[PM-21281] Email TOTP sent twice when user only has Email MFA enabled (#5782)

* fix: addressed bug where email token is sent twice,

* test: updating tests to have correct DI and removing test for automatic email of TOTP.

Author: ike-kottlowski

src/Core/Auth/Models/Business/Tokenables/SsoEmail2faSessionTokenable.cs

@@ -4,9 +4,10 @@
 
 namespace Bit.Core.Auth.Models.Business.Tokenables;
 
-// This token just provides a verifiable authN mechanism for the API service
-// TwoFactorController.cs SendEmailLogin anonymous endpoint so it cannot be
-// used maliciously.
+/// <summary>
+/// This token provides a verifiable authN mechanism for the TwoFactorController.SendEmailLoginAsync
+/// anonymous endpoint so it cannot used maliciously.
+/// </summary>
 public class SsoEmail2faSessionTokenable : ExpiringTokenable
 {
     // Just over 2 min expiration (client expires session after 2 min)

src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs

@@ -91,7 +91,10 @@ public async Task<Dictionary<string, object>> BuildTwoFactorResultAsync(User use
             { "TwoFactorProviders2", providers },
         };
 
-        // If we have email as a 2FA provider, we might need an SsoEmail2fa Session Token
+        // If we have an Email 2FA provider we need this session token so SSO users
+        // can re-request an email TOTP. The TwoFactorController.SendEmailLoginAsync
+        // endpoint requires a way to authenticate the user before sending another email with
+        // a TOTP, this token acts as the authentication mechanism.
         if (enabledProviders.Any(p => p.Key == TwoFactorProviderType.Email))
         {
             twoFactorResultDict.Add("SsoEmail2faSessionToken",
@@ -100,12 +103,6 @@ public async Task<Dictionary<string, object>> BuildTwoFactorResultAsync(User use
             twoFactorResultDict.Add("Email", user.Email);
         }
 
-        if (enabledProviders.Count == 1 && enabledProviders.First().Key == TwoFactorProviderType.Email)
-        {
-            // Send email now if this is their only 2FA method
-            await _userService.SendTwoFactorEmailAsync(user);
-        }
-
         return twoFactorResultDict;
     }
 

test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs

@@ -252,9 +252,9 @@ public async void BuildTwoFactorResultAsync_IndividualProviders_ReturnsNotNull(
 
     [Theory]
     [BitAutoData(TwoFactorProviderType.Email)]
-    public async void BuildTwoFactorResultAsync_IndividualEmailProvider_SendsEmail_SetsSsoToken_ReturnsNotNull(
-        TwoFactorProviderType providerType,
-        User user)
+    public async void BuildTwoFactorResultAsync_SetsSsoToken_ReturnsNotNull(
+    TwoFactorProviderType providerType,
+    User user)
     {
         // Arrange
         var providerTypeInt = (int)providerType;
@@ -276,8 +276,6 @@ public async void BuildTwoFactorResultAsync_IndividualEmailProvider_SendsEmail_S
         Assert.True(providers.ContainsKey(providerTypeInt.ToString()));
         Assert.True(result.ContainsKey("SsoEmail2faSessionToken"));
         Assert.True(result.ContainsKey("Email"));
-
-        await _userService.Received(1).SendTwoFactorEmailAsync(Arg.Any<User>());
     }
 
     [Theory]