[PM-26376] Emergency Access Delete Command

[ike-kottlowski]

🎟️ Tracking

PM-26376

📔 Objective

On our path to accomplishing the CQRS ADR we are taking a pit stop at the Emergency Access feature. This work is to enable the Admin Console team to enforce an Organization policy that will un-enroll users from the emergency access feature.

I have added a simple DeleteManyById stored procedure that batches, if need be, the records for deletion.

Things to note:

1. When removing by GranteeId we loop over the grantor emails sending one at a time, so we don't accidently cc all the grantors for a given grantee.
2. I enabled nullable for classes that felt like low hanging fruit, which is why other teams are tagged.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @ike-kottlowski's task in 2m 55s —— View job

---

Code Review: Approved

PR: PM-26376 Emergency Access Delete Command

This PR implements a delete command for Emergency Access records following the CQRS pattern, enabling organization policy enforcement for un-enrolling users from the emergency access feature.

Summary

The implementation is well-structured with appropriate separation of concerns:

• New DeleteEmergencyAccessCommand handles deletion by ID/grantorId, by grantorId (all), and by granteeId (all)
• Batch deletion via stored procedure EmergencyAccess_DeleteManyById
• Individual email notifications per grantor (avoiding email exposure between users)
• Account revision date bumping for confirmed grantees only

Changes Reviewed

Area	Assessment
Security	No issues - email privacy handled correctly with individual notifications
Correctness	Logic is sound, revision dates properly scoped to confirmed grantees
Test Coverage	Comprehensive unit tests and integration tests covering all scenarios
Breaking Changes	None - new functionality only
Performance	Batch deletion with appropriate batch size (100)

Previously Raised Issues - All Addressed

• Email privacy exposure (multiple grantors CC'd) - Fixed with individual emails
• Missing test coverage for DeleteAllByGranteeIdAsync - Tests added
• Account revision date bump - Implemented for confirmed grantees in both SQL and EF
• Double semicolon and unnecessary null checks - Cleaned up

Code Quality Highlights

1. Proper revision date handling: Only confirmed grantees get their AccountRevisionDate bumped, as validated by the integration test
2. Privacy-conscious email design: Separate emails sent to each grantor when deleting by grantee ID
3. Nullable reference type cleanup: Removed #nullable disable from several files as part of the change

No new issues identified. LGTM!

---

Automated code review by Claude

[codecov]

Codecov Report

❌ Patch coverage is 91.75258% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.06%. Comparing base (93a28ee) to head (43ea1a0).

Files with missing lines	Patch %	Lines
src/Core/Auth/Models/Data/EmergencyAccessNotify.cs	0.00%	3 Missing ⚠️
src/Core/Platform/Mail/HandlebarsMailService.cs	0.00%	3 Missing ⚠️
...ncyAccess/Commands/DeleteEmergencyAccessCommand.cs	96.36%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6857      +/-   ##
==========================================
+ Coverage   56.08%   60.06%   +3.97%     
==========================================
  Files        1971     1972       +1     
  Lines       87090    87174      +84     
  Branches     7759     7766       +7     
==========================================
+ Hits        48841    52357    +3516     
+ Misses      36441    32920    -3521     
- Partials     1808     1897      +89     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – d130c2bc-ac0b-438a-b98f-3693520814ea

New Issues (2)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 291	details Method at line 291 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
2		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Tools/Controllers/SendsController.cs: 68

[mkincaid-bw]

❓ Does the account revision date need to be bumped after the deletes? Some of our other "DeleteMany" procs do a revision bump and some don't..

[ike-kottlowski]

bdfac87

[Patrick-Pimentel-Bitwarden]

⛏️ Double semicolon

[ike-kottlowski]

81422f3

[Patrick-Pimentel-Bitwarden]

⛏️ Unnecessary null check. You have a test to make sure that no results comes back as an empty list anywho, emergencyAccessDetails can't ever be null. There are 2 places in this file this check is done and can be removed.

[ike-kottlowski]

81422f3

[Patrick-Pimentel-Bitwarden]

Couple of small nitpicks, nothing blocking 👍

[quexten]

KM LGTM

[ike-kottlowski]

Converting to draft to handle bumping User Revision date and addressing other feedback.