[PM-32424] Send Access Enumeration protection

[ike-kottlowski]

🎟️ Tracking

PM-32424

Client PR: bitwarden/clients#19422
Server PR: bitwarden/server#7166

📔 Objective

Improve enumeration protection of Sends

🚨 Breaking Changes

[github-actions]

Checkmarx One – Scan Summary & Details – ff298a38-0fa4-4582-a5c6-3d93644bb0aa

Great job! No new security vulnerabilities introduced in this pull request

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: auth/pm-32424/send-enumeration-protection (d9001d4)
Completed: 2026-03-10 15:14:58 UTC
Total Time: 247s

Client	Status	Details
typescript	❌ Breaking changes detected	TypeScript compilation failed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.31%. Comparing base (fa86d4d) to head (d9001d4).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #821      +/-   ##
==========================================
+ Coverage   82.30%   82.31%   +0.01%     
==========================================
  Files         346      346              
  Lines       41401    41434      +33     
==========================================
+ Hits        34075    34108      +33     
  Misses       7326     7326              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JaredSnider-Bitwarden]

⚠️ : request_send_access_token_invalid_request_invalid_email_error and request_send_access_token_invalid_request_invalid_otp_error are in the invalid_grant_tests module but both assert InvalidRequest responses.
They should be moved to request_send_access_token_invalid_request_tests even though they used to be invalid grant errors.

[ike-kottlowski]

cce67ae

[claude]

Claude finished @ike-kottlowski's task in 2m 30s —— View job

---

Re-Review: Approve

PR: PM-32424 Send Access Enumeration protection

Summary

Changes since last review are test-only improvements that address prior feedback: test function names were updated to better describe enumeration protection semantics (e.g., _masked_as_otp_required suffix), a new test was added for the unrecognized-email-with-EmailOtp-credential scenario, and a minor comment was corrected. No production code changed since the previous review.

Full PR Assessment

Changed files:

• crates/bitwarden-auth/src/send_access/api/token_api_error_response.rs -- Removes OtpInvalid and OtpGenerationFailed variants from SendAccessTokenInvalidGrantError, updates corresponding tests.
• crates/bitwarden-auth/src/send_access/client.rs -- Reorganizes integration tests into correct modules (invalid_request_tests vs invalid_grant_tests), adds three new tests documenting server-side enumeration protection behavior.

Security: The changes correctly implement enumeration protection by removing specific OTP error variants from the SDK. The server now returns a generic email_and_otp_required (InvalidRequest) response for invalid OTP, unrecognized email, and missing credentials scenarios, preventing email enumeration. The #[serde(other)] Unknown fallback ensures forward compatibility with future server error types.

Breaking changes: Removing OtpInvalid and OtpGenerationFailed from SendAccessTokenInvalidGrantError is a breaking change, confirmed by the automated TypeScript compatibility check. This is intentional and coordinated with the paired client PR.

No issues found.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[JaredSnider-Bitwarden]

LGTM!