[AC-1192] Create endpoints for new Device Approvals page (#2993)

* [AC-1192] Create new OrganizationAuthRequestsController.cs * [AC-1192] Introduce OrganizationAdminAuthRequest model * [AC-1192] Add GetManyPendingByOrganizationId method to AuthRequest repository * [AC-1192] Add new list pending organization auth requests endpoint * [AC-1192] Add new GetManyAdminApprovalsByManyIdsAsync method to the AuthRequestRepository * [AC-1192] Make the response device identifier optional for admin approval requests * [AC-1192] Add endpoint for bulk denying admin device auth requests * [AC-1192] Add OrganizationUserId to PendingOrganizationAuthRequestResponseModel * [AC-1192] Add UpdateAuthRequest endpoint and logic to OrganizationAuthRequestsController * [AC-1192] Secure new endpoints behind TDE feature flag * [AC-1192] Formatting * [AC-1192] Add sql migration script * [AC-1192] Add optional OrganizationId column to AuthRequest entity - Rename migration script to match existing formatting - Add new column - Add migration scripts - Update new sprocs to filter/join on OrganizationId - Update old sprocs to include OrganizationId * [AC-1192] Format migration scripts * [AC-1192] Fix failing AuthRequest EF unit test * [AC-1192] Make OrganizationId optional in updated AuthRequest sprocs for backwards compatability * [AC-1192] Fix missing comma in migration file * [AC-1192] Rename Key to EncryptedUserKey to be more descriptive * [AC-1192] Move request validation into helper method to reduce repetition * [AC-1192] Return UnauthorizedAccessException instead of NotFound when user is missing permission * [AC-1192] Introduce FeatureUnavailableException * [AC-1192] Introduce RequireFeatureAttribute * [AC-1192] Utilize the new RequireFeatureAttribute in the OrganizationAuthRequestsController * [AC-1192] Attempt to fix out of sync database migration by moving new OrganizationId column * [AC-1192] More attempts to sync database migrations * [AC-1192] Formatting * [AC-1192] Remove unused reference to FeatureService * [AC-1192] Change Id types from String to Guid * [AC-1192] Add EncryptedString attribute * [AC-1192] Remove redundant OrganizationId property * [AC-1192] Switch to projection for OrganizationAdminAuthRequest mapping - Add new OrganizationUser relationship to EF entity - Replace AuthRequest DBContext config with new IEntityTypeConfiguration - Add navigation property to AuthRequest entity configuration for OrganizationUser - Update EF AuthRequestRepository to use new mapping and navigation properties * [AC-1192] Remove OrganizationUser navigation property
2024-11-22 12:15:36 +01:00 · 2023-06-15 14:54:08 -07:00 · 2023-06-15 14:54:08 -07:00 · 904b2fe205
commit 904b2fe205
parent bdd5e0916e
34 changed files with 7417 additions and 11 deletions
--- a/src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs
+++ b/src/Api/Auth/Models/Request/AdminAuthRequestUpdateRequestModel.cs
@ -0,0 +1,13 @@
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Utilities;
 namespace Bit.Api.Auth.Models.Request;
 public class AdminAuthRequestUpdateRequestModel
 {
    [EncryptedString]
    public string EncryptedUserKey { get; set; }
    [Required]
    public bool RequestApproved { get; set; }
 }
--- a/src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs
+++ b/src/Api/Auth/Models/Request/BulkDenyAdminAuthRequestRequestModel.cs
@ -0,0 +1,6 @@
 namespace Bit.Api.Auth.Models.Request;
 public class BulkDenyAdminAuthRequestRequestModel
 {
    public IEnumerable<Guid> Ids { get; set; }
 }
--- a/src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
+++ b/src/Api/Auth/Models/Response/PendingOrganizationAuthRequestResponseModel.cs
@ -0,0 +1,38 @@
 using System.ComponentModel.DataAnnotations;
 using System.Reflection;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Models.Api;
 namespace Bit.Api.Auth.Models.Response;
 public class PendingOrganizationAuthRequestResponseModel : ResponseModel
 {
    public PendingOrganizationAuthRequestResponseModel(OrganizationAdminAuthRequest authRequest, string obj = "pending-org-auth-request") : base(obj)
    {
        if (authRequest == null)
        {
            throw new ArgumentNullException(nameof(authRequest));
        }
        Id = authRequest.Id;
        UserId = authRequest.UserId;
        OrganizationUserId = authRequest.OrganizationUserId;
        Email = authRequest.Email;
        PublicKey = authRequest.PublicKey;
        RequestDeviceIdentifier = authRequest.RequestDeviceIdentifier;
        RequestDeviceType = authRequest.RequestDeviceType.GetType().GetMember(authRequest.RequestDeviceType.ToString())
            .FirstOrDefault()?.GetCustomAttribute<DisplayAttribute>()?.GetName();
        RequestIpAddress = authRequest.RequestIpAddress;
        CreationDate = authRequest.CreationDate;
    }
    public Guid Id { get; set; }
    public Guid UserId { get; set; }
    public Guid OrganizationUserId { get; set; }
    public string Email { get; set; }
    public string PublicKey { get; set; }
    public string RequestDeviceIdentifier { get; set; }
    public string RequestDeviceType { get; set; }
    public string RequestIpAddress { get; set; }
    public DateTime CreationDate { get; set; }
 }
--- a/src/Api/Controllers/OrganizationAuthRequestsController.cs
+++ b/src/Api/Controllers/OrganizationAuthRequestsController.cs
@ -0,0 +1,83 @@
 using Bit.Api.Auth.Models.Request;
 using Bit.Api.Auth.Models.Response;
 using Bit.Api.Models.Response;
 using Bit.Core;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 namespace Bit.Api.Controllers;
 [Route("organizations/{orgId}/auth-requests")]
 [Authorize("Application")]
 [RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
 public class OrganizationAuthRequestsController : Controller
 {
    private readonly IAuthRequestRepository _authRequestRepository;
    private readonly ICurrentContext _currentContext;
    private readonly IAuthRequestService _authRequestService;
    public OrganizationAuthRequestsController(IAuthRequestRepository authRequestRepository,
        ICurrentContext currentContext, IAuthRequestService authRequestService)
    {
        _authRequestRepository = authRequestRepository;
        _currentContext = currentContext;
        _authRequestService = authRequestService;
    }
    [HttpGet("")]
    public async Task<ListResponseModel<PendingOrganizationAuthRequestResponseModel>> GetPendingRequests(Guid orgId)
    {
        await ValidateAdminRequest(orgId);
        var authRequests = await _authRequestRepository.GetManyPendingByOrganizationIdAsync(orgId);
        var responses = authRequests
            .Select(a => new PendingOrganizationAuthRequestResponseModel(a))
            .ToList();
        return new ListResponseModel<PendingOrganizationAuthRequestResponseModel>(responses);
    }
    [HttpPost("{requestId}")]
    public async Task UpdateAuthRequest(Guid orgId, Guid requestId, [FromBody] AdminAuthRequestUpdateRequestModel model)
    {
        await ValidateAdminRequest(orgId);
        var authRequest =
            (await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, new[] { requestId })).FirstOrDefault();
        if (authRequest == null || authRequest.OrganizationId != orgId)
        {
            throw new NotFoundException();
        }
        await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
            new AuthRequestUpdateRequestModel { RequestApproved = model.RequestApproved, Key = model.EncryptedUserKey });
    }
    [HttpPost("deny")]
    public async Task BulkDenyRequests(Guid orgId, [FromBody] BulkDenyAdminAuthRequestRequestModel model)
    {
        await ValidateAdminRequest(orgId);
        var authRequests = await _authRequestRepository.GetManyAdminApprovalRequestsByManyIdsAsync(orgId, model.Ids);
        foreach (var authRequest in authRequests)
        {
            await _authRequestService.UpdateAuthRequestAsync(authRequest.Id, authRequest.UserId,
                new AuthRequestUpdateRequestModel { RequestApproved = false, });
        }
    }
    private async Task ValidateAdminRequest(Guid orgId)
    {
        if (!await _currentContext.ManageResetPassword(orgId))
        {
            throw new UnauthorizedAccessException();
        }
    }
 }
--- a/src/Core/Auth/Entities/AuthRequest.cs
+++ b/src/Core/Auth/Entities/AuthRequest.cs
@ -9,6 +9,7 @@ public class AuthRequest : ITableObject<Guid>
 {
    public Guid Id { get; set; }
    public Guid UserId { get; set; }
    public Guid? OrganizationId { get; set; }
    public Enums.AuthRequestType Type { get; set; }
    [MaxLength(50)]
    public string RequestDeviceIdentifier { get; set; }
--- a/src/Core/Auth/Enums/AuthRequestType.cs
+++ b/src/Core/Auth/Enums/AuthRequestType.cs
@ -3,5 +3,6 @@
 public enum AuthRequestType : byte
 {
    AuthenticateAndUnlock = 0,
-    Unlock = 1
+    Unlock = 1,
    AdminApproval = 2,
 }
--- a/src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs
+++ b/src/Core/Auth/Models/Data/OrganizationAdminAuthRequest.cs
@ -0,0 +1,18 @@
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 namespace Bit.Core.Auth.Models.Data;
 /// <summary>
 /// Represents an <see cref="AuthRequestType.AdminApproval"/> AuthRequest.
 /// Includes additional user and organization information.
 /// </summary>
 public class OrganizationAdminAuthRequest : AuthRequest
 {
    /// <summary>
    /// Email address of the requesting user
    /// </summary>
    public string Email { get; set; }
    public Guid OrganizationUserId { get; set; }
 }
--- a/src/Core/Auth/Repositories/IAuthRequestRepository.cs
+++ b/src/Core/Auth/Repositories/IAuthRequestRepository.cs
@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Data;
 namespace Bit.Core.Repositories;
@ -6,4 +7,6 @@ public interface IAuthRequestRepository : IRepository<AuthRequest, Guid>
 {
    Task<int> DeleteExpiredAsync();
    Task<ICollection<AuthRequest>> GetManyByUserIdAsync(Guid userId);
    Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId);
    Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
 }
--- a/src/Core/Auth/Services/Implementations/AuthRequestService.cs
+++ b/src/Core/Auth/Services/Implementations/AuthRequestService.cs
@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Exceptions;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Context;
@ -119,13 +120,17 @@ public class AuthRequestService : IAuthRequestService
            throw new DuplicateAuthRequestException();
        }
        // Admin approval responses are not tied to a specific device, so we don't need to validate it.
        if (authRequest.Type != AuthRequestType.AdminApproval)
        {
            var device = await _deviceRepository.GetByIdentifierAsync(model.DeviceIdentifier, userId);
            if (device == null)
            {
                throw new BadRequestException("Invalid device.");
            }
            authRequest.ResponseDeviceId = device.Id;
        }
        authRequest.ResponseDate = DateTime.UtcNow;
        authRequest.Approved = model.RequestApproved;
--- a/src/Core/Exceptions/FeatureUnavailableException.cs
+++ b/src/Core/Exceptions/FeatureUnavailableException.cs
@ -0,0 +1,14 @@
 namespace Bit.Core.Exceptions;
 /// <summary>
 /// Exception to throw when a requested feature is not yet enabled/available for the requesting context.
 /// </summary>
 public class FeatureUnavailableException : NotFoundException
 {
    public FeatureUnavailableException()
    { }
    public FeatureUnavailableException(string message)
        : base(message)
    { }
 }
--- a/src/Core/Utilities/RequireFeatureAttribute.cs
+++ b/src/Core/Utilities/RequireFeatureAttribute.cs
@ -0,0 +1,36 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.DependencyInjection;
 namespace Bit.Core.Utilities;
 /// <summary>
 /// Specifies that the class or method that this attribute is applied to requires the specified boolean feature flag
 /// to be enabled. If the feature flag is not enabled, a <see cref="FeatureUnavailableException"/> is thrown
 /// </summary>
 public class RequireFeatureAttribute : ActionFilterAttribute
 {
    private readonly string _featureFlagKey;
    /// <summary>
    /// Initializes a new instance of the <see cref="RequireFeatureAttribute"/> class with the specified feature flag key.
    /// </summary>
    /// <param name="featureFlagKey">The name of the feature flag to require.</param>
    public RequireFeatureAttribute(string featureFlagKey)
    {
        _featureFlagKey = featureFlagKey;
    }
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var currentContext = context.HttpContext.RequestServices.GetRequiredService<ICurrentContext>();
        var featureService = context.HttpContext.RequestServices.GetRequiredService<IFeatureService>();
        if (!featureService.IsEnabled(_featureFlagKey, currentContext))
        {
            throw new FeatureUnavailableException();
        }
    }
 }
--- a/src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs
+++ b/src/Infrastructure.Dapper/Auth/Repositories/AuthRequestRepository.cs
@ -1,5 +1,6 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
@ -41,4 +42,30 @@ public class AuthRequestRepository : Repository<AuthRequest, Guid>, IAuthRequest
            return results.ToList();
        }
    }
    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
                $"[{Schema}].[AuthRequest_ReadPendingByOrganizationId]",
                new { OrganizationId = organizationId },
                commandType: CommandType.StoredProcedure);
            return results.ToList();
        }
    }
    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(Guid organizationId, IEnumerable<Guid> ids)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var results = await connection.QueryAsync<OrganizationAdminAuthRequest>(
                $"[{Schema}].[AuthRequest_ReadAdminApprovalsByIds]",
                new { OrganizationId = organizationId, Ids = ids.ToGuidIdArrayTVP() },
                commandType: CommandType.StoredProcedure);
            return results.ToList();
        }
    }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Configurations/AuthRequestConfiguration.cs
@ -0,0 +1,14 @@
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Metadata.Builders;
 namespace Bit.Infrastructure.EntityFramework.Auth.Configurations;
 public class AuthRequestConfiguration : IEntityTypeConfiguration<AuthRequest>
 {
    public void Configure(EntityTypeBuilder<AuthRequest> builder)
    {
        builder.Property(ar => ar.Id).ValueGeneratedNever();
        builder.ToTable(nameof(AuthRequest));
    }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Models/AuthRequest.cs
@ -1,4 +1,5 @@
 using AutoMapper;
 using Bit.Core.Auth.Models.Data;
 using Bit.Infrastructure.EntityFramework.Models;
 namespace Bit.Infrastructure.EntityFramework.Auth.Models;
@ -7,6 +8,7 @@ public class AuthRequest : Core.Auth.Entities.AuthRequest
 {
    public virtual User User { get; set; }
    public virtual Device ResponseDevice { get; set; }
    public virtual Organization Organization { get; set; }
 }
 public class AuthRequestMapperProfile : Profile
@ -14,5 +16,9 @@ public class AuthRequestMapperProfile : Profile
    public AuthRequestMapperProfile()
    {
        CreateMap<Core.Auth.Entities.AuthRequest, AuthRequest>().ReverseMap();
        CreateProjection<AuthRequest, OrganizationAdminAuthRequest>()
            .ForMember(m => m.Email, opt => opt.MapFrom(t => t.User.Email))
            .ForMember(m => m.OrganizationUserId, opt => opt.MapFrom(
                t => t.User.OrganizationUsers.FirstOrDefault(ou => ou.OrganizationId == t.OrganizationId && ou.UserId == t.UserId).Id));
    }
 }
--- a/src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs
+++ b/src/Infrastructure.EntityFramework/Auth/Repositories/AuthRequestRepository.cs
@ -1,4 +1,7 @@
 using AutoMapper;
 using AutoMapper.QueryableExtensions;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
@ -33,4 +36,32 @@ public class AuthRequestRepository : Repository<Core.Auth.Entities.AuthRequest,
            return Mapper.Map<List<Core.Auth.Entities.AuthRequest>>(userAuthRequests);
        }
    }
    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyPendingByOrganizationIdAsync(Guid organizationId)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
            var dbContext = GetDatabaseContext(scope);
            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
                                             where ar.OrganizationId.Equals(organizationId) && ar.ResponseDate == null && ar.Type == AuthRequestType.AdminApproval
                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
            return orgUserAuthRequests;
        }
    }
    public async Task<ICollection<OrganizationAdminAuthRequest>> GetManyAdminApprovalRequestsByManyIdsAsync(
        Guid organizationId,
        IEnumerable<Guid> ids)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
            var dbContext = GetDatabaseContext(scope);
            var orgUserAuthRequests = await (from ar in dbContext.AuthRequests
                                             where ar.OrganizationId.Equals(organizationId) && ids.Contains(ar.Id) && ar.Type == AuthRequestType.AdminApproval
                                             select ar).ProjectTo<OrganizationAdminAuthRequest>(Mapper.ConfigurationProvider).ToListAsync();
            return orgUserAuthRequests;
        }
    }
 }
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
@ -97,7 +97,6 @@ public class DatabaseContext : DbContext
        var eUser = builder.Entity<User>();
        var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
        var eOrganizationConnection = builder.Entity<OrganizationConnection>();
        var eAuthRequest = builder.Entity<AuthRequest>();
        var eOrganizationDomain = builder.Entity<OrganizationDomain>();
        eCipher.Property(c => c.Id).ValueGeneratedNever();
@ -119,7 +118,6 @@ public class DatabaseContext : DbContext
        eUser.Property(c => c.Id).ValueGeneratedNever();
        eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
        eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
        eAuthRequest.Property(ar => ar.Id).ValueGeneratedNever();
        eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();
        eCollectionCipher.HasKey(cc => new { cc.CollectionId, cc.CipherId });
@ -171,7 +169,6 @@ public class DatabaseContext : DbContext
        eUser.ToTable(nameof(User));
        eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
        eOrganizationConnection.ToTable(nameof(OrganizationConnection));
        eAuthRequest.ToTable(nameof(AuthRequest));
        eOrganizationDomain.ToTable(nameof(OrganizationDomain));
        ConfigureDateTimeUtcQueries(builder);
--- a/Procedures/AuthRequest_Create.sql
+++ b/Procedures/AuthRequest_Create.sql
@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Create]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type TINYINT,
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType TINYINT,
@ -22,6 +23,7 @@ BEGIN
    (
        [Id],
        [UserId],
        [OrganizationId],
        [Type],
        [RequestDeviceIdentifier],
        [RequestDeviceType],
@ -40,6 +42,7 @@ BEGIN
    (
        @Id,
        @UserId,
        @OrganizationId,
        @Type,
        @RequestDeviceIdentifier,
        @RequestDeviceType,
--- a/Procedures/AuthRequest_ReadAdminApprovalsByIds.sql
+++ b/Procedures/AuthRequest_ReadAdminApprovalsByIds.sql
@ -0,0 +1,20 @@
 CREATE PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
 	@OrganizationId UNIQUEIDENTIFIER,
 	@Ids AS [dbo].[GuidIdArray] READONLY
 AS
 BEGIN
    SET NOCOUNT ON
 SELECT
    ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
 FROM
    [dbo].[AuthRequestView] ar
    INNER JOIN
        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
    WHERE
        ar.[OrganizationId] = @OrganizationId
    AND
        ar.[Type] = 2 -- AdminApproval
    AND
        ar.[Id] IN (SELECT [Id] FROM @Ids)
 END
--- a/Procedures/AuthRequest_ReadPendingByOrganizationId.sql
+++ b/Procedures/AuthRequest_ReadPendingByOrganizationId.sql
@ -0,0 +1,19 @@
 CREATE PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
    @OrganizationId UNIQUEIDENTIFIER
 AS
 BEGIN
    SET NOCOUNT ON
 SELECT
    ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
 FROM
    [dbo].[AuthRequestView] ar
    INNER JOIN
        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
    WHERE
        ar.[OrganizationId] = @OrganizationId 
    AND 
        ar.[ResponseDate] IS NULL
    AND
        ar.[Type] = 2 -- AdminApproval
 END
--- a/Procedures/AuthRequest_Update.sql
+++ b/Procedures/AuthRequest_Update.sql
@ -1,6 +1,7 @@
 CREATE PROCEDURE [dbo].[AuthRequest_Update]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type SMALLINT, 
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType SMALLINT,
@ -23,6 +24,7 @@ BEGIN
    SET
        [UserId] = @UserId,
        [Type] = @Type,
        [OrganizationId] = @OrganizationId,
        [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
        [RequestDeviceType] = @RequestDeviceType,
        [RequestIpAddress] = @RequestIpAddress,
--- a/src/Sql/Auth/dbo/Tables/AuthRequest.sql
+++ b/src/Sql/Auth/dbo/Tables/AuthRequest.sql
@ -14,9 +14,11 @@
    [CreationDate]              DATETIME2 (7)    NOT NULL,
    [ResponseDate]              DATETIME2 (7)    NULL,
    [AuthenticationDate]        DATETIME2 (7)    NULL,
    [OrganizationId]            UNIQUEIDENTIFIER NULL,
    CONSTRAINT [PK_AuthRequest] PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [FK_AuthRequest_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id]),
-    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id])
+    CONSTRAINT [FK_AuthRequest_ResponseDevice] FOREIGN KEY ([ResponseDeviceId]) REFERENCES [dbo].[Device] ([Id]),
    CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );
--- a/test/Core.Test/Utilities/RequireFeatureAttributeTests.cs
+++ b/test/Core.Test/Utilities/RequireFeatureAttributeTests.cs
@ -0,0 +1,85 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Abstractions;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
 using NSubstitute;
 using Xunit;
 namespace Bit.Core.Test.Utilities;
 public class RequireFeatureAttributeTests
 {
    private const string _testFeature = "test-feature";
    [Fact]
    public void Throws_When_Feature_Disabled()
    {
        // Arrange
        var rfa = new RequireFeatureAttribute(_testFeature);
        // Act & Assert
        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
    }
    [Fact]
    public void Throws_When_Feature_Not_Found()
    {
        // Arrange
        var rfa = new RequireFeatureAttribute("missing-feature");
        // Act & Assert
        Assert.Throws<FeatureUnavailableException>(() => rfa.OnActionExecuting(GetContext(enabled: false)));
    }
    [Fact]
    public void Success_When_Feature_Enabled()
    {
        // Arrange
        var rfa = new RequireFeatureAttribute(_testFeature);
        // Act
        rfa.OnActionExecuting(GetContext(enabled: true));
        // Assert
        // The Assert here is NOT throwing an exception
    }
    /// <summary>
    /// Generates a ActionExecutingContext with the necessary services registered to test
    /// the <see cref="RequireFeatureAttribute"/>
    /// </summary>
    /// <param name="enabled">Mock value for the <see cref="_testFeature"/> flag</param>
    /// <returns></returns>
    private static ActionExecutingContext GetContext(bool enabled)
    {
        IServiceCollection services = new ServiceCollection();
        var featureService = Substitute.For<IFeatureService>();
        var currentContext = Substitute.For<ICurrentContext>();
        featureService.IsEnabled(_testFeature, Arg.Any<ICurrentContext>()).Returns(enabled);
        services.AddSingleton(featureService);
        services.AddSingleton(currentContext);
        var httpContext = new DefaultHttpContext();
        httpContext.RequestServices = services.BuildServiceProvider();
        var context = Substitute.For<ActionExecutingContext>(
            Substitute.For<ActionContext>(httpContext,
                new RouteData(),
                Substitute.For<ActionDescriptor>()),
            new List<IFilterMetadata>(),
            new Dictionary<string, object>(),
            Substitute.For<Controller>());
        return context;
    }
 }
--- a/test/Infrastructure.EFIntegration.Test/Auth/AutoFixture/AuthRequestFixtures.cs
+++ b/test/Infrastructure.EFIntegration.Test/Auth/AutoFixture/AuthRequestFixtures.cs
@ -41,9 +41,11 @@ internal class EfAuthRequest : ICustomization
        fixture.Customizations.Add(new GlobalSettingsBuilder());
        fixture.Customizations.Add(new AuthRequestBuilder());
        fixture.Customizations.Add(new DeviceBuilder());
        fixture.Customizations.Add(new OrganizationBuilder());
        fixture.Customizations.Add(new UserBuilder());
        fixture.Customizations.Add(new EfRepositoryListBuilder<AuthRequestRepository>());
        fixture.Customizations.Add(new EfRepositoryListBuilder<DeviceRepository>());
        fixture.Customizations.Add(new EfRepositoryListBuilder<OrganizationRepository>());
        fixture.Customizations.Add(new EfRepositoryListBuilder<UserRepository>());
    }
 }
--- a/test/Infrastructure.EFIntegration.Test/Auth/Repositories/AuthRequestRepositoryTests.cs
+++ b/test/Infrastructure.EFIntegration.Test/Auth/Repositories/AuthRequestRepositoryTests.cs
@ -19,9 +19,12 @@ public class AuthRequestRepositoryTests
        AuthRequestCompare equalityComparer,
        List<EfAuthRepo.AuthRequestRepository> suts,
        SqlAuthRepo.AuthRequestRepository sqlAuthRequestRepo,
        Organization organization,
        User user,
        List<EfRepo.UserRepository> efUserRepos,
-        SqlRepo.UserRepository sqlUserRepo
+        List<EfRepo.OrganizationRepository> efOrgRepos,
        SqlRepo.UserRepository sqlUserRepo,
        SqlRepo.OrganizationRepository sqlOrgRepo
        )
    {
        authRequest.ResponseDeviceId = null;
@ -34,6 +37,10 @@ public class AuthRequestRepositoryTests
            sut.ClearChangeTracking();
            authRequest.UserId = efUser.Id;
            var efOrg = await efOrgRepos[i].CreateAsync(organization);
            sut.ClearChangeTracking();
            authRequest.OrganizationId = efOrg.Id;
            var postEfAuthRequest = await sut.CreateAsync(authRequest);
            sut.ClearChangeTracking();
@ -43,6 +50,8 @@ public class AuthRequestRepositoryTests
        var sqlUser = await sqlUserRepo.CreateAsync(user);
        authRequest.UserId = sqlUser.Id;
        var sqlOrg = await sqlOrgRepo.CreateAsync(organization);
        authRequest.OrganizationId = sqlOrg.Id;
        var sqlAuthRequest = await sqlAuthRequestRepo.CreateAsync(authRequest);
        var savedSqlAuthRequest = await sqlAuthRequestRepo.GetByIdAsync(sqlAuthRequest.Id);
        savedAuthRequests.Add(savedSqlAuthRequest);
--- a/util/Migrator/DbScripts/2023-06-01_00_TdeAdminApproval.sql
+++ b/util/Migrator/DbScripts/2023-06-01_00_TdeAdminApproval.sql
@ -0,0 +1,193 @@
 --Add OrganizationId Column and Foreign Key
 IF COL_LENGTH('[dbo].[AuthRequest]', 'OrganizationId') IS NULL
 BEGIN
 ALTER TABLE
    [dbo].[AuthRequest]
    ADD [OrganizationId] UNIQUEIDENTIFIER NULL;
    ALTER TABLE 
    [dbo].[AuthRequest]
    ADD CONSTRAINT [FK_AuthRequest_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 END
 GO
 -- Drop and recreate view
 IF EXISTS(SELECT * FROM sys.views WHERE [Name] = 'AuthRequestView')
    BEGIN
        DROP VIEW [dbo].[AuthRequestView]
    END
 GO
 CREATE VIEW [dbo].[AuthRequestView]
 AS
 SELECT
    *
 FROM
    [dbo].[AuthRequest]
 GO
 --Drop existing SPROC
 IF OBJECT_ID('[dbo].[AuthRequest_Update]') IS NOT NULL
    BEGIN
        DROP PROCEDURE [dbo].[AuthRequest_Update]
    END
 GO
 --Create SPROC with OrganizationId column
 CREATE PROCEDURE [dbo].[AuthRequest_Update]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type SMALLINT, 
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType SMALLINT,
    @RequestIpAddress VARCHAR(50),
    @ResponseDeviceId UNIQUEIDENTIFIER,
    @AccessCode VARCHAR(25),
    @PublicKey VARCHAR(MAX),
    @Key VARCHAR(MAX),
    @MasterPasswordHash VARCHAR(MAX),
    @Approved BIT,
    @CreationDate DATETIME2 (7),
    @ResponseDate DATETIME2 (7),
    @AuthenticationDate DATETIME2 (7)    
 AS
 BEGIN
    SET NOCOUNT ON
 UPDATE
    [dbo].[AuthRequest]
 SET
    [UserId] = @UserId,
    [Type] = @Type,
    [OrganizationId] = @OrganizationId,
    [RequestDeviceIdentifier] = @RequestDeviceIdentifier,
    [RequestDeviceType] = @RequestDeviceType,
    [RequestIpAddress] = @RequestIpAddress,
    [ResponseDeviceId] = @ResponseDeviceId,
    [AccessCode] = @AccessCode,
    [PublicKey] = @PublicKey,
    [Key] = @Key,
    [MasterPasswordHash] = @MasterPasswordHash,
    [Approved] = @Approved,
    [CreationDate] = @CreationDate,
    [ResponseDate] = @ResponseDate,
    [AuthenticationDate] = @AuthenticationDate
 WHERE
    [Id] = @Id
 END
 GO
 --Drop existing SPROC
 IF OBJECT_ID('[dbo].[AuthRequest_Create]') IS NOT NULL
 BEGIN
        DROP PROCEDURE [dbo].[AuthRequest_Create]
 END
 GO
 --Create SPROC with OrganizationId column
 CREATE PROCEDURE [dbo].[AuthRequest_Create]
    @Id UNIQUEIDENTIFIER OUTPUT,
    @UserId UNIQUEIDENTIFIER,
    @OrganizationId UNIQUEIDENTIFIER = NULL,
    @Type TINYINT,
    @RequestDeviceIdentifier NVARCHAR(50),
    @RequestDeviceType TINYINT,
    @RequestIpAddress VARCHAR(50),
    @ResponseDeviceId UNIQUEIDENTIFIER,
    @AccessCode VARCHAR(25),
    @PublicKey VARCHAR(MAX),
    @Key VARCHAR(MAX),
    @MasterPasswordHash VARCHAR(MAX),
    @Approved BIT,
    @CreationDate DATETIME2(7),
    @ResponseDate DATETIME2(7),
    @AuthenticationDate DATETIME2(7)
 AS
 BEGIN
    SET NOCOUNT ON
    INSERT INTO [dbo].[AuthRequest]
    (
        [Id],
        [UserId],
        [OrganizationId],
        [Type],
        [RequestDeviceIdentifier],
        [RequestDeviceType],
        [RequestIpAddress],
        [ResponseDeviceId],
        [AccessCode],
        [PublicKey],
        [Key],
        [MasterPasswordHash],
        [Approved],
        [CreationDate],
        [ResponseDate],
        [AuthenticationDate]
    )
    VALUES
    (
        @Id,
        @UserId,
        @OrganizationId,
        @Type,
        @RequestDeviceIdentifier,
        @RequestDeviceType,
        @RequestIpAddress,
        @ResponseDeviceId,
        @AccessCode,
        @PublicKey,
        @Key,
        @MasterPasswordHash,
        @Approved,
        @CreationDate,
        @ResponseDate,
        @AuthenticationDate
    )
 END
 Go
 -- New SPROC
 CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadAdminApprovalsByIds]
 	@OrganizationId UNIQUEIDENTIFIER,
 	@Ids AS [dbo].[GuidIdArray] READONLY
 AS
 BEGIN
    SET NOCOUNT ON
 SELECT
    ar.*, ou.[Email], ou.[Id] AS [OrganizationUserId]
 FROM
    [dbo].[AuthRequestView] ar
    INNER JOIN
        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
    WHERE
        ar.[OrganizationId] = @OrganizationId
    AND
        ar.[Type] = 2 -- AdminApproval
    AND
        ar.[Id] IN (SELECT [Id] FROM @Ids)
 END
 GO
 -- New SPROC
 CREATE OR ALTER PROCEDURE [dbo].[AuthRequest_ReadPendingByOrganizationId]
    @OrganizationId UNIQUEIDENTIFIER
 AS
 BEGIN
    SET NOCOUNT ON
 SELECT
    ar.*, ou.[Email], ou.[OrganizationId], ou.[Id] AS [OrganizationUserId]
 FROM
    [dbo].[AuthRequestView] ar
    INNER JOIN
        [dbo].[OrganizationUser] ou ON ou.[UserId] = ar.[UserId] AND ou.[OrganizationId] = ar.[OrganizationId]
    WHERE
        ar.[OrganizationId] = @OrganizationId
    AND
        ar.[ResponseDate] IS NULL
    AND
        ar.[Type] = 2 -- AdminApproval
 END
 GO
--- a/util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.Designer.cs
+++ b/util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.Designer.cs
--- a/util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.cs
+++ b/util/MySqlMigrations/Migrations/20230605183142_TdeAdminApproval.cs
@ -0,0 +1,45 @@
 using Microsoft.EntityFrameworkCore.Migrations;
 #nullable disable
 namespace Bit.MySqlMigrations.Migrations;
 public partial class TdeAdminApproval : Migration
 {
    protected override void Up(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.AddColumn<Guid>(
            name: "OrganizationId",
            table: "AuthRequest",
            type: "char(36)",
            nullable: true,
            collation: "ascii_general_ci");
        migrationBuilder.CreateIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId");
        migrationBuilder.AddForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId",
            principalTable: "Organization",
            principalColumn: "Id");
    }
    protected override void Down(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.DropForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropColumn(
            name: "OrganizationId",
            table: "AuthRequest");
    }
 }
--- a/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
@ -43,6 +43,9 @@ namespace Bit.MySqlMigrations.Migrations
                    b.Property<string>("MasterPasswordHash")
                        .HasColumnType("longtext");
                    b.Property<Guid?>("OrganizationId")
                        .HasColumnType("char(36)");
                    b.Property<string>("PublicKey")
                        .HasColumnType("longtext");
@ -71,6 +74,8 @@ namespace Bit.MySqlMigrations.Migrations
                    b.HasKey("Id");
                    b.HasIndex("OrganizationId");
                    b.HasIndex("ResponseDeviceId");
                    b.HasIndex("UserId");
@ -1658,6 +1663,10 @@ namespace Bit.MySqlMigrations.Migrations
            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                {
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
                        .WithMany()
                        .HasForeignKey("OrganizationId");
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                        .WithMany()
                        .HasForeignKey("ResponseDeviceId");
@ -1668,6 +1677,8 @@ namespace Bit.MySqlMigrations.Migrations
                        .OnDelete(DeleteBehavior.Cascade)
                        .IsRequired();
                    b.Navigation("Organization");
                    b.Navigation("ResponseDevice");
                    b.Navigation("User");
--- a/util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.Designer.cs
+++ b/util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.Designer.cs
--- a/util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.cs
+++ b/util/PostgresMigrations/Migrations/20230605182609_TdeAdminApproval.cs
@ -0,0 +1,44 @@
 using Microsoft.EntityFrameworkCore.Migrations;
 #nullable disable
 namespace Bit.PostgresMigrations.Migrations;
 public partial class TdeAdminApproval : Migration
 {
    protected override void Up(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.AddColumn<Guid>(
            name: "OrganizationId",
            table: "AuthRequest",
            type: "uuid",
            nullable: true);
        migrationBuilder.CreateIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId");
        migrationBuilder.AddForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId",
            principalTable: "Organization",
            principalColumn: "Id");
    }
    protected override void Down(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.DropForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropColumn(
            name: "OrganizationId",
            table: "AuthRequest");
    }
 }
--- a/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
@ -47,6 +47,9 @@ namespace Bit.PostgresMigrations.Migrations
                    b.Property<string>("MasterPasswordHash")
                        .HasColumnType("text");
                    b.Property<Guid?>("OrganizationId")
                        .HasColumnType("uuid");
                    b.Property<string>("PublicKey")
                        .HasColumnType("text");
@ -75,6 +78,8 @@ namespace Bit.PostgresMigrations.Migrations
                    b.HasKey("Id");
                    b.HasIndex("OrganizationId");
                    b.HasIndex("ResponseDeviceId");
                    b.HasIndex("UserId");
@ -1669,6 +1674,10 @@ namespace Bit.PostgresMigrations.Migrations
            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                {
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
                        .WithMany()
                        .HasForeignKey("OrganizationId");
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                        .WithMany()
                        .HasForeignKey("ResponseDeviceId");
@ -1679,6 +1688,8 @@ namespace Bit.PostgresMigrations.Migrations
                        .OnDelete(DeleteBehavior.Cascade)
                        .IsRequired();
                    b.Navigation("Organization");
                    b.Navigation("ResponseDevice");
                    b.Navigation("User");
--- a/util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.Designer.cs
+++ b/util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.Designer.cs
--- a/util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.cs
+++ b/util/SqliteMigrations/Migrations/20230605182605_TdeAdminApproval.cs
@ -0,0 +1,44 @@
 using Microsoft.EntityFrameworkCore.Migrations;
 #nullable disable
 namespace Bit.SqliteMigrations.Migrations;
 public partial class TdeAdminApproval : Migration
 {
    protected override void Up(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.AddColumn<Guid>(
            name: "OrganizationId",
            table: "AuthRequest",
            type: "TEXT",
            nullable: true);
        migrationBuilder.CreateIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId");
        migrationBuilder.AddForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest",
            column: "OrganizationId",
            principalTable: "Organization",
            principalColumn: "Id");
    }
    protected override void Down(MigrationBuilder migrationBuilder)
    {
        migrationBuilder.DropForeignKey(
            name: "FK_AuthRequest_Organization_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropIndex(
            name: "IX_AuthRequest_OrganizationId",
            table: "AuthRequest");
        migrationBuilder.DropColumn(
            name: "OrganizationId",
            table: "AuthRequest");
    }
 }
--- a/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
+++ b/util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
@ -41,6 +41,9 @@ namespace Bit.SqliteMigrations.Migrations
                    b.Property<string>("MasterPasswordHash")
                        .HasColumnType("TEXT");
                    b.Property<Guid?>("OrganizationId")
                        .HasColumnType("TEXT");
                    b.Property<string>("PublicKey")
                        .HasColumnType("TEXT");
@ -69,6 +72,8 @@ namespace Bit.SqliteMigrations.Migrations
                    b.HasKey("Id");
                    b.HasIndex("OrganizationId");
                    b.HasIndex("ResponseDeviceId");
                    b.HasIndex("UserId");
@ -1656,6 +1661,10 @@ namespace Bit.SqliteMigrations.Migrations
            modelBuilder.Entity("Bit.Infrastructure.EntityFramework.Auth.Models.AuthRequest", b =>
                {
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Organization", "Organization")
                        .WithMany()
                        .HasForeignKey("OrganizationId");
                    b.HasOne("Bit.Infrastructure.EntityFramework.Models.Device", "ResponseDevice")
                        .WithMany()
                        .HasForeignKey("ResponseDeviceId");
@ -1666,6 +1675,8 @@ namespace Bit.SqliteMigrations.Migrations
                        .OnDelete(DeleteBehavior.Cascade)
                        .IsRequired();
                    b.Navigation("Organization");
                    b.Navigation("ResponseDevice");
                    b.Navigation("User");