[HOLD for payment 2023-09-15] [$1000] Adding any invalid text/string as contact method through URL #24521
Comments
m-natarajan
added
Daily
|
Triggered auto assignment to @joekaufmanexpensify ( |
Bug0 Triage Checklist (Main S/O)
|
Here is my proposal as original reporter: I posted it in slack when I reported the bug:ProposalPlease re-state the problem that we are trying to solve in this issue.Send magic code to any possible string/number as contact method through URL. Changing the URL for ContactMethodDetailsPage will allow us to see the magic code sent page, and clicking quickly on Did not receive a magic code will allow us to stay in it. What is the root cause of that problem?First, I had to compare it the normal flow of adding a new contact method. We first access it through settings/profile/contact-methods which allow us to add a new contact method with validation present here:
After adding a new contact method to our login list, we can clearly see that we have added a new login to the user loginList in ONYX.LOGIN_LIST through merging, and this one before validating the magic code:
After validation, we can clearly see another request has been sent, which shows that our new login is validated in the loginList
Now, this allow us to conclude: This whole process is done through: Adding any text as contact method in the URL means that either no validation is present within the component itself, or validation is not fully covered. I started first investigating the data returned through ONYX in the main component ContactMethodDetailsPage: App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 306 to 325 in 4230f28 As you can see, we are getting loginList, and what I found is the validation is indeed present: App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 212 to 216 in 4230f28 We are checking here if we do have the email entered in the URL among the list of contact methods => We basically check here if the first step of adding a new contact method has been followed! This is a right approach to check and it should return the page not found. However, this doesn't happen only after a few seconds, which means that we have something updating preventing us from rendering within this condition.
This is the intended behavior, and it shows only the ones that were added correctly through the normal flow.
Indeed it has been merged, and it also shows a useful information that it not validated, so we can use this information later to fix the bug as well among the options. App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 110 to 112 in 4230f28 If we check User.resetContactMethodValidateCodeSentState(): Lines 266 to 272 in 4230f28 We find exactly the same data merged a second after we have added the new contact method into the URL. Which means that the root cause here is the following: We are sending here this.getContactMethod() and directly we merge it into our data without having any form of validation within the mount function. This triggers the loginList to also include the invalid contact method and bypasses the checks we have here as the contact method indeed present. App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 212 to 214 in 4230f28 The solution to this issue is to add validation in one of the functions and not merge the ONYX data until we know that it is indeed a valid input and followed the correct flow. What changes do you think we should make in order to solve the problem?As we are concerned now about validating the login list and it is not fully covering the contact methods, I propose different options: Option 1We can simply modify the ComponentDidMount() to include the check for the this.getContactMethod() and not directly sending it to the other function. This can be done through changing: App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 110 to 112 in 4230f28 To: Option 2We can fix the resetContactMethodValidateCodeSentState in User.js. We can see that no validation is present to the contact method so we have here two flows we can approach: Option 2.1We can first have validation in the getContactMethod() component: App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 129 to 131 in 4230f28 To: Then we will add a simple check to Lines 266 to 272 in 4230f28 By changing it to: Option 2.2We can check the function itself: ResultScreencast.from.05.2023.+01.04.49.30.webm |
|
Reproduced. I kind of wonder whether we should be including the specific contact method as part of the URL at all? It doesn't seem realistic that an actual user would ever need to deep link to this specific page. And if we removed deep linking to a specific contact method, that would largely obviate this issue. |
joekaufmanexpensify
added
the
External
melvin-bot
bot
changed the title
|
Job added to Upwork: https://www.upwork.com/jobs/~013d8b6c25b7efa6cc |
melvin-bot
bot
added
the
Help Wanted
|
Current assignee @joekaufmanexpensify is eligible for the External assigner, not assigning anyone new. |
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @eVoloshchak ( |
ProposalPlease re-state the problem that we are trying to solve in this issue.Hardcoding contact method details URL with a non existent contact method shows magic code verification for a brief amount of time before showing not found page. What is the root cause of that problem?The root cause of this problem is on An existent contact method object will have a bunch of properties when created, one of them being On the above code section, we are only checking if the This of course is not the correct check to do to determine if the contact method is found, which leads to showing the Magic Code validation page later on the code, which we show when that condition is true: What changes do you think we should make in order to solve the problem?On lines 212-215 , we should add a check for Screen.Recording.2023-08-15.at.4.36.53.AM.mov |
|
Proposals pending review. |
|
@eVoloshchak Mind taking a look at the proposal here when you have a chance? |
|
Proposals still pending review |
Please re-state the problem that we are trying to solve in this issue.Adding any invalid text/string as a contact method through URL. It goes to the magic code validation tab but it should immediately says PageNotFound and not preview Contact Validation What is the root cause of that problem?When we go through the URL using an invalid string, initially it will be rendered the component and check for validation on below file: What changes do you think we should make in order to solve the problem?To solve this issue you need to wrap up the complete component in below mentioned condition on Video |
@joekaufmanexpensify, there are legitimate use cases in theory. For example, if you want to open the current page (in this case details for a contact method) in a different browser (we do it all the time when testing PRs). Of course, this is an edge case (there are no other pages like this as far as I know) and even if we remove the deep linking, it will only add one extra click in this specific scenario, but I think we might want to fix this, even the rare cases are possible |
|
@makiour, wow, thank you for such a thorough explanation! App/src/pages/settings/Profile/Contacts/ContactMethodDetailsPage.js Lines 110 to 112 in 4230f28 to componentDidMount() {
const contactMethod = this.getContactMethod();
const loginData = this.props.loginList[contactMethod];
if (loginData) {
User.resetContactMethodValidateCodeSentState(contactMethod);
}
}I think we should also set 🎀👀🎀 C+ reviewed! |
|
Triggered auto assignment to @AndrewGable, see https://stackoverflow.com/c/expensify/questions/7972 for more details. |
|
Pending internal engineering sign off |
|
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸 |
|
@AndrewGable mind taking a look at this proposal when you have a sec? TY! |
|
Bumped Andrew 1:1 |
|
Based on my calculations, the pull request did not get merged within 3 working days of assignment. Please, check out my computations here:
On to the next one 🚀 |
|
I just want you to take into consideration my particular situation: I have got an LGTM from @eVoloshchak within the three days timeline. However, @AndrewGable was OOO, and he reviewed the PR right after he is back and managed to merge the PR! This is why it seems that the days elapsed are 9! Thank you so much and happy to collaborate with you guys! |
melvin-bot
bot
added
Weekly
melvin-bot
bot
changed the title
|
|
|
The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.65-7 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue: If no regressions arise, payment will be issued on 2023-09-15. 🎊 After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.
For reference, here are some details about the assignees on this issue:
As a reminder, here are the bonuses/penalties that should be applied for any External issue:
|
|
BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
|
|
@eVoloshchak mind completing the BZ checklist so we can prep to issue payment? |
@joekaufmanexpensify replying here if you missed my comment! |
|
Thanks for bumping! I'll review, and we'll definitely take any internal delays into account when calculating whether a bonus is warranted. |
|
Thank you so much @joekaufmanexpensify! Appreciate it! |
|
Bumped BZ checklist in Slack so we can prep to issue payment soon. |
|
|
Regression Test Proposal
Do we agree 👍 or 👎 |
|
Great, ty! I'll finish up the checklist so we can issue payment asap. |
|
Checklist is all set! |
|
We discussed this here and confirmed this qualifies for a speed bonus. This means we need to issue the following payments:
|
|
@eVoloshchak could you please request $1,500 via NewDot and confirm here once complete? |
|
@makiour I sent your $1,750 in two payments, since you had two roles for this one. |
|
@joekaufmanexpensify, requested the payment! |
|
Awesome, ty! @eVoloshchak closing this out for now. If your request hasn't been paid in 7 days LMK, and I'll look into it on my end. |
|
Payment summary message is here. |
|
$1,500 payment for @eVoloshchak approved based on BZ summary. |
If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!
Action Performed:
https://staging.new.expensify.com/settings/profile/contact-methods/HERE/details
For example:
Expected Result:
It should immediately says PageNotFound and not preview Contact Validation with Magic Code sent
Actual Result:
It shows validation page with magic code and you can stay in it if you click on resend code
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Version Number: 1.3.53-1
Reproducible in staging?: yes
Reproducible in production?: yes
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation
Recording.2394.mp4
Expensify/Expensify Issue URL:
Issue reported by: @makiour
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1691207772114549
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: