fix: address feedback on PR

Author: ike-kottlowski

src/Core/Utilities/EnumerationProtectionHelpers.cs

@@ -5,14 +5,14 @@ namespace Bit.Core.Utilities;
 public static class EnumerationProtectionHelpers
 {
     /// <summary>
-    /// Use this method to get a consistent int result based on the salt that is in the range.
-    /// The same salt will always return the same index result based on range input.
+    /// Use this method to get a consistent int result based on the inputString that is in the range.
+    /// The same inputString will always return the same index result based on range input.
     /// </summary>
     /// <param name="hmacKey">Key used to derive the HMAC hash. Use a different key for each usage for optimal security</param>
-    /// <param name="salt">The string to derive an index result</param>
+    /// <param name="inputString">The string to derive an index result</param>
     /// <param name="range">The range of possible index values</param>
-    /// <returns>An int between 0 and range</returns>
-    public static int GetIndexForSaltHash(byte[] hmacKey, string salt, int range)
+    /// <returns>An int between 0 and range - 1</returns>
+    public static int GetIndexForSaltHash(byte[] hmacKey, string inputString, int range)
     {
         if (hmacKey == null || range <= 0 || hmacKey.Length == 0)
         {
@@ -21,7 +21,7 @@ public static int GetIndexForSaltHash(byte[] hmacKey, string salt, int range)
         else
         {
             // Compute the HMAC hash of the salt
-            var hmacMessage = Encoding.UTF8.GetBytes(salt.Trim().ToLowerInvariant());
+            var hmacMessage = Encoding.UTF8.GetBytes(inputString.Trim().ToLowerInvariant());
             using var hmac = new System.Security.Cryptography.HMACSHA256(hmacKey);
             var hmacHash = hmac.ComputeHash(hmacMessage);
             // Convert the hash to a number

src/Identity/IdentityServer/RequestValidators/SendAccess/SendAccessConstants.cs

@@ -37,27 +37,27 @@ public static class TokenRequest
     public static class GrantValidatorResults
     {
         /// <summary>
-        /// The sendId is valid and the request is well formed. Not returned in any response.
+        /// The <see cref="TokenRequest.SendId"/> in the request is a valid GUID and the request is well formed. Not returned in any response.
         /// </summary>
-        public const string ValidGuid = "valid_send_guid";
+        public const string ValidSendGuid = "valid_send_guid";
         /// <summary>
-        /// The sendId is missing from the request.
+        /// The <see cref="TokenRequest.SendId"/> is missing from the request.
         /// </summary>
         public const string SendIdRequired = "send_id_required";
         /// <summary>
-        /// The sendId is invalid, does not match a known send.
+        /// The <see cref="TokenRequest.SendId"/> is invalid, does not match a known send.
         /// </summary>
         public const string InvalidSendId = "send_id_invalid";
     }
 
     public static class PasswordValidatorResults
     {
         /// <summary>
-        /// The passwordHashB64 does not match the send's password hash.
+        /// The <see cref="TokenRequest.ClientB64HashedPassword"/> does not match the send's password hash.
         /// </summary>
         public const string RequestPasswordDoesNotMatch = "password_hash_b64_invalid";
         /// <summary>
-        /// The passwordHashB64 is missing from the request.
+        /// The <see cref="TokenRequest.ClientB64HashedPassword"/> is missing from the request.
         /// </summary>
         public const string RequestPasswordIsRequired = "password_hash_b64_required";
     }

src/Identity/IdentityServer/RequestValidators/SendAccess/SendNeverAuthenticateRequestValidator.cs

@@ -7,6 +7,12 @@
 
 namespace Bit.Identity.IdentityServer.RequestValidators.SendAccess;
 
+/// <summary>
+/// This class is used to protect our system from enumeration attacks. This Validator will always return an error result.
+/// We hash the SendId Guid passed into the request to select the an error from the list of possible errors. This ensures
+/// that the same error is always returned for the same SendId.
+/// </summary>
+/// <param name="globalSettings">We need access to a hash key to generate the error index.</param>
 public class SendNeverAuthenticateRequestValidator(GlobalSettings globalSettings) : ISendAuthenticationMethodValidator<NeverAuthenticate>
 {
     private readonly string[] _errorOptions =