
+		unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's primary key"})
+		id := unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID}).ID
+		req := NewRequestWithValues(t, "POST", "/user/settings/security/webauthn/delete", map[string]string{
+			"_csrf": GetCSRF(t, session, "/user/settings/security"),
+			"id":    strconv.FormatInt(id, 10),
+		})
+		session.MakeRequest(t, req, http.StatusOK)
+
+		assert.True(t, called)
+		unittest.AssertExistsIf(t, false, &auth_model.WebAuthnCredential{UserID: user.ID})
+	})
+
+	t.Run("With TOTP", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		called := false
+		defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+			assert.Len(t, msgs, 1)
+			assert.Equal(t, user.EmailTo(), msgs[0].To)
+			assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.removed_security_key.subject"), msgs[0].Subject)
+			assert.NotContains(t, msgs[0].Body, translation.NewLocale("en-US").Tr("mail.removed_security_key.no_2fa"))
+			assert.Contains(t, msgs[0].Body, "Little Bobby Tables's primary key")
+			called = true
+		})()
+
+		unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's primary key"})
+		id := unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID}).ID
+		unittest.AssertSuccessfulInsert(t, &auth_model.TwoFactor{UID: user.ID})
+		req := NewRequestWithValues(t, "POST", "/user/settings/security/webauthn/delete", map[string]string{
+			"_csrf": GetCSRF(t, session, "/user/settings/security"),
+			"id":    strconv.FormatInt(id, 10),
+		})
+		session.MakeRequest(t, req, http.StatusOK)
+
+		assert.True(t, called)
+		unittest.AssertExistsIf(t, false, &auth_model.WebAuthnCredential{UserID: user.ID})
+	})
+
+	t.Run("Two security keys", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		called := false
+		defer test.MockVariableValue(&mailer.SendAsync, func(msgs ...*mailer.Message) {
+			assert.Len(t, msgs, 1)
+			assert.Equal(t, user.EmailTo(), msgs[0].To)
+			assert.EqualValues(t, translation.NewLocale("en-US").Tr("mail.removed_security_key.subject"), msgs[0].Subject)
+			assert.NotContains(t, msgs[0].Body, translation.NewLocale("en-US").Tr("mail.removed_security_key.no_2fa"))
+			assert.Contains(t, msgs[0].Body, "Little Bobby Tables's primary key")
+			called = true
+		})()
+
+		unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's primary key"})
+		id := unittest.AssertExistsAndLoadBean(t, &auth_model.WebAuthnCredential{UserID: user.ID}).ID
+		unittest.AssertSuccessfulInsert(t, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's evil key"})
+		req := NewRequestWithValues(t, "POST", "/user/settings/security/webauthn/delete", map[string]string{
+			"_csrf": GetCSRF(t, session, "/user/settings/security"),
+			"id":    strconv.FormatInt(id, 10),
+		})
+		session.MakeRequest(t, req, http.StatusOK)
+
+		assert.True(t, called)
+		unittest.AssertExistsIf(t, false, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's primary key"})
+		unittest.AssertExistsIf(t, true, &auth_model.WebAuthnCredential{UserID: user.ID, Name: "Little Bobby Tables's evil key"})
+	})
+}