[SG-762] Prevent approving request on second device after denying on first (#2370)

* Added check to ensure a passwordless request is not acted upon multiple times

* Corrected grammer

src/Api/Controllers/AuthRequestsController.cs

@@ -125,6 +125,11 @@ public class AuthRequestsController : Controller
             throw new NotFoundException();
         }
 
+        if (authRequest.Approved is not null)
+        {
+            throw new DuplicateAuthRequestException();
+        }
+
         var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier);
         if (device == null)
         {

src/Core/Exceptions/DuplicateAuthRequestException.cs

@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions;
+
+public class DuplicateAuthRequestException : Exception
+{
+    public DuplicateAuthRequestException()
+        : base("An authentication request with the same device already exists.")
+    {
+
+    }
+}