feat: security settings persistence

[suraj719]

Description

Implemented persistent storage for security settings in the user settings page. Previously, the security settings page had a TODO comment and used a fake setTimeout that only logged values to console without actually saving to the database. This PR adds real database integration for the security settings, making them consistent with other settings pages in the application.

---

Type of Change

Please delete options that are not relevant.

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature with breaking changes)
• 📝 Documentation update
• 🎨 UI/UX improvement
• 🔒 Security enhancement
• ⚡ Performance improvement

Areas Affected

Please check all that apply:

• Email Integration (Gmail, IMAP, etc.)
• User Interface/Experience
• Authentication/Authorization
• Data Storage/Management
• API Endpoints
• Documentation
• Testing Infrastructure
• Development Workflow
• Deployment/Infrastructure

Testing Done

Describe the tests you've done:

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• Cross-browser testing (if UI changes)
• Mobile responsiveness verified (if UI changes)

Security Considerations

For changes involving data or authentication:

• No sensitive data is exposed
• Authentication checks are in place
• Input validation is implemented
• Rate limiting is considered (if applicable)

Checklist

• I have read the CONTRIBUTING document
• My code follows the project's style guidelines
• I have performed a self-review of my code
• I have commented my code, particularly in complex areas
• I have updated the documentation
• My changes generate no new warnings
• I have added tests that prove my fix/feature works
• All tests pass locally
• Any dependent changes are merged and published

Additional Notes

This implementation follows the same patterns used in other settings pages (appearance, general, privacy) to maintain consistency across the codebase. The security settings now properly persist user preferences and provide real-time feedback during save operations.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the project's license.

---

Summary by cubic

Persist security settings to the database and load them on page open. Replaces the fake save with TRPC + React Query, with optimistic updates and error handling.

• New Features
  • Added twoFactorAuth and loginNotifications to user settings schema (defaults: false/true).
  • Load current settings via trpc.settings.get and initialize the form.
  • Save via trpc.settings.save with optimistic update, rollback on error, and success/error toasts.
  • Disable switches and Save button while loading or saving.

Summary by CodeRabbit

• New Features
  • Added Two-Factor Authentication and Login Notifications toggles in Security settings.
  • Security settings now load from your account and save changes seamlessly, with instant (optimistic) UI updates.
  • Clear success and error toasts provide feedback after saving.
  • Inputs and switches are disabled while loading or saving to prevent accidental changes; the Save button reflects loading/saving states.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds TRPC-backed fetch and save of security settings to the Mail app’s Security page with React Query, optimistic updates, loading/disabled states, and toasts. Server schema gains two boolean fields (twoFactorAuth, loginNotifications) and corresponding defaults in user settings.

Changes

Cohort / File(s)	Summary
Security settings UI integration apps/mail/app/(routes)/settings/security/page.tsx	Wires useQuery/useMutation via TRPC to load and update user security settings; initializes form with defaults and resets on load; adds optimistic cache update with rollback on error; adds loading/saving disable states and success/error toasts.
User settings schema updates apps/server/src/lib/schemas.ts	Extends userSettingsSchema and defaultUserSettings with twoFactorAuth: boolean=false and loginNotifications: boolean=true.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor U as User
  participant P as SecurityPage (React)
  participant Q as React Query Cache
  participant T as TRPC Server
  participant D as DB

  rect rgba(200,230,255,0.3)
    U->>P: Navigate to Security Settings
    P->>T: getUserSettings()
    T->>D: Read settings
    D-->>T: Settings
    T-->>P: Settings
    P->>Q: cache set (settings)
    P-->>U: Render form (disabled while loading)
  end

  rect rgba(200,255,200,0.3)
    U->>P: Submit changes
    P->>Q: Optimistic update (save snapshot)
    P->>T: updateUserSettings(changes)
    T->>D: Persist changes
    D-->>T: OK
    T-->>P: Success
    P-->>U: Show success toast
  end

  rect rgba(255,220,220,0.4)
    note over P,T: Error path
    T-->>P: Error
    P->>Q: Rollback to snapshot
    P-->>U: Show failure toast
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• minor fixes #1500 — Also modifies apps/server/src/lib/schemas.ts userSettingsSchema defaults; overlaps on the same schema surface.
• Feature/persist user settings #403 — Extends and persists user settings across server and Mail app; similar wiring of fetch/save behavior.

Suggested labels

high priority

Suggested reviewers

• MrgSub

Poem

Flip the switch, secure the ship,
Bits align with rocket zip,
Two factors armed, alerts in flight,
Cache optimists chase the light,
Rollback thrusters if it fails—
Then toast success, set cosmic sails. 🚀

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[cubic-dev-ai]

1 issue found across 2 files

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[coderabbitai]

Actionable comments posted: 12

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d918210 and 5dc6dec.

📒 Files selected for processing (2)

• apps/mail/app/(routes)/settings/security/page.tsx (7 hunks)
• apps/server/src/lib/schemas.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{css,js,ts,jsx,tsx,mdx}

📄 CodeRabbit inference engine (.cursor/rules/tailwind-css-v4.mdc)

**/*.{css,js,ts,jsx,tsx,mdx}: Chain variants together for composable variants (e.g., group-has-data-potato:opacity-100).
Use new variants such as starting, not-*, inert, nth-*, in-*, open (for :popover-open), and ** for all descendants.
Do not use deprecated utilities like bg-opacity-*, text-opacity-*, border-opacity-*, and divide-opacity-*; use the new syntax (e.g., bg-black/50).
Use renamed utilities: shadow-sm is now shadow-xs, shadow is now shadow-sm, drop-shadow-sm is now drop-shadow-xs, drop-shadow is now drop-shadow-sm, blur-sm is now blur-xs, blur is now blur-sm, rounded-sm is now rounded-xs, rounded is now rounded-sm, outline-none is now outline-hidden.
Use bg-(--brand-color) syntax for CSS variables in arbitrary values instead of bg-[--brand-color].
Stacked variants now apply left-to-right instead of right-to-left.

Files:

• apps/mail/app/(routes)/settings/security/page.tsx
• apps/server/src/lib/schemas.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (AGENT.md)

**/*.{js,jsx,ts,tsx}: Use 2-space indentation
Use single quotes
Limit lines to 100 characters
Semicolons are required

Files:

• apps/mail/app/(routes)/settings/security/page.tsx
• apps/server/src/lib/schemas.ts

**/*.{js,jsx,ts,tsx,css}

📄 CodeRabbit inference engine (AGENT.md)

Use Prettier with sort-imports and Tailwind plugins

Files:

• apps/mail/app/(routes)/settings/security/page.tsx
• apps/server/src/lib/schemas.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENT.md)

Enable TypeScript strict mode

Files:

• apps/mail/app/(routes)/settings/security/page.tsx
• apps/server/src/lib/schemas.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

[ahmetskilinc]

hey @suraj719 could you please check the coderabbit comments, some are important for state and can you please resolve merge conflicts?

[ahmetskilinc]

please close/resolve comments from coderabbit once you have resolved them

[suraj719]

please close/resolve comments from coderabbit once you have resolved them

yeah sure, i am working on those suggestions.

[suraj719]

hey @suraj719 could you please check the coderabbit comments, some are important for state and can you please resolve merge conflicts?

please review and let me know if u want me to do any changes 🚀

[ahmetskilinc]

make sure you run pnpm run db:generate

[suraj719]

make sure you run pnpm run db:generate

Thanks for catching that, and sorry I missed it earlier :)

[suraj719]

heyy @ahmetskilinc , Could you please take a look when you get a chance? Thanks!