From 16ad5db418396197e421f633e489a59f158f0888 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bispo?= <abispo@bitwarden.com>
Date: Tue, 13 Dec 2022 21:50:53 +0000
Subject: [PATCH] [SG-859] Key and MasterPasswordHash stored on AuthRequest
 when you deny login request (#2469)

* [SG-856] Remove nullable from RequestApproved property

* [SG-856] Assign key and hash only if approved
---
 src/Api/Controllers/AuthRequestsController.cs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/Api/Controllers/AuthRequestsController.cs b/src/Api/Controllers/AuthRequestsController.cs
index 3b3e17f868..3468b1ad72 100644
--- a/src/Api/Controllers/AuthRequestsController.cs
+++ b/src/Api/Controllers/AuthRequestsController.cs
@@ -137,11 +137,16 @@ public class AuthRequestsController : Controller
             throw new BadRequestException("Invalid device.");
         }
 
-        authRequest.Key = model.Key;
-        authRequest.MasterPasswordHash = model.MasterPasswordHash;
         authRequest.ResponseDeviceId = device.Id;
         authRequest.ResponseDate = DateTime.UtcNow;
         authRequest.Approved = model.RequestApproved;
+
+        if (model.RequestApproved)
+        {
+            authRequest.Key = model.Key;
+            authRequest.MasterPasswordHash = model.MasterPasswordHash;
+        }
+
         await _authRequestRepository.ReplaceAsync(authRequest);
 
         // We only want to send an approval notification if the request is approved (or null),