[AC-1192] Create endpoints for new Device Approvals page (#2993)

* [AC-1192] Create new OrganizationAuthRequestsController.cs * [AC-1192] Introduce OrganizationAdminAuthRequest model * [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository * [AC-1192] Add new list pending organization auth requests endpoint * [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository * [AC-1192] Make the response device identifier optional for admin approval requests * [AC-1192] Add endpoint for bulk denying admin device auth requests * [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel * [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController * [AC-1192] Secure new endpoints behind TDE feature flag * [AC-1192] Formatting * [AC-1192] Add sql migration script * [AC-1192] Add optional OrganizationId column to AuthRequest entity - Rename migration script to match existing formatting - Add new column - Add migration scripts - Update new sprocs to filter/join on OrganizationId - Update old sprocs to include OrganizationId * [AC-1192] Format migration scripts * [AC-1192] Fix failing AuthRequest EF unit test * [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability * [AC-1192] Fix missing comma in migration file * [AC-1192] Rename Key to EncryptedUserKey to be more descriptive * [AC-1192] Move request validation into helper method to reduce repetition * [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission * [AC-1192] Introduce FeatureUnavailableException * [AC-1192] Introduce RequireFeatureAttribute * [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController * [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column * [AC-1192] More attempts to sync database migrations * [AC-1192] Formatting * [AC-1192] Remove unused reference to FeatureService * [AC-1192] Change Id types from String to Guid * [AC-1192] Add EncryptedString attribute * [AC-1192] Remove redundant OrganizationId property * [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping - Add new OrganizationUser relationship to EF entity - Replace AuthRequest DBContext config with new IEntityTypeConfiguration - Add navigation property to AuthRequest entity configuration for OrganizationUser - Update EF AuthRequestRepository to use new mapping and navigation properties * [AC-1192] Remove OrganizationUser navigation property
2025-06-30 23:52:50 -05:00 · 2023-06-15 14:54:08 -07:00
parent bdd5e0916e
commit 904b2fe205
34 changed files with 7417 additions and 11 deletions
--- a/src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs
+++ b/src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs
@ -0,0 +1,13 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request;
+
+public class AdminAuthRequestUpdateRequestModel
+{
+    [EncryptedString]
+    public string EncryptedUserKey { get; set; }
+
+    [Required]
+    public bool RequestApproved { get; set; }
+}
--- a/src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs
+++ b/src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs
@ -0,0 +1,6 @@
+namespace Bit.Api.Auth.Models.Request;
+
+public class BulkDenyAdminAuthRequestRequestModel
+{
+    public IEnumerable<Guid> Ids { get; set; }
+}
--- a/src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
+++ b/src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
@ -0,0 +1,38 @@
+using System.ComponentModel.DataAnnotations;
+using System.Reflection;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Auth.Models.Response;
+
+public class PendingOrganizationAuthRequestResponseModel : ResponseModel
+{
+    public PendingOrganizationAuthRequestResponseModel(OrganizationAdminAuthRequest authRequest, string obj = "pending-org-auth-request") : base(obj)
+    {
+        if (authRequest == null)
+        {
+            throw new ArgumentNullException(nameof(authRequest));
+        }
+
+        Id = authRequest.Id;
+        UserId = authRequest.UserId;
+        OrganizationUserId = authRequest.OrganizationUserId;
+        Email = authRequest.Email;
+        PublicKey = authRequest.PublicKey;
+        RequestDeviceIdentifier = authRequest.RequestDeviceIdentifier;
+        RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
+            .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
+        RequestIpAddress = authRequest.RequestIpAddress;
+        CreationDate = authRequest.CreationDate;
+    }
+
+    public Guid Id { get; set; }
+    public Guid UserId { get; set; }
+    public Guid OrganizationUserId { get; set; }
+    public string Email { get; set; }
+    public string PublicKey { get; set; }
+    public string RequestDeviceIdentifier { get; set; }
+    public string RequestDeviceType { get; set; }
+    public string RequestIpAddress { get; set; }
+    public DateTime CreationDate { get; set; }
+}
--- a/src/Api/Controllers/OrganizationAuthRequestsController.cs
+++ b/src/Api/Controllers/OrganizationAuthRequestsController.cs
@ -0,0 +1,83 @@
+using Bit.Api.Auth.Models.Request;
+using Bit.Api.Auth.Models.Response;
+using Bit.Api.Models.Response;
+using Bit.Core;
+using Bit.Core.Auth.Models.Api.Request.AuthRequest;
+using Bit.Core.Auth.Services;
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[Route("organizations/{orgId}/auth-requests")]
+[Authorize("Application")]
+[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
+public class OrganizationAuthRequestsController : Controller
+{
+    private readonly IAuthRequestRepository _authRequestRepository;
+    private readonly ICurrentContext _currentContext;
+    private readonly IAuthRequestService _authRequestService;
+
+    public OrganizationAuthRequestsController(IAuthRequestRepository authRequestRepository,
+        ICurrentContext currentContext, IAuthRequestService authRequestService)
+    {
+        _authRequestRepository = authRequestRepository;
+        _currentContext = currentContext;
+        _authRequestService = authRequestService;
+    }
+
+    [HttpGet("")]
+    public async Task<ListResponseModel<PendingOrganizationAuthRequestResponseModel>> GetPendingRequests(Guid orgId)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequests = await _authRequestRepository.GetManyPendingByOrganizationIdAsync(orgId);
+        var responses = authRequests
+            .Select(a => new PendingOrganizationAuthRequestResponseModel(a))
+            .ToList();
+        return new ListResponseModel<PendingOrganizationAuthRequestResponseModel>(responses);
+    }
+
+    [HttpPost("{requestId}")]
+    public async Task UpdateAuthRequest(Guid orgId, Guid requestId, [FromBody] AdminAuthRequestUpdateRequestModel model)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequest =
+            (await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, new[] { requestId })).FirstOrDefault();
+
+        if (authRequest == null || authRequest.OrganizationId != orgId)
+        {
+            throw new NotFoundException();
+        }
+
+        await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
+            new AuthRequestUpdateRequestModel { RequestApproved = model.RequestApproved, Key = model.EncryptedUserKey });
+    }
+
+    [HttpPost("deny")]
+    public async Task BulkDenyRequests(Guid orgId, [FromBody] BulkDenyAdminAuthRequestRequestModel model)
+    {
+        await ValidateAdminRequest(orgId);
+
+        var authRequests = await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, model.Ids);
+
+        foreach (var authRequest in authRequests)
+        {
+            await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
+                new AuthRequestUpdateRequestModel { RequestApproved = false, });
+        }
+    }
+
+    private async Task ValidateAdminRequest(Guid orgId)
+    {
+        if (!await _currentContext.ManageResetPassword(orgId))
+        {
+            throw new UnauthorizedAccessException();
+        }
+    }
+}
--- a/src/Core/Auth/Entities/AuthRequest.cs
+++ b/src/Core/Auth/Entities/AuthRequest.cs
@ -9,6 +9,7 @@ public class AuthRequest : ITableObject<Guid>
 {
    public Guid Id { get; set; }
    public Guid UserId { get; set; }
+    public Guid? OrganizationId { get; set; }
    public Enums.AuthRequestType Type { get; set; }
    [MaxLength(50)]
    public string RequestDeviceIdentifier { get; set; }
--- a/src/Core/Auth/Enums/AuthRequestType.cs
+++ b/src/Core/Auth/Enums/AuthRequestType.cs
@ -3,5 +3,6 @@
 public enum AuthRequestType : byte
 {
    AuthenticateAndUnlock = 0,
-    Unlock = 1
+    Unlock = 1,
+    AdminApproval = 2,
 }
--- a/src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs
+++ b/src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs
@ -0,0 +1,18 @@
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
+
+namespace Bit.Core.Auth.Models.Data;
+
+/// <summary>
+/// Represents an <see cref="AuthRequestType.AdminApproval"/> AuthRequest.
+/// Includes additional user and organization information.
+/// </summary>
+public class OrganizationAdminAuthRequest : AuthRequest
+{
+    /// <summary>
+    /// Email address of the requesting user
+    /// </summary>
+    public string Email { get; set; }
+
+    public Guid OrganizationUserId { get; set; }
+}
--- a/src/Core/Auth/Repositories/IAuthRequestRepository.cs
+++ b/src/Core/Auth/Repositories/IAuthRequestRepository.cs
@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;

 namespace Bit.Core.Repositories;

@ -6,4 +7,6 @@ public interface IAuthRequestRepository : IRepository<AuthRequest, Guid>
 {
    Task<int> DeleteExpiredAsync();
    Task<ICollection<AuthRequest>> GetManyByUserIdAsync(Guid userId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId);
+    Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
 }
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Exceptions;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Context;
@ -119,13 +120,17 @@ public class AuthRequestService : IAuthRequestService
            throw new DuplicateAuthRequestException();
        }

-        var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
-        if (device == null)
+        // Admin approval responses are not tied to a specific device, so we don't need to validate it.
+        if (authRequest.Type != AuthRequestType.AdminApproval)
        {
-            throw new BadRequestException("Invalid device.");
+            var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
+            if (device == null)
+            {
+                throw new BadRequestException("Invalid device.");
+            }
+            authRequest.ResponseDeviceId = device.Id;
        }

-        authRequest.ResponseDeviceId = device.Id;
        authRequest.ResponseDate = DateTime.UtcNow;
        authRequest.Approved = model.RequestApproved;

--- a/src/Core/Exceptions/FeatureUnavailableException.cs
+++ b/src/Core/Exceptions/FeatureUnavailableException.cs
@ -0,0 +1,14 @@
+namespace Bit.Core.Exceptions;
+
+/// <summary>
+/// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
+/// </summary>
+public class FeatureUnavailableException : NotFoundException
+{
+    public FeatureUnavailableException()
+    { }
+
+    public FeatureUnavailableException(string message)
+        : base(message)
+    { }
+}
--- a/src/Core/Utilities/RequireFeatureAttribute.cs
+++ b/src/Core/Utilities/RequireFeatureAttribute.cs
@ -0,0 +1,36 @@
+using Bit.Core.Context;
+using Bit.Core.Exceptions;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Core.Utilities;
+
+/// <summary>
+/// Specifies that the class or method that this attribute is applied to requires the specified boolean feature flag
+/// to be enabled. If the feature flag is not enabled, a <see cref="FeatureUnavailableException"/> is thrown
+/// </summary>
+public class RequireFeatureAttribute : ActionFilterAttribute
+{
+    private readonly string _featureFlagKey;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="RequireFeatureAttribute"/> class with the specified feature flag key.
+    /// </summary>
+    /// <param name="featureFlagKey">The name of the feature flag to require.</param>
+    public RequireFeatureAttribute(string featureFlagKey)
+    {
+        _featureFlagKey = featureFlagKey;
+    }
+
+    public override void OnActionExecuting(ActionExecutingContext context)
+    {
+        var currentContext = context.HttpContext.RequestServices.GetRequiredService<ICurrentContext>();
+        var featureService = context.HttpContext.RequestServices.GetRequiredService<IFeatureService>();
+
+        if (!featureService.IsEnabled(_featureFlagKey, currentContext))
+        {
+            throw new FeatureUnavailableException();
+        }
+    }
+}
--- a/src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs
+++ b/src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs
@ -1,5 +1,6 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
@ -41,4 +42,30 @@ public class AuthRequestRepository : Repository<AuthRequest, Guid>, IAuthRequest
            return results.ToList();
        }
    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
+                $"[{Schema}].[AuthRequest_ReadPendingByOrganizationId]",
+                new { OrganizationId = organizationId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
+                $"[{Schema}].[AuthRequest_ReadAdminApprovalsByIds]",
+                new { OrganizationId = organizationId, Ids = ids.ToGuidIdArrayTVP() },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs
@ -0,0 +1,14 @@
+using Bit.Infrastructure.EntityFramework.Auth.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Auth.Configurations;
+
+public class AuthRequestConfiguration : IEntityTypeConfiguration<AuthRequest>
+{
+    public void Configure(EntityTypeBuilder<AuthRequest> builder)
+    {
+        builder.Property(ar => ar.Id).ValueGeneratedNever();
+        builder.ToTable(nameof(AuthRequest));
+    }
+}
--- a/src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs
@ -1,4 +1,5 @@
 using AutoMapper;
+using Bit.Core.Auth.Models.Data;
 using Bit.Infrastructure.EntityFramework.Models;

 namespace Bit.Infrastructure.EntityFramework.Auth.Models;
@ -7,6 +8,7 @@ public class AuthRequest : Core.Auth.Entities.AuthRequest
 {
    public virtual User User { get; set; }
    public virtual Device ResponseDevice { get; set; }
+    public virtual Organization Organization { get; set; }
 }

 public class AuthRequestMapperProfile : Profile
@ -14,5 +16,9 @@ public class AuthRequestMapperProfile : Profile
    public AuthRequestMapperProfile()
    {
        CreateMap<Core.Auth.Entities.AuthRequest, AuthRequest>().ReverseMap();
+        CreateProjection<AuthRequest, OrganizationAdminAuthRequest>()
+            .ForMember(m => m.Email, opt => opt.MapFrom(t => t.User.Email))
+            .ForMember(m => m.OrganizationUserId, opt => opt.MapFrom(
+                t => t.User.OrganizationUsers.FirstOrDefault(ou => ou.OrganizationId == t.OrganizationId && ou.UserId == t.UserId).Id));
    }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs
@ -1,4 +1,7 @@
 using AutoMapper;
+using AutoMapper.QueryableExtensions;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
@ -33,4 +36,32 @@ public class AuthRequestRepository : Repository<Core.Auth.Entities.AuthRequest,
            return Mapper.Map<List<Core.Auth.Entities.AuthRequest>>(userAuthRequests);
        }
    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
+                                             where ar.OrganizationId.Equals(organizationId) && ar.ResponseDate == null && ar.Type == AuthRequestType.AdminApproval
+                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
+
+            return orgUserAuthRequests;
+        }
+    }
+
+    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(
+        Guid organizationId,
+        IEnumerable<Guid> ids)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
+                                             where ar.OrganizationId.Equals(organizationId) && ids.Contains(ar.Id) && ar.Type == AuthRequestType.AdminApproval
+                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
+
+            return orgUserAuthRequests;
+        }
+    }
 }
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@ -97,7 +97,6 @@ public class DatabaseContext : DbContext
        var eUser = builder.Entity<User>();
        var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
        var eOrganizationConnection = builder.Entity<OrganizationConnection>();
-        var eAuthRequest = builder.Entity<AuthRequest>();
        var eOrganizationDomain = builder.Entity<OrganizationDomain>();

        eCipher.Property(c => c.Id).ValueGeneratedNever();
@ -119,7 +118,6 @@ public class DatabaseContext : DbContext
        eUser.Property(c => c.Id).ValueGeneratedNever();
        eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
        eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
-        eAuthRequest.Property(ar => ar.Id).ValueGeneratedNever();
        eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();

        eCollectionCipher.HasKey(cc => new { cc.CollectionId, cc.CipherId });
@ -171,7 +169,6 @@ public class DatabaseContext : DbContext
        eUser.ToTable(nameof(User));
        eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
        eOrganizationConnection.ToTable(nameof(OrganizationConnection));
-        eAuthRequest.ToTable(nameof(AuthRequest));
        eOrganizationDomain.ToTable(nameof(OrganizationDomain));

        ConfigureDateTimeUtcQueries(builder);
--- a/Procedures/AuthRequest_Create.sql
+++ b/Procedures/AuthRequest_Create.sql
@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Create]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type TINYINT,
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType TINYINT,
@ -22,6 +23,7 @@ BEGIN
    (
        [Id],
        [UserId],
+        [OrganizationId],
        [Type],
        [RequestDeviceIdentifier],
        [RequestDeviceType],
@ -40,6 +42,7 @@ BEGIN
    (
        @Id,
        @UserId,
+        @OrganizationId,
        @Type,
        @RequestDeviceIdentifier,
        @RequestDeviceType,
@ -54,4 +57,4 @@ BEGIN
        @ResponseDate,
        @AuthenticationDate
    )
-END
+END
--- a/Procedures/AuthRequest_ReadAdminApprovalsByIds.sql
+++ b/Procedures/AuthRequest_ReadAdminApprovalsByIds.sql
@ -0,0 +1,20 @@
+CREATE PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
+	@OrganizationId UNIQUEIDENTIFIER,
+	@Ids AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId
+    AND
+        ar.[Type] = 2 -- AdminApproval
+    AND
+        ar.[Id] IN (SELECT [Id] FROM @Ids)
+END
--- a/Procedures/AuthRequest_ReadPendingByOrganizationId.sql
+++ b/Procedures/AuthRequest_ReadPendingByOrganizationId.sql
@ -0,0 +1,19 @@
+CREATE PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
+FROM
+    [dbo].[AuthRequestView] ar
+    INNER JOIN
+        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
+    WHERE
+        ar.[OrganizationId] = @OrganizationId 
+    AND 
+        ar.[ResponseDate] IS NULL
+    AND
+        ar.[Type] = 2 -- AdminApproval
+END
--- a/Procedures/AuthRequest_Update.sql
+++ b/Procedures/AuthRequest_Update.sql
@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Update]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
+    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type SMALLINT, 
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType SMALLINT,
@ -23,6 +24,7 @@ BEGIN
    SET
        [UserId] = @UserId,
        [Type] = @Type,
+        [OrganizationId] = @OrganizationId,
        [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
        [RequestDeviceType] = @RequestDeviceType,
        [RequestIpAddress] = @RequestIpAddress,
--- a/src/Sql/Auth/dbo/Tables/AuthRequest.sql
+++ b/src/Sql/Auth/dbo/Tables/AuthRequest.sql
@ -14,9 +14,11 @@
    [CreationDate]              DATETIME2 (7)    NOT NULL,
    [ResponseDate]              DATETIME2 (7)    NULL,
    [AuthenticationDate]        DATETIME2 (7)    NULL,
+    [OrganizationId]            UNIQUEIDENTIFIER NULL,
    CONSTRAINT [PK_AuthRequest] PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [FK_AuthRequest_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
-    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id])
+    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id]),
+    CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );