From 1403609b8f8b97491d7b61269b4fee537b783cd2 Mon Sep 17 00:00:00 2001
From: Barry Walker <barrywalker@gmail.com>
Date: Sun, 18 Jan 2026 13:13:49 -0500
Subject: [PATCH] Add option to disable new device login notification emails

Adds SEND_NEW_DEVICE_EMAIL config option (defaults to true) allowing
administrators to disable "New Device Logged In" notification emails.

This addresses a gap where the only way to stop these emails was to
disable SMTP entirely, which also disables other important emails.

Use cases include:
- Bitwarden CLI in container sidecars (restarts trigger new device emails)
- Kubernetes external secrets providers
- CI/CD pipelines with frequent automated authentication
---
 .env.template       | 4 ++++
 src/api/identity.rs | 4 ++--
 src/config.rs       | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.env.template b/.env.template
index 67f531fc..77988503 100644
--- a/.env.template
+++ b/.env.template
@@ -387,6 +387,10 @@
 ## If sending the email fails the login attempt will fail!!
 # REQUIRE_DEVICE_EMAIL=false
 
+## Send new device logged in notification. When enabled, an email will be sent to users
+## when a new device logs in. Set to false to disable these notification emails.
+# SEND_NEW_DEVICE_EMAIL=true
+
 ## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
 
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 9eaa6b36..2ec0b56f 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -437,7 +437,7 @@ async fn authenticated_response(
     conn: &DbConn,
     ip: &ClientIp,
 ) -> JsonResult {
-    if CONFIG.mail_enabled() && device.is_new() {
+    if CONFIG.mail_enabled() && CONFIG.send_new_device_email() && device.is_new() {
         let now = Utc::now().naive_utc();
         if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, device).await {
             error!("Error sending new device email: {e:#?}");
@@ -581,7 +581,7 @@ async fn _user_api_key_login(
 
     let mut device = get_device(&data, conn, &user).await?;
 
-    if CONFIG.mail_enabled() && device.is_new() {
+    if CONFIG.mail_enabled() && CONFIG.send_new_device_email() && device.is_new() {
         let now = Utc::now().naive_utc();
         if let Err(e) = mail::send_new_device_logged_in(&user.email, &ip.ip.to_string(), &now, &device).await {
             error!("Error sending new device email: {e:#?}");
diff --git a/src/config.rs b/src/config.rs
index 4fb103fa..dfc669e3 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -717,6 +717,10 @@ make_config! {
         /// If sending the email fails the login attempt will fail.
         require_device_email:   bool,   true,   def,     false;
 
+        /// Send new device logged in notification |> When enabled, an email will be sent to users when a new device logs in.
+        /// Set to false to disable these notification emails.
+        send_new_device_email:  bool,   true,   def,     true;
+
         /// Reload templates (Dev) |> When this is set to true, the templates get reloaded with every request.
         /// ONLY use this during development, as it can slow down the server
         reload_templates:       bool,   true,   def,    false;