Skip to content

HOLD: Add email change notifications and password change tracking#1313

Open
maebeale wants to merge 2 commits intomainfrom
maebeale/email-password-events
Open

HOLD: Add email change notifications and password change tracking#1313
maebeale wants to merge 2 commits intomainfrom
maebeale/email-password-events

Conversation

@maebeale
Copy link
Collaborator

@maebeale maebeale commented Mar 2, 2026

What is the goal of this PR and why is this important?

  • Track email change and password change events with notification records and ahoy events so they appear in the admin user activity feed and notification log

How did you approach the change?

  • Add account_email_change_requested notification kind — created in DeviseMailer when a reconfirmation email is sent (distinct from initial account_confirmation)
  • Add account_email_changed notification kind — created via after_commit on User when the email column actually changes after confirmation
  • Track auth.email_change_requested_email_sent ahoy event in DeviseMailer for reconfirmation emails
  • Track auth.password_changed ahoy event via User model callback (saved_change_to_encrypted_password?) so all password change paths are covered (user self-service, Devise reset, admin edit)
  • Add DeviseMailer spec covering notification creation and ahoy event tracking for all Devise email types (confirmation, reconfirmation, reset password, unlock)
  • Add User model specs for track_password_changed, create_email_changed_notification, and track_email_change
  • Add Notification model specs for new KINDS validation

Anything else to add?

  • account_email_change_requested uses unconfirmed_email as recipient (the new address), while account_email_changed uses the confirmed new email
  • Both new notification kinds use deliver: false — no separate emails are sent, they serve as audit records
  • The auth.password_changed model callback may fire alongside existing controller-level tracking in UsersController#update_password and PasswordsController#update; the model callback ensures admin-initiated password changes are also tracked

🤖 Generated with Claude Code

maebeale and others added 2 commits March 2, 2026 17:46
@maebeale @claude
Add email change notifications and password change ahoy tracking
feba821 
- Add account_email_change_requested notification when Devise sends
  reconfirmation email (distinct from initial account_confirmation)
- Add account_email_changed notification (after_commit) when email
  actually changes after confirmation
- Track auth.email_change_requested_email_sent ahoy event for
  reconfirmation emails (shows in user activity feed)
- Track auth.password_changed ahoy event via User model callback
  so all password change paths are covered
- Add DeviseMailer, Notification, and User model specs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@maebeale @claude
Remove unlock_instructions tests (no unlock route)
38e2b79 
App uses unlock_strategy: :none so user_unlock_url doesn't exist
and the Devise unlock view can't render in tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@maebeale maebeale changed the title Add email change notifications and password change tracking HOLD: Add email change notifications and password change tracking Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@maebeale