From 3d714a016f870d89c472c9ac331d73ca57030aa9 Mon Sep 17 00:00:00 2001 From: James Gunn Date: Wed, 20 Sep 2023 13:47:35 +0100 Subject: [PATCH] Don't send TrnLookupStatus claim without TRN (#724) --- .../src/TeacherIdentity.AuthServer/UserClaimHelper.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs b/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs index 3ec6a9c55..ac02ba443 100644 --- a/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs +++ b/dotnet-authserver/src/TeacherIdentity.AuthServer/UserClaimHelper.cs @@ -91,9 +91,6 @@ public async Task> GetPublicClaims(Guid userId, TrnMa if (trnMatchPolicy is not null) { - Debug.Assert(user.TrnLookupStatus.HasValue); - claims.Add(new Claim(CustomClaims.TrnLookupStatus, user.TrnLookupStatus!.Value.ToString())); - var haveSufficientTrnMatch = user.Trn is not null && (trnMatchPolicy == TrnMatchPolicy.Default || user.TrnVerificationLevel == TrnVerificationLevel.Medium || @@ -102,7 +99,10 @@ public async Task> GetPublicClaims(Guid userId, TrnMa if (haveSufficientTrnMatch) { + Debug.Assert(user.Trn is not null); + Debug.Assert(user.TrnLookupStatus.HasValue); claims.Add(new Claim(CustomClaims.Trn, user.Trn!)); + claims.Add(new Claim(CustomClaims.TrnLookupStatus, user.TrnLookupStatus!.Value.ToString())); if (trnMatchPolicy == TrnMatchPolicy.Strict) {
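Review bot: In the second hunk the added `Debug.Assert(user.TrnLookupStatus.HasValue)` is the only check before `user.TrnLookupStatus!.Value` is read, and `Debug.Assert` is compiled out of Release builds. Assuming `TrnLookupStatus` is a nullable value type, as `.HasValue` suggests, a production user with a TRN but no lookup status would fail claim generation with an unexplained exception from `.Value`. Because this method decides which identity claims reach relying parties, an explicit runtime guard is safer, e.g. `if (user.TrnLookupStatus is { } trnLookupStatus) { claims.Add(new Claim(CustomClaims.TrnLookupStatus, trnLookupStatus.ToString())); }`, or a thrown `InvalidOperationException` with a descriptive message if the invariant must hold. Clients that previously always received `TrnLookupStatus` under a TRN match policy will now see it omitted, so a short comment above `if (haveSufficientTrnMatch)` should state that the absence of both claims means no sufficient TRN match. `Debug.Assert(user.Trn is not null)` repeats what `haveSufficientTrnMatch` already establishes and can be dropped; `GetPublicClaims` starts and ends outside the hunk.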