From 9703fb68749eda41be0fa728752bfec29b6205a2 Mon Sep 17 00:00:00 2001
From: Gbubemi Smith
Date: Fri, 28 Oct 2022 11:58:05 -0400
Subject: [PATCH] [SG-762] Prevent approving request on second device after denying on first (#2370)

* Added check to ensure a passwordless request is not acted upon multiple times
* Corrected grammer
---
 src/Api/Controllers/AuthRequestsController.cs | 5 +++++
 src/Core/Exceptions/DuplicateAuthRequestException.cs | 10 ++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 src/Core/Exceptions/DuplicateAuthRequestException.cs

diff --git a/src/Api/Controllers/AuthRequestsController.cs b/src/Api/Controllers/AuthRequestsController.cs
index 6d2bfcb4f2..f8a4cf7ec1 100644
--- a/src/Api/Controllers/AuthRequestsController.cs
+++ b/src/Api/Controllers/AuthRequestsController.cs
@@ -125,6 +125,11 @@ public class AuthRequestsController : Controller
 throw new NotFoundException();
 }
 
+ if (authRequest.Approved is not null)
+ {
+ throw new DuplicateAuthRequestException();
+ }
+
 var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier);
 if (device == null)
 {
diff --git a/src/Core/Exceptions/DuplicateAuthRequestException.cs b/src/Core/Exceptions/DuplicateAuthRequestException.cs
new file mode 100644
index 0000000000..962dd705e4
--- /dev/null
+++ b/src/Core/Exceptions/DuplicateAuthRequestException.cs
@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions;
+
+public class DuplicateAuthRequestException : Exception
+{
+ public DuplicateAuthRequestException()
+ : base("An authentication request with the same device already exists.")
+ {
+
+ }
+}
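Review bot: The new `authRequest.Approved is not null` guard in AuthRequestsController.cs is a check-then-act on an entity loaded earlier in the method, so two devices answering at nearly the same moment can both pass it before either answer is stored. The write that records the answer is outside this hunk, so this is inferred; if it is an unconditional save, the deny-then-approve case this commit targets stays reachable under concurrency. Consider making the update itself conditional on the request still being unanswered (or using an optimistic-concurrency check) and treating zero affected rows as the duplicate case. A comment such as `// A request may be answered only once; a later approve must not override an earlier deny.` would also record why the guard exists. The enclosing method starts and ends outside the hunk.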
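Review bot: The message passed to `base(...)` in DuplicateAuthRequestException.cs says a request "with the same device already exists", but the controller throws it when the request has already been approved or denied, so clients and logs get a misleading reason; something like `: base("This authentication request has already been answered.")` matches the condition. The class derives directly from `Exception`, and the API's exception handling is not visible here, so it is worth confirming that this type is mapped to a 4xx response, as is presumably the case for the `NotFoundException` thrown just above the guard, rather than surfacing as a server error. The empty constructor body with a blank line can be collapsed to `{ }`, and a `/// <summary>` stating when the exception is thrown would help.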