PM-34130 - PR feedback resolution

JaredSnider-Bitwarden · JaredSnider-Bitwarden · commit 17980b0e397d · 2026-04-08T18:53:20.000-04:00
diff --git a/src/Sql/dbo/Auth/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql b/src/Sql/dbo/Auth/Stored Procedures/Device_ReadActiveWithPendingAuthRequestsByUserId.sql
@@ -20,16 +20,19 @@ BEGIN
         D.[Active],
         AR.[Id] AS [AuthRequestId],
         AR.[CreationDate] AS [AuthRequestCreationDate]
-    FROM [dbo].[DeviceView] D
+    FROM
+        [dbo].[DeviceView] D
     LEFT OUTER JOIN (
         SELECT
             [Id],
             [CreationDate],
             [RequestDeviceIdentifier],
             [Approved],
             ROW_NUMBER() OVER (PARTITION BY [RequestDeviceIdentifier] ORDER BY [CreationDate] DESC) AS rn
-        FROM [dbo].[AuthRequestView]
-        WHERE [Type] IN (0,1)  -- AuthenticateAndUnlock and Unlock types only
+        FROM
+            [dbo].[AuthRequestView]
+        WHERE
+            [Type] IN (0,1)  -- AuthenticateAndUnlock and Unlock types only
             AND [CreationDate] >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
             AND [UserId] = @UserId -- Requests for this user only
     ) AR -- This join will get the most recent request per device, regardless of approval status
diff --git a/util/Migrator/DbScripts/2026-04-07_00_Alter_Device_ReadActiveWithPendingAuthRequestsByUserId.sql b/util/Migrator/DbScripts/2026-04-07_00_Alter_Device_ReadActiveWithPendingAuthRequestsByUserId.sql
@@ -1,8 +1,10 @@
 -- PM-34130: Replace SELECT D.* with an explicit column list.
--- Previously, Dapper mapped results by column position into a 14-parameter constructor.
--- A column addition, removal, or reorder in DeviceView would silently assign wrong values
--- with no compile or runtime error. Explicit columns enable name-based mapping via property
--- setters, eliminating the positional dependency and restoring EDD backwards compatibility.
+-- Previously, Dapper selected the 14-parameter constructor and mapped columns
+-- positionally. A column addition, removal, or reorder in DeviceView would
+-- silently assign wrong values with no compile or runtime error.
+-- DeviceAuthDetails now has a parameterless constructor, so Dapper maps by
+-- property name instead. The explicit column list documents intent and prevents
+-- unexpected columns from DeviceView leaking into the result.
 CREATE OR ALTER PROCEDURE [dbo].[Device_ReadActiveWithPendingAuthRequestsByUserId]
     @UserId UNIQUEIDENTIFIER,
     @ExpirationMinutes INT
@@ -25,16 +27,19 @@ BEGIN
         D.[Active],
         AR.[Id] AS [AuthRequestId],
         AR.[CreationDate] AS [AuthRequestCreationDate]
-    FROM [dbo].[DeviceView] D
+    FROM
+        [dbo].[DeviceView] D
     LEFT OUTER JOIN (
         SELECT
             [Id],
             [CreationDate],
             [RequestDeviceIdentifier],
             [Approved],
             ROW_NUMBER() OVER (PARTITION BY [RequestDeviceIdentifier] ORDER BY [CreationDate] DESC) AS rn
-        FROM [dbo].[AuthRequestView]
-        WHERE [Type] IN (0,1)  -- AuthenticateAndUnlock and Unlock types only
+        FROM
+            [dbo].[AuthRequestView]
+        WHERE
+            [Type] IN (0,1)  -- AuthenticateAndUnlock and Unlock types only
             AND [CreationDate] >= DATEADD(MINUTE, -@ExpirationMinutes, GETUTCDATE()) -- Ensure the request hasn't expired
             AND [UserId] = @UserId -- Requests for this user only
     ) AR -- This join will get the most recent request per device, regardless of approval status
