
@tecpromotion
Contributor

Summary of Changes

This PR removes the authentication code {CODE} from the email subject line.

What problem am I trying to solve?
The email subject line is significantly less protected than the content:
It's often displayed in plain text, for example, on smartphone lock screens, in email notifications, or previews.
This makes it much easier for others to see the subject line without opening the email (shared inbox, office, support).
Forwarding and auto-replies also pose a problem; some systems only use the subject line and reply with it again, unintentionally including the code in other emails.

Testing Instructions

Activate the MFA plugin "Multi-factor Authentication - Authentication Code by Email" and configure it for a user.
Use this login method for the user. An email will arrive in the inbox.

Actual result BEFORE applying this Pull Request

Subject e.g.: "Your 610-alpha2 authentication code is -123456-"

Expected result AFTER applying this Pull Request

Subject e.g.: "Your 610-alpha2 authentication code"
And the code is now only contained in the email body.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

Copilot AI review requested due to automatic review settings January 5, 2026 19:54
@joomla-cms-bot joomla-cms-bot added Language Change This is for Translators PR-6.1-dev labels Jan 5, 2026

Copilot AI left a comment


Pull request overview

This PR enhances security by removing the authentication code from the email subject line of multi-factor authentication emails, addressing concerns about sensitive information exposure through email previews, lock screen notifications, and shared inboxes.

  • Removes the {CODE} placeholder from the email subject translation string
  • Keeps the authentication code in the email body where it remains protected


@Fedik
Member

Fedik commented Jan 7, 2026

Having the code in the subject allows reading the code without opening the email. That is actually very useful on mobile.

I would suggest:

  • OR change authentication to auth to make it shorter :)
  • OR even better. Move the code up front: 123456 is your FoobarSiteName authentication code

@tecpromotion tecpromotion deleted the fix/remove-authentication-code-subject branch January 7, 2026 13:42