chore: dotnet format

test: updating tests to match new approach.

src/Identity/IdentityServer/RequestValidators/SendAccess/SendEmailOtpRequestValidator.cs

@@ -32,17 +32,21 @@ public class SendEmailOtpRequestValidator(
         // get email
         var email = request.Get(SendAccessConstants.TokenRequest.Email);
 
-        /*
-         * It is an invalid request if the email is missing or is not in the list of emails in the EmailOtp array.
-         * This is somewhat contradictory to our process here where a poor shape means invalid_request and invalid
-         * data is invalid_grant.
-         * In this case the shape is correct but the data is invalid but to protect against enumeration we treat missing
-         * or incorrect emails as invalid requests. The response for a request with a correct email which needs an OTP and a request
-         * that has an invalid email need to be the same otherwise an attacker can enumerate until a valid email is found.
-        */
-        if (string.IsNullOrEmpty(email) || !authMethod.Emails.Contains(email))
+        // It is an invalid request if the email is missing.
+        if (string.IsNullOrEmpty(email))
+        {
+            // Request is the wrong shape and doesn't contain an email field.'
+            return BuildErrorResult(SendAccessConstants.EmailOtpValidatorResults.EmailRequired);
+        }
+        /*
+         * This is somewhat contradictory to our process where a poor shape means invalid_request and invalid
+         * data is invalid_grant.
+         * In this case the shape is correct and the data is invalid but to protect against enumeration we treat incorrect emails
+         * as invalid requests. The response for a request with a correct email which needs an OTP and a request
+         * that has an invalid email need to be the same otherwise an attacker could enumerate until a valid email is found.
+        */
+        if (!authMethod.Emails.Contains(email))
         {
-            // Request is the wrong shape and doesn't contain an email field.
             return BuildErrorResult(SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired);
         }
 

src/Identity/IdentityServer/RequestValidators/SendAccess/SendNeverAuthenticateRequestValidator.cs

@@ -37,7 +37,9 @@ public class SendNeverAuthenticateRequestValidator(GlobalSettings globalSettings
                 errorType = SendAccessConstants.SendIdGuidValidatorResults.InvalidSendId;
                 break;
             case SendAccessConstants.EnumerationProtection.Email:
-                errorType = SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired;
+                var hasEmail = request.Get(SendAccessConstants.TokenRequest.Email) is not null;
+                errorType = hasEmail ? SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired
+                    : SendAccessConstants.EmailOtpValidatorResults.EmailRequired;
                 break;
             case SendAccessConstants.EnumerationProtection.Password:
                 var hasPassword = request.Get(SendAccessConstants.TokenRequest.ClientB64HashedPassword) is not null;
@@ -63,6 +65,7 @@ public class SendNeverAuthenticateRequestValidator(GlobalSettings globalSettings
             SendAccessConstants.PasswordValidatorResults.RequestPasswordIsRequired => TokenRequestErrors.InvalidGrant,
             SendAccessConstants.PasswordValidatorResults.RequestPasswordDoesNotMatch => TokenRequestErrors.InvalidRequest,
             SendAccessConstants.EmailOtpValidatorResults.EmailAndOtpRequired => TokenRequestErrors.InvalidRequest,
+            SendAccessConstants.EmailOtpValidatorResults.EmailRequired => TokenRequestErrors.InvalidRequest,
             _ => TokenRequestErrors.InvalidGrant
         };