refactor(DeviceValidator): [Auth/PM-24362] Misc improvements (#6152)

* PM-24362 - DeviceValidator - (1) refactor name of NewDeviceOtpRequest --> RequestHasNewDeviceVerificationOtp (2) Move auth request rejection check above normal NDV check and remove auth request check from NDV check * PM-24362 - Update DeviceValidatorTests + add new scenario
2025-12-15 15:53:59 +00:00 · 2025-08-06 10:18:57 -04:00
parent 25a54b16f7
commit 000d1f2f6e
2 changed files with 68 additions and 22 deletions
--- a/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/DeviceValidatorTests.cs
@@ -9,6 +9,7 @@ using Bit.Core.Settings;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.IdentityServer.RequestValidators;
 using Bit.Test.Common.AutoFixture.Attributes;
+using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Validation;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
@@ -336,7 +337,7 @@ public class DeviceValidatorTests
        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
    {
        // Arrange
-        request.GrantType = "password";
+        request.GrantType = GrantType.ResourceOwnerPassword;
        context.TwoFactorRequired = twoFactoRequired;
        context.SsoRequired = ssoRequired;
        if (context.User != null)
@@ -359,6 +360,48 @@ public class DeviceValidatorTests
        var expectedErrorMessage = "auth request flow unsupported on unknown device";
        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
        Assert.Equal(expectedErrorMessage, actualResponse.Message);
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+    }
+
+    [Theory]
+    [BitAutoData(false, false)]
+    [BitAutoData(true, false)]
+    [BitAutoData(true, true)]
+    [BitAutoData(true, false)]
+    public async void ValidateRequestDeviceAsync_IsAuthRequest_NewDeviceOtp_Errors(
+        bool twoFactoRequired, bool ssoRequired,
+        CustomValidatorRequestContext context,
+        [AuthFixtures.ValidatedTokenRequest] ValidatedTokenRequest request)
+    {
+        // Arrange
+        request.GrantType = GrantType.ResourceOwnerPassword;
+        context.TwoFactorRequired = twoFactoRequired;
+        context.SsoRequired = ssoRequired;
+        if (context.User != null)
+        {
+            context.User.CreationDate = DateTime.UtcNow - TimeSpan.FromDays(365);
+        }
+
+        AddValidDeviceToRequest(request);
+
+        request.Raw.Add("AuthRequest", "authRequest");
+        // Simulate a new device OTP being present in the request in addition to the auth request
+        // We don't check known device if an new device OTP is present, but we still
+        // want to ensure that the auth request attempt is rejected
+        var newDeviceOtp = "123456";
+        request.Raw.Add("NewDeviceOtp", newDeviceOtp);
+
+        // Act
+        var result = await _sut.ValidateRequestDeviceAsync(request, context);
+
+        // Assert
+        Assert.False(result);
+        Assert.NotNull(context.CustomResponse["ErrorModel"]);
+        var expectedErrorMessage = "auth request flow unsupported on unknown device";
+        var actualResponse = (ErrorResponseModel)context.CustomResponse["ErrorModel"];
+        Assert.Equal(expectedErrorMessage, actualResponse.Message);
+        await _deviceService.Received(0).SaveAsync(Arg.Any<Device>());
+        await _deviceRepository.DidNotReceive().GetByIdentifierAsync(Arg.Any<string>(), Arg.Any<Guid>());
    }

    [Theory, BitAutoData]
@@ -617,7 +660,7 @@ public class DeviceValidatorTests
        // Autodata arranges

        // Act
-        var result = DeviceValidator.NewDeviceOtpRequest(request);
+        var result = DeviceValidator.RequestHasNewDeviceVerificationOtp(request);

        // Assert
        Assert.False(result);
@@ -631,7 +674,7 @@ public class DeviceValidatorTests
        request.Raw["NewDeviceOtp"] = "123456";

        // Act
-        var result = DeviceValidator.NewDeviceOtpRequest(request);
+        var result = DeviceValidator.RequestHasNewDeviceVerificationOtp(request);

        // Assert
        Assert.True(result);
@@ -655,7 +698,7 @@ public class DeviceValidatorTests
        ValidatedTokenRequest request)
    {
        context.KnownDevice = false;
-        request.GrantType = "password";
+        request.GrantType = GrantType.ResourceOwnerPassword;
        context.TwoFactorRequired = false;
        context.SsoRequired = false;
        if (context.User != null)