Fix: update queries to only return the most recent authrequest, or none at all if the most recent is approved.

src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs

@@ -68,10 +68,22 @@ public class AuthRequestRepository : Repository<Core.Auth.Entities.AuthRequest,
         var expirationMinutes = (int)_globalSettings.PasswordlessAuth.UserRequestExpiration.TotalMinutes;
         using var scope = ServiceScopeFactory.CreateScope();
         var dbContext = GetDatabaseContext(scope);
-        var pendingAuthRequestQuery = new AuthRequestReadPendingByUserIdQuery()
+        var mostRecentAuthRequests = await
-            .GetQuery(dbContext, userId, expirationMinutes);
+            (from authRequest in dbContext.AuthRequests
+             where authRequest.Type == AuthRequestType.AuthenticateAndUnlock
+                || authRequest.Type == AuthRequestType.Unlock
+             where authRequest.UserId == userId
+             where authRequest.CreationDate.AddMinutes(expirationMinutes) > DateTime.UtcNow
+             group authRequest by authRequest.RequestDeviceIdentifier into groupedAuthRequests
+             select
+                 (from r in groupedAuthRequests
+                  orderby r.CreationDate descending
+                  select r).First()).ToListAsync();
 
-        return await pendingAuthRequestQuery.ToListAsync();
+        // Pending AuthRequests are those where Approved is null.
+        mostRecentAuthRequests.RemoveAll(a => a.Approved != null);
+
+        return mostRecentAuthRequests;
     }
 
     public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(

src/Infrastructure.EntityFramework/Auth/Repositories/Queries/AuthRequestReadPendingByUserIdQuery.cs

@@ -1,28 +0,0 @@
-using Bit.Core.Auth.Enums;
-using Bit.Infrastructure.EntityFramework.Auth.Models;
-using Bit.Infrastructure.EntityFramework.Repositories;
-
-namespace Bit.Infrastructure.EntityFramework.Auth.Repositories.Queries;
-
-public class AuthRequestReadPendingByUserIdQuery
-{
-    public IQueryable<AuthRequest> GetQuery(
-        DatabaseContext dbContext,
-        Guid userId,
-        int expirationMinutes)
-    {
-        var pendingAuthRequestQuery =
-            from authRequest in dbContext.AuthRequests
-            where authRequest.UserId == userId
-            where authRequest.Type == AuthRequestType.AuthenticateAndUnlock || authRequest.Type == AuthRequestType.Unlock
-            where authRequest.Approved == null
-            where authRequest.CreationDate.AddMinutes(expirationMinutes) > DateTime.UtcNow
-            group authRequest by authRequest.RequestDeviceIdentifier into groupedRequests
-            select
-                (from pendingRequests in groupedRequests
-                 orderby pendingRequests.CreationDate descending
-                 select pendingRequests).First();
-
-        return pendingAuthRequestQuery;
-    }
-}

src/Sql/Auth/dbo/Stored Procedures/AuthRequest_ReadPendingByUserId.sql

@@ -13,9 +13,9 @@ BEGIN
         WHERE Type IN (0, 1)
             AND AR.CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE())
             AND AR.UserId = @UserId
-            AND AR.Approved IS NULL
     )
     SELECT PR.*
     FROM PendingRequests PR
-    WHERE rn = 1;
+    WHERE rn = 1
+    AND AR.Approved IS NULL;
 END;

util/Migrator/DbScripts/2025-06-04-00_AddReadPendingAuthRequestsByUserId.sql

@@ -11,12 +11,12 @@ BEGIN
             AR.*,
             ROW_NUMBER() OVER (PARTITION BY RequestDeviceIdentifier ORDER BY CreationDate DESC) AS rn
         FROM dbo.AuthRequestView AR
-        WHERE Type IN (0, 1)
+        WHERE Type IN (0, 1) -- 0 = UnlockAndAUth, 1 = unlock
             AND AR.CreationDate >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE())
             AND AR.UserId = @UserId
-            AND AR.Approved IS NULL
     )
     SELECT PR.*
     FROM PendingRequests PR
-    WHERE rn = 1;
+    WHERE rn = 1
+    AND PR.Approved IS NULL;
 END;