Fix duplicate AuthRequestResponse notification on approving device

When approving a login-with-device request, `nt.send_auth_response()`
broadcasts an AuthRequestResponse (type 16) through the authenticated
WebSocket hub to all user devices, including the approving device
itself. This causes a duplicate notification on Android.

The official Bitwarden server only sends AuthRequestResponse through
the anonymous hub (keyed by auth_request_id), which correctly reaches
only the requesting device. The authenticated hub is not used for this
notification type.

Remove the authenticated WebSocket broadcast from send_auth_response,
keeping only the push relay call as a fallback for devices not connected
via WebSocket. The anonymous hub (ant.send_auth_response) already
handles WebSocket delivery to the requesting device.

Fixes #6788
pull/6935/head
Johny Jimenez 2 months ago
parent
commit
ae532868ad
14
src/api/notifications.rs

@ -515,15 +515,11 @@ impl WebSocketUsers {
if *NOTIFICATIONS_DISABLED { if *NOTIFICATIONS_DISABLED {
return; return;
} }
let data = create_update( // AuthRequestResponse should not be sent through the authenticated WebSocket hub,
vec![("Id".into(), auth_request_id.to_string().into()), ("UserId".into(), user_id.to_string().into())], // as that broadcasts to all user devices including the approving device, causing
UpdateType::AuthRequestResponse, // a duplicate notification. The anonymous hub already delivers the response to the
Some(device.uuid.clone()), // requesting device. Only the push relay is needed here as a fallback for devices
); // not connected via WebSocket.
if CONFIG.enable_websocket() {
self.send_update(user_id, &data).await;
}
if CONFIG.push_enabled() { if CONFIG.push_enabled() {
push_auth_response(user_id, auth_request_id, device, conn).await; push_auth_response(user_id, auth_request_id, device, conn).await;
} }
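
Review bot: With the `self.send_update(user_id, &data).await` branch removed, this method on `impl WebSocketUsers` no longer performs any WebSocket delivery and only calls `push_auth_response` when `CONFIG.push_enabled()` is true, so on a deployment with push disabled it does nothing and delivery depends entirely on the caller also invoking the anonymous hub. Please confirm that every call site of `send_auth_response` is paired with `ant.send_auth_response`, as the commit message states. Consider moving the five-line explanation into a doc comment on the function that says it is now push-only, and adding a regression test that asserts no `UpdateType::AuthRequestResponse` update reaches the authenticated hub on approval.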
