mirror of https://github.com/bitwarden/server.git synced 2025-07-01 16:12:49 -05:00

[PM-15614] Allow Users to opt out of new device verification (#5176)

feat(NewDeviceVerification) : 
* Created database migration scripts for VerifyDevices column in [dbo].[User].
* Updated DeviceValidator to check if user has opted out of device verification.
* Added endpoint to AccountsController.cs to allow editing of new User.VerifyDevices property.
* Added tests for new methods and endpoint.
* Updating queries to track [dbo].[User].[VerifyDevices].
* Updated DeviceValidator to set `User.EmailVerified` property during the New Device Verification flow.
Ike
2025-01-08 07:31:24 -08:00
committed by GitHub
parent 481a766cd2
commit a84ef0724c
21 changed files with 9459 additions and 9 deletions


@ -115,7 +115,7 @@ public class DeviceValidator(
/// </summary>
/// <param name="user">user attempting to authenticate</param>
/// <param name="ValidatedRequest">The Request is used to check for the NewDeviceOtp and for the raw device data</param>
/// <returns>returns deviceValtaionResultType</returns>
/// <returns>returns deviceValidationResultType</returns>
private async Task<DeviceValidationResultType> HandleNewDeviceVerificationAsync(User user, ValidatedRequest request)
{
// currently unreachable due to backward compatibility
@ -125,6 +125,12 @@ public class DeviceValidator(
return DeviceValidationResultType.InvalidUser;
}
// Has the User opted out of new device verification
if (!user.VerifyDevices)
{
return DeviceValidationResultType.Success;
}
// CS exception flow
// Check cache for user information
var cacheKey = string.Format(AuthConstants.NewDeviceVerificationExceptionCacheKeyFormat, user.Id.ToString());
@ -146,6 +152,12 @@ public class DeviceValidator(
var otpValid = await _userService.VerifyOTPAsync(user, newDeviceOtp);
if (otpValid)
{
// In order to get here they would have to have access to their email so we verify it if it's not already
if (!user.EmailVerified)
{
user.EmailVerified = true;
await _userService.SaveUserAsync(user);
}
return DeviceValidationResultType.Success;
}
return DeviceValidationResultType.InvalidNewDeviceOtp;
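Review bot: The block that sets `user.EmailVerified = true` after `VerifyOTPAsync` succeeds relies on an invariant these hunks do not show, namely that the new-device OTP can only have been delivered to the address currently stored on `user`. If a code could be issued before an email change or through another channel, a valid OTP would mark an address as verified without proof of control, so the comment should state the invariant, e.g. `// The new-device OTP is only sent to user.Email; a valid OTP therefore proves control of that mailbox.`, and `VerifyOTPAsync` should be confirmed to bind the token to the current email. The write also sits on the login path: an exception from `SaveUserAsync` would propagate before `return DeviceValidationResultType.Success;` and fail a login whose OTP was valid, and the change of verification state is not logged here. Separately, the `!user.VerifyDevices` early return in the second hunk skips verification entirely, so the AccountsController endpoint that edits that flag (not visible here) should be checked for a re-authentication requirement. The body of `HandleNewDeviceVerificationAsync` starts and ends outside these hunks.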