Previously we weren't setting the response date anywhere. It doesn't seem to be used, but we might as well return it just in case.
If an authentication request was already approved, we don't allow doing it again. This is to match what Bitwarden is doing, though I don't think there's a way to actually do it or exploit it somehow.
Added an explicit time limit for the auth requests. Previously we relied on our scheduled job to clean them up, and a user could technically disable that.
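The three behaviours described above (response date recorded, no second approval, expiry enforced at the point of use rather than by a cleanup job), as an added Python example that is not code from this change. The 15-minute limit and all names (`AuthRequest`, `respond`, `AUTH_REQUEST_TTL`) are assumptions; the description does not state them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed validity window; the actual limit is not given in the description.
AUTH_REQUEST_TTL = timedelta(minutes=15)


class AuthRequestError(Exception):
    """Raised when a response to an auth request must be refused."""


@dataclass
class AuthRequest:
    creation_date: datetime
    approved: Optional[bool] = None          # None means still pending
    response_date: Optional[datetime] = None

    def is_expired(self, now: datetime) -> bool:
        # Evaluated on every use, so the limit holds even if the
        # scheduled cleanup job is disabled and the row is never purged.
        return now - self.creation_date > AUTH_REQUEST_TTL


def respond(req: AuthRequest, approve: bool, now: datetime) -> AuthRequest:
    if req.is_expired(now):
        raise AuthRequestError("auth request expired")
    if req.approved is True:
        # An approved request is final; it cannot be answered again.
        raise AuthRequestError("auth request already approved")
    req.approved = approve
    req.response_date = now                  # recorded so it can be returned
    return req


def demo():
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
    outcomes = []
    fresh = AuthRequest(creation_date=t0)
    respond(fresh, True, t0 + timedelta(minutes=1))
    outcomes.append(fresh.response_date)
    stale = AuthRequest(creation_date=t0)    # never purged, answered too late
    for req, when in ((fresh, 2), (stale, 16)):
        try:
            respond(req, True, t0 + timedelta(minutes=when))
        except AuthRequestError as exc:
            outcomes.append(str(exc))
    return outcomes
```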