Error modal when signin from expired magic link

[cristipaval]

Details

!!! Web only on macos and mobile web Safari on iPhone and Chrome on Android

Fixed Issues

$ #15331

Tests

Sign in process initiated in another tab, on the same browser:

1. Start sign in for an account with 2fa disabled
2. Open the magic link in another tab and verify that you see the Abracadabra page
3. Sign out and start sign in for an account with 2fa enabled
4. Open the magic link in another tab and verify that you see the 2fa required page. Don't close this tab and go back to the initial one
5. Enter the 2fa code and go back to the tab where the magic link has been accessed. Verify that you see the Abracadabra page
6. Sign out and start sign in again with an account
7. Open the magic link in another tab, BUT modify it to have a wrong code
8. Verify that you see the Expired code page. Tab on Resend code option and then click on the new magic link
9. Verify that you see the Abracadabra page

Sign in process initiated on another device

1. Hardcode Permissions.js to always return true in canUsePasswordlessLogins function, here
2. Start sign in on deviceA for an account with 2fa disabled
3. Make sure that deviceB is signed out and open the magic link on it
4. Verify that you see the modal with the magic code and the option to sign in in that tab
5. Tap on Just sign in here option and verify that you are successfully signed in
6. Repeat steps 2-4 for an account with 2fa enabled
7. Tap on Just sign in here option and verify that you are successfully redirected to add 2fa code
8. Start sign in on deviceA for any account
9. Make sure that deviceB is signed out and open the magic link, BUT with the code modified to be wrong
10. Make sure that you see the page saying that the magic code has expired. No option to request a new code should be present.

• Verify that no errors appear in the JS console

Offline tests

N/A

QA Steps

Same steps from Tests, but only the section with the sign in initiated in the same browser.

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I verified the translation was requested/reviewed in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is correct English and approved by marketing by adding the Waiting for Copy label for a copy review on the original GH to get the correct copy.
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If a new component is created I verified that:
  • A similar component doesn't exist in the codebase
  • All props are defined accurately and each prop has a /** comment above it */
  • The file is named correctly
  • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
  • The only data being stored in the state is data necessary for rendering and nothing else
  • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
  • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
  • All JSX used for rendering exists in the render method
  • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(themeColors.componentBG)
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I have checked off every checkbox in the PR author checklist, including those that don't apply to this PR.

Screenshots/Videos

Web

Sign in initiated on the same browser

web.mov

Sign in process initiated on another device

web.mov

Mobile Web - Chrome

Sign in initiated on the same browser

android.mov

Sign in process initiated on another device

android.mov

Mobile Web - Safari

Sign in initiated on the same browser

ios.mov

Sign in process initiated on another device

ios.mov

Desktop

N/A

iOS

N/A

Android

N/A

[Santhosh-Sellavel]

@cristipaval

Hardcode Permissions.js to always return true in canUsePasswordlessLogins function, here

Why should we do this?

Should we do this even when the user is on PasswordLess Beta?

What about this @cristipaval ?

[cristipaval]

@cristipaval

Hardcode Permissions.js to always return true in canUsePasswordlessLogins function, here

Why should we do this?

Should we do this even when the user is on PasswordLess Beta?

Yes, this is needed even when the user is in the passwordless list. This is necessary for the flows when the user has initiated the signin process on another device, so the current device/client has no data about the user to check if the passwordless beta is enabled for his account. This will work as expected when the passwordless will be fully rolled out to production and it won't be hidden behind the beta flag anymore.

[Santhosh-Sellavel]

@cristipaval As of now passwordless is under beta, will the feature added here work as expected (at least for users on beta list)once this PR is deployed?

[cristipaval]

@cristipaval As of now passwordless is under beta, will it work as expected (at least for users on betas=)once this PR is deployed?

For the flows where the user has initiated the sign in process on another device/browser client, it won't work as expected for now. But this is a known issue that we discussed internally about. Linking here a Slack discussion for reference if someone will come back to this. I think you don't have permissions to access that discussion.

[Santhosh-Sellavel]

Alright then, thanks!

[Santhosh-Sellavel]

LGTM, Tests well ready for you @roryabraham and @youssef-lr

[youssef-lr]

Reviewing and testing now.

[youssef-lr]

NAB but I think we can simplify this part as getLatestErrorMessage already checks for keys and if it's empty it will return an empty string which should evaluate to false. no?

    render() {
        const codeRequestedMessage = lodashGet(this.props, 'account.message', null);
        const codeRequestedErrors = ErrorUtils.getLatestErrorMessage(this.props.account);

        return (
            ...
        )

[roryabraham]

There's a fair amount of duplicate code here so I would prefer if we created a reusable, generic component that can be shared between the various pages, but otherwise seems fine

[roryabraham]

NAB but this should be a functional component w/ memo, which is typically what we do for components that don't have state or use lifecycle methods.

[roryabraham]

This file is almost exactly the same as TfaRequiredModal, and has only minimal differences with the other two components in this directory. I think it would be valuable to DRY these up by creating a ValidateCodeModalLayout component, and use it in the other components you've created here.

[cristipaval]

hey @roryabraham ! Thanks for the review! I do agree that we can dry up the code here. I spent a lot of time on this PR due to that challenge that I was facing (componentDidMount being called twice). I created components for each state just to simplify the code in VaidateLoginPage. But now it looks like I ended up having duplicate code. Now that I solved the aforementioned challenge, I totally do agree I can reuse the same component for multiple states. I created this follow-up issue for your suggested refactor.

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[OSBotify]

🚀 Deployed to staging by https://github.com/cristipaval in version: 1.2.89-0 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

[OSBotify]

🚀 Deployed to production by https://github.com/luacmartins in version: 1.2.89-0 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

[cristipaval]

This PR introduced a regression: #17091

[mananjadhav]

I am tagging this PR to highlight an issue fixed here. All conditions in ternary expressions or left-hand operands on conditional renders, should be boolean. This PR is one of the PRs that uses conditional render with string operands, hence I am tagging it here for the contributors to check.

We've also updated the item in the checklist with this PR to avoid this issue in the future.

[rayane-djouah]

This caused this bug: #41772. More details are here: #41772 (comment). TL;DR We should also use credentials.login in this condition to show AbracadabraModal only for a session that initiated sign-in.