[PM-30563] Change error response on Send Access token request (#6911)

* feat: remove invalid email response and instead return email and OTP required to protect against enumeration attacks.

* fix: fixing tests and dotnet format

test/Identity.IntegrationTest/RequestValidation/SendAccess/SendEmailOtpReqestValidatorIntegrationTests.cs

@@ -85,7 +85,7 @@ public class SendEmailOtpRequestValidatorIntegrationTests(IdentityApplicationFac
         // Assert
         var content = await response.Content.ReadAsStringAsync();
         Assert.Contains(OidcConstants.TokenErrors.InvalidRequest, content);
-        Assert.Contains("email otp sent", content);
+        Assert.Contains("email and otp are required", content);
     }
 
     [Fact]

test/Identity.IntegrationTest/RequestValidation/SendAccess/SendNeverAuthenticateRequestValidatorTest.cs

@@ -63,7 +63,7 @@ public class SendNeverAuthenticateRequestValidatorIntegrationTests(
     }
 
     [Fact]
-    public async Task SendAccess_NeverAuthenticateSend_WithEmail_ReturnsEmailInvalid()
+    public async Task SendAccess_NeverAuthenticateSend_WithEmail_ReturnsEmailAndOtpRequired()
     {
         // Arrange
         var email = "test@example.com";
@@ -77,10 +77,10 @@ public class SendNeverAuthenticateRequestValidatorIntegrationTests(
         var content = await response.Content.ReadAsStringAsync();
 
         // should be invalid grant
-        Assert.Contains(OidcConstants.TokenErrors.InvalidGrant, content);
+        Assert.Contains(OidcConstants.TokenErrors.InvalidRequest, content);
 
         // Try to compel the invalid email error
-        var expectedError = SendAccessConstants.EmailOtpValidatorResults.EmailInvalid;
+        var expectedError = SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired;
         Assert.Contains(expectedError, content);
     }
 

test/Identity.Test/IdentityServer/SendAccess/SendConstantsSnapshotTests.cs

@@ -48,9 +48,8 @@ public class SendConstantsSnapshotTests
     public void EmailOtpValidatorResults_Constants_HaveCorrectValues()
     {
         // Assert
-        Assert.Equal("email_invalid", SendAccessConstants.EmailOtpValidatorResults.EmailInvalid);
         Assert.Equal("email_required", SendAccessConstants.EmailOtpValidatorResults.EmailRequired);
-        Assert.Equal("email_and_otp_required_otp_sent", SendAccessConstants.EmailOtpValidatorResults.EmailOtpSent);
+        Assert.Equal("email_and_otp_required", SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired);
         Assert.Equal("otp_invalid", SendAccessConstants.EmailOtpValidatorResults.EmailOtpInvalid);
         Assert.Equal("otp_generation_failed", SendAccessConstants.EmailOtpValidatorResults.OtpGenerationFailed);
     }

test/Identity.Test/IdentityServer/SendAccess/SendEmailOtpRequestValidatorTests.cs

@@ -68,8 +68,8 @@ public class SendEmailOtpRequestValidatorTests
 
         // Assert
         Assert.True(result.IsError);
-        Assert.Equal(OidcConstants.TokenErrors.InvalidGrant, result.Error);
-        Assert.Equal("email is invalid.", result.ErrorDescription);
+        Assert.Equal(OidcConstants.TokenErrors.InvalidRequest, result.Error);
+        Assert.Equal("email and otp are required.", result.ErrorDescription);
 
         // Verify no OTP generation or email sending occurred
         await sutProvider.GetDependency<IOtpTokenProvider<DefaultOtpTokenProviderOptions>>()
@@ -115,7 +115,7 @@ public class SendEmailOtpRequestValidatorTests
         // Assert
         Assert.True(result.IsError);
         Assert.Equal(OidcConstants.TokenErrors.InvalidRequest, result.Error);
-        Assert.Equal("email otp sent.", result.ErrorDescription);
+        Assert.Equal("email and otp are required.", result.ErrorDescription);
 
         // Verify OTP generation
         await sutProvider.GetDependency<IOtpTokenProvider<DefaultOtpTokenProviderOptions>>()

test/Identity.Test/IdentityServer/SendAccess/SendNeverAuthenticateValidatorTests.cs

@@ -51,7 +51,7 @@ public class SendNeverAuthenticateRequestValidatorTests
     }
 
     [Theory, BitAutoData]
-    public async Task ValidateRequestAsync_EmailErrorSelected_HasEmail_ReturnsEmailInvalid(
+    public async Task ValidateRequestAsync_EmailErrorSelected_HasEmail_ReturnsEmailAndOtpRequired(
         SutProvider<SendNeverAuthenticateRequestValidator> sutProvider,
         [AutoFixture.ValidatedTokenRequest] ValidatedTokenRequest tokenRequest,
         string email)
@@ -69,12 +69,12 @@ public class SendNeverAuthenticateRequestValidatorTests
 
         // Assert
         Assert.True(result.IsError);
-        Assert.Equal(OidcConstants.TokenErrors.InvalidGrant, result.Error);
-        Assert.Equal(SendAccessConstants.EmailOtpValidatorResults.EmailInvalid, result.ErrorDescription);
+        Assert.Equal(OidcConstants.TokenErrors.InvalidRequest, result.Error);
+        Assert.Equal(SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired, result.ErrorDescription);
 
         var customResponse = result.CustomResponse as Dictionary<string, object>;
         Assert.NotNull(customResponse);
-        Assert.Equal(SendAccessConstants.EmailOtpValidatorResults.EmailInvalid, customResponse[SendAccessConstants.SendAccessError]);
+        Assert.Equal(SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired, customResponse[SendAccessConstants.SendAccessError]);
     }
 
     [Theory, BitAutoData]