Consolidate Token Expiry Notification Emails #23582
Description
📌 Current Behavior
Matomo periodically sends security alert emails to users whose API tokens have not been rotated within a defined threshold (default: 180 days).
This is part of enforcing token hygiene for security best practices (token rotation policy).
📉 However, if a user owns multiple stale tokens, they currently receive one email per token.
This leads to:
- 🚨 Email spam for users with many outdated tokens
- 📥 Increased risk of users ignoring or deleting the alerts
- ❌ Poor UX and waste of email infrastructure resources
🎯 Desired Behavior
Send a single consolidated email per affected user listing all of their stale API tokens that require attention.
✅ Proposed Solution
Refactor the existing notification logic to:
- Group stale tokens by user
- Generate one email per user, including a list of all stale tokens (with their descriptions, creation/last-used dates, etc.)
🧪 Scope
- ✅ Affects only the token expiry warning logic (does not change token validity or auth flows)
- ✅ Applies to core token check cron/system job
- ✅ Email template should be updated to support multi-token messaging
- ✅ Adjust test coverage for grouped emails
refs #23553