Ac/pm 21742/update confirmed to org email templates

[JimmyVo16]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-21742

📔 Objective

This is to add the templates for the organization confirmation email.
There is no code for wiring this up.

Enterprise and Teams
Design

Families and Free
Design

📸 Screenshots

Enterprise and Teams

Mobile

Families and Free

Mobile
Note: I couldn’t get the mobile version to look like the design, mainly due to the button sizing. I’ll communicate this to product.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – c9567b6f-3637-400e-a736-12508cab5127

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 207

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.63%. Comparing base (b1390c9) to head (ab69748).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6683      +/-   ##
==========================================
- Coverage   53.65%   53.63%   -0.02%     
==========================================
  Files        1926     1926              
  Lines       85720    85717       -3     
  Branches     7687     7686       -1     
==========================================
- Hits        45989    45978      -11     
- Misses      37958    37966       +8     
  Partials     1773     1773              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JimmyVo16]

This change ensures we only add the text element when the component receives the respective input for the field. The current behavior adds an empty text element when no input is provided, which can impact spacing and style.

This change should not affect existing components, since the behavior remains the same for components that pass in data for that field.

[JimmyVo16]

Hey folks, I got some feedback from Sukhleen that the font spacing doesn’t align with the design. I think this wasn’t caught earlier because the welcome email doesn’t have multi-line text, but the org confirmation email does.

I also noticed that the style from mj-bw-icon-row-text isn’t being applied to the text. I can’t get the styling to apply through the CSS class; it might be related to how MJML renders it.

The workaround is to inject the styling directly.

I’m open to any suggestions on how to handle this better.

[claude]

Claude finished @JimmyVo16's task —— View job

---

Review Complete ✅

Todo List

• Conduct comprehensive code review of PR changes
• Analyze email template security and correctness
• Review component changes in mj-bw-icon-row.js
• Provide detailed feedback

---

Code Review: Organization Confirmation Email Templates

Overall Assessment: The templates are well-implemented with proper security considerations. The code is ready to merge once the minor issues below are addressed.

---

✅ Security & Compliance

Zero-Knowledge Principles: ✓ Pass

• No vault data or encrypted content is exposed in these templates
• Only organization metadata (name, plan type) is used, which is appropriate for this context

XSS Protection: ✓ Pass

• Handlebars double-brace syntax {{OrganizationName}} properly HTML-escapes output
• No use of triple-brace {{{ or SafeString that would bypass escaping
• All dynamic content is properly escaped

Sensitive Data Handling: ✓ Pass

• No PII, passwords, keys, or vault data in templates
• Only organization name and contextual information displayed

---

📝 Findings by Severity

ℹ️ Minor Issues

1. Identical Text Templates (src/Core/MailTemplates/Handlebars/MJML/AdminConsole/OrganizationConfirmation/organization-confirmation-*.text.hbs)

Both organization-confirmation-enterprise-teams.text.hbs and organization-confirmation-family-free.text.hbs contain identical content:

Thank you for confirming your organization, {{OrganizationName}}!

You've successfully confirmed your organization. Start adding members to your organization to get them started with Bitwarden!

Recommendation: Consider whether these should have different messaging based on organization type (Enterprise/Teams vs Families/Free), similar to how the HTML versions differ. If they're intentionally the same, this is fine.

---

🎨 Suggestions for Improvement

2. Component Refactoring Quality (src/Core/MailTemplates/Mjml/components/mj-bw-icon-row.js)

The refactoring to add conditional rendering is well-done:

${this.getAttribute('text') ? `
  <mj-text ... font-family="'Open Sans', Helvetica, Arial, sans-serif" ...>
    ${this.getAttribute('text')}
  </mj-text>
` : ''}

Observations:

• ✓ Properly prevents empty text elements when no input provided
• ✓ Inline styling workaround for font spacing is reasonable given MJML rendering limitations
• ✓ Maintains backward compatibility for existing components

The author's note about inline styling being a workaround due to CSS class application issues is understandable given MJML's rendering behavior.

3. Missing Unit Tests

Per Bitwarden's development workflow, new features should include unit tests. Consider adding tests for:

• Template rendering with various organization names (including special characters for XSS testing)
• Component rendering with and without text attributes
• Email generation for different organization types

4. Template Wiring

PR description states: "There is no code for wiring this up." These templates will remain unused until integrated. Consider:

• Creating a follow-up ticket/PR for the integration work
• Documenting where these templates should be called from
• Ensuring the template names align with whatever naming convention the email service expects

---

💭 Design Feedback Notes

The author mentioned mobile button sizing doesn't match design and will communicate to product. This is appropriate to handle outside the code review process.

---

✅ What Went Well

1. Proper separation of concerns: MJML source → compiled HTML → Handlebars templates
2. Responsive design: Both desktop and mobile considerations in templates
3. Component reusability: Good use of shared components (mj-bw-icon-row, mj-bw-cta-button)
4. Security-first approach: Proper output escaping throughout
5. Clean file organization: Templates logically organized under AdminConsole/OrganizationConfirmation/

---

🔍 Additional Notes

• File paths in MJML mj-include statements are correct relative to the email template location
• Color schemes and branding appear consistent with Bitwarden design system
• Email accessibility considerations present (alt text, semantic structure)

---

Recommendation

✅ APPROVE - This PR is ready to merge once the team confirms:

1. Whether text templates should differ between org types (or if identical is intentional)
2. That missing tests are acceptable for template-only PRs (or will be added in integration PR)
3. Timeline for wiring up these templates to the email service

[jrmccannon]

Looks good to me.

[JimmyVo16]

Originally, I was thinking of having a PR for each template, but they share some logic, so it’s easier to roll them into one PR. Sorry for the inconvenience, folks.