[SG-701] Updated controller to not send notification if request was d…

…enied (#2375) * Updated controller to not send response if request was denied. * Linting
bitwarden · Nov 1, 2022 · 14074e1 · 14074e1
1 parent 52b50ef
commit 14074e1
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/Api/Controllers/AuthRequestsController.cs b/src/Api/Controllers/AuthRequestsController.cs
@@ -142,7 +142,13 @@ public async Task<AuthRequestResponseModel> Put(string id, [FromBody] AuthReques
         authRequest.ResponseDate = DateTime.UtcNow;
         authRequest.Approved = model.RequestApproved;
         await _authRequestRepository.ReplaceAsync(authRequest);
-        await _pushNotificationService.PushAuthRequestResponseAsync(authRequest);
+
+        // We only want to send an approval notification if the request is approved (or null), 
+        // to not leak that it was denied to the originating client if it was originated by a malicious actor.
+        if (authRequest.Approved ?? true)
+        {
+            await _pushNotificationService.PushAuthRequestResponseAsync(authRequest);
+        }
 
         return new AuthRequestResponseModel(authRequest, _globalSettings.BaseServiceUri.Vault);
     }