[HOLD for payment 2023-10-05] Report - The request money is broken for "unknown" accounts without login information

[lanitochka17]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Issue found when executing PR https://github.com/Expensify/App/pull/22188

Action Performed:

1. Log in to the Expensify App with a GMAIL account
2. Tap a user you want to chat with from the list
3. Tap the "+" icon from the composer
4. Tap "Request money"
5. Enter the amount and tap next
6. Tap the "Request" green button
7. Tap the user you made an IOU with

Expected Result:

The IOU report page should not be grayed out and the composer should not be hidden for Gmail accounts

Actual Result:

The IOU report page is grayed out and the composer is hidden for Gmail accounts

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• [x] Android / native
• [ ] Android / Chrome
• [x] iOS / native
• [ ] iOS / Safari
• [x] MacOS / Chrome / Safari
• [ ] MacOS / Desktop

Version Number: 1.3.38.3

Reproducible in staging?: Yes

Reproducible in production?: No

If this was caught during regression testing, add the test name, ID and link from TestRail:

Email or phone of affected tester (no customers):

Logs: https://stackoverflow.com/c/expensify/questions/4856

Notes/Photos/Videos: Any additional supporting documentation

https://github.com/Expensify/App/assets/78819774/50d2d64a-ea07-4a92-85c6-adc5e7422fb3

Production IOS

https://github.com/Expensify/App/assets/78819774/e6bc8e54-bfcf-4fb5-83fc-741c14efd602

Staging IOS

https://github.com/Expensify/App/assets/78819774/ec7766e8-3913-4247-804e-04ccf1573ac5

Expensify/Expensify Issue URL:

Issue reported by: Applause - Internal Team

Slack conversation:

View all open jobs on GitHub

[OSBotify]

:wave: Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open StagingDeployCash deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

1. Identify the pull request that introduced this issue and revert it.
2. Find someone who can quickly fix the issue.
3. Fix the issue yourself.

[melvin-bot[bot]]

Triggered auto assignment to @aldo-expensify (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[0xmiros]

Money request flow is very broken at the moment. This bug is the one I reported in https://github.com/Expensify/App/pull/21877#issuecomment-1624859268 (2nd video) cc: @Beamanator

[aldo-expensify]

I don't think this is related to "Gmail" accounts, but it is related to requesting money to accounts that haven't messaged you back (you don't have the full personal details yet).

This worked:

2. Using any account (i.e. y@gmail.com), open a chat with a Gmail account x@gmail.com and send a message
3. x@gmail.com replies back
4. Using y@gmail.com, request money from x@gmail.com
5. Success!

This didn't work:

2. Using any account (i.e. y@gmail.com), open a chat with a Gmail account z@gmail.com and send a message
3. Using y@gmail.com, request money from z@gmail.com
4. Fail:

Logs: https://www.expensify.com/_devportal/tools/logSearch/#query=request_id%3A%227e4b4165aa3e2da3-YVR%22%20AND%20timestamp%3A%5B2023-07-10T00%3A00%20TO%202023-07-11T23%3A59%5D&index=_all

[aldo-expensify]

The backend is expecting a debtorEmail which we don't send in this case: https://github.com/Expensify/Auth/blob/bbdae8fcc5e6ebb13143e60792b09e437a5aa6d3/auth/command/CreateIOUTransaction.cpp#L37

[aldo-expensify]

This is not a deploy blocker, this also happens in production:

[aldo-expensify]

@Beamanator the backend doesn't seem to support to create money requests by the account ID, what should we do?

1. Modify backend to support creating money requests by account ID and pass from the front end the accountID instead of the email, or
2. Disable creating money requests for accounts you don't have the personal details in the front end

[Beamanator]

@aldo-expensify our plan so far with these types of situations is along the lines of point 2 - BUT not ALWAYS disable - here's what are trying to accomplish:

• If you have a user's personal details w/out login, that person shouldn't be searchable in any contact-search flow (task assignee, new chat, new group, send / receive money, split bill)
• If you type out a person's full email address (you may or may not already have their personal details) you SHOULD be able to do those contact-search flows (task assignee, new chat, split bill, etc).

[Beamanator]

So I don't believe we need to support creating money requests by account ID at the moment - otherwise we'll need to do that everywhere, and @puneetlath and I don't see a need for that if we follow the above plan

[aldo-expensify]

Ok, so we can treat this as an external issue, right? I think it only needs changes in App to disable the "Request Money" button here:

if you don't have the login, right?

If you type out a person's full email address (you may or may not already have their personal details) you SHOULD be able to do those contact-search flows (task assignee, new chat, split bill, etc).

I think this doesn't apply to this case because this is not a search box.

[0xmiros]

Using any account (i.e. y@gmail.com), open a chat with a Gmail account z@gmail.com and send a message Using y@gmail.com, request money from z@gmail.com

Doesn't this mean that user y already knows user z's login (email)?

If you have a user's personal details w/out login, that person shouldn't be searchable in any contact-search flow

[aldo-expensify]

Doesn't this mean that user y already knows user z's login (email)?

Yes, I started a new chat by using the email, but if that user doesn't reply back, then you get the bug.

[0xmiros]

yes, I don't see any reason why "Request money" shouldn't show on DM where user already knows email.

[aldo-expensify]

While I agree with what your are saying, I'm not sure if it is safe to use in all cases. I think that when you start a conversation with an email for the first time, we store that email as "displayName", but it still doesn't have a "login"... so to do what you are saying, we would have to do something like:

• If there is no login, use the displayName as the login only if the displayName is an email.

The problem with that is that the email found in displayName may not be the real email of the account. For example:

• You are in a public room
• An account there you haven't chatted directly with has an email x@gmail.com but a display name y@gmail.com.
• If you assume that the display name is a valid login identifying the account, you are wrong.

[aldo-expensify]

by the way, my understanding is shallow on this area, so @Beamanator or @puneetlath may give a better answer really :P

[Beamanator]

Innnnnteresting, so yeah I may not have been completely following before :D Now I see that this "request money" flow is from WITHIN a chat report that you already created :D

In this case I do think it's totally valid to be able to request money from the account -> because, as @0xmiroslav said, you already know the email (you may not know if an account exists with that email, but you already typed it out so you should be able to also request money from that chat).

So it makes the most sense to me that in this case, you SHOULD be able to request money w/in a chat report.

I do think this can be external since you should be able to get the user's email from Onyx somehow 🤔 since you already typed it out...

[aldo-expensify]

Is it possible to get into a 1:1 chat with a user you found in a public room without knowing their email? I think the answer is no, but I wanted to confirm

[puneetlath]

Yes it is. You can click on their profile (which opens using their accountID) and then chat them from their profile.

[aldo-expensify]

Interesting... then, the following situation can happen:

Setup:

1. Have three accounts: test1@expensifail.com, test2@expensifail.com and realemail@gmail.com
2. Set a display name displayname@gmail.com to the account realemail@gmail.com
3. Create a public room with test1@expensifail.com and get the link to share
4. Open the public room while logged in with realemail@gmail.com and send a message
5. Open the public room while logged in with test2@expensifail.com and start a chat with realemail@gmail.com, which will show as displayname@gmail.com
6. Send a money request to displayname@gmail.com

In this case, sending a money request to displayname@gmail.com will create a money request with a different account and not with realemail@gmail.com. This is why I'm saying here that using the display name to find an email is not reliable.

Do you see this as a problem? What would be the expected result in such case?

I reproduced this case:

From test2@expensifail.com perspective:

Settings from realemail@gmail.com perspective:

[puneetlath]

Oh that's super interesting. Maybe we should prevent people from setting their display name as an email address then? It's fine for us to use an email address as a fallback display name, but maybe we shouldn't let people manually set their display name to be an email address or phone number.

[aldo-expensify]

Oh that's super interesting. Maybe we should prevent people from setting their display name as an email address then? It's fine for us to use an email address as a fallback display name, but maybe we shouldn't let people manually set their display name to be an email address or phone number.

Is this to try to make it work in case someone has not set a display name, so you can see immediately their real email as display name, so we can safely rely on that to create the money request?

It feels more consistent to me to just not allow creating money request if you don't have the login of the person, because, otherwise, you allow money requests on users that have not messaged you back if that user doesn't have a display name set, but you don't allow the request if the user has a display name set.

Related to this... If I start a new chat by using someone's email in the search box, I can see that the personal details contain the login key with the email:

In such case a money request would work correctly, even if this person has not talked back.

[aldo-expensify]

Asking in slack: https://expensify.slack.com/archives/C01GTK53T8Q/p1689623386449679

[aldo-expensify]

I worked a bit on this today, I have two draft PRs:

• https://github.com/Expensify/Web-Expensify/pull/38236
• https://github.com/Expensify/App/pull/23225

The money request works fine. The problem is that the "unknown" account becomes "known" after creating the money request, so it could be exploited to find out the email:

https://github.com/Expensify/App/assets/87341702/5bb96a7c-c6da-45f4-b6fd-7003420f8114

[aldo-expensify]

The setup above:

1. Create three accounts that don't know each other acc001@gmail.com, acc002@gmail.com and acc003@gmail.com
2. acc001@gmail.com creates a workspace + a public room
3. acc002@gmail.com and acc003@gmail.com join the public room and send a message
4. acc002@gmail.com opens a DM chat with acc003@gmail.com and requests money

Bug: after opening different screens of reports related to the money requests, acc002@gmail.com ends up seeing the email acc003@gmail.com

[aldo-expensify]

I think when I open the IOU report details, I get the full personal details of the "unknown" account... I have to verify this.

[daordonez11]

@aldo-expensify in #22074 we have seen that definitively you get access to information like the timezone when the IOU is correctly setup! We had some discussion with @Beamanator regarding if PII was accesible through this flow.

[Beamanator]

yeah innnnnnteresting... It didn't seem like Aldo found that PII like timezone & pronouns were available though, right?

[aldo-expensify]

It didn't seem like Aldo found that PII like timezone & pronouns were available though, right?

I had not defined them. I tested again and yes, you get that information too:

[Beamanator]

Aah shucks ok well you shouldn't have access to that if you don't know them 😅

[aldo-expensify]

I didn't have time today to get to this.

[aldo-expensify]

No updates yet, trying to finish the IOU/expense loading in LHN first, which is higher priority.

[melvin-bot[bot]]

@aldo-expensify Whoops! This issue is 2 days overdue. Let's get this updated quick!

[aldo-expensify]

Same, I'll try to circle back to this later during the week.

[aldo-expensify]

I started investigating this today, I'll continue tomorrow.

[melvin-bot[bot]]

@aldo-expensify Huh... This is 4 days overdue. Who can take care of this?

[melvin-bot[bot]]

@aldo-expensify 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[aldo-expensify]

Still investigating this in the backend, I'll focus on it tomorrow to get it done.

[aldo-expensify]

No updates, I had little time on Friday to investigate, I'll get back to it asap.

[aldo-expensify]

No progress since the last time, I got pulled from higher priority issues.

[melvin-bot[bot]]

⚠️ Looks like this issue was linked to a Deploy Blocker here

If you are the assigned CME please investigate whether the linked PR caused a regression and leave a comment with the results.

If a regression has occurred and you are the assigned CM follow the instructions here.

If this regression could have been avoided please consider also proposing a recommendation to the PR checklist so that we can avoid it in the future.

[melvin-bot[bot]]

@aldo-expensify Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[aldo-expensify]

No updates, started to focus on pagination. I'll try to get back to it early next week.

[aldo-expensify]

Haven't got back to it yet

[aldo-expensify]

Same ^

[aldo-expensify]

I started investigating this again. It seems like the leak of the personal details is coming from Auth, see this comment: https://github.com/Expensify/Auth/pull/8082/files#r1313647196

[aldo-expensify]

I think I fixed the leak of personal details in the backend: https://github.com/Expensify/Auth/pull/8622

I'll finish up early next week, I have to write some tests, but it appears to me that this fixes the problem: you can now create money request against unknown accounts and they remain unknown

[melvin-bot[bot]]

@aldo-expensify Whoops! This issue is 2 days overdue. Let's get this updated quick!

[aldo-expensify]

I worked in the Auth fix https://github.com/Expensify/Auth/pull/8622 today and added tests. There are some Web-Expensify integration tests that started to fail. I'll have to investigate that.

[melvin-bot[bot]]

@aldo-expensify Huh... This is 4 days overdue. Who can take care of this?

[melvin-bot[bot]]

@aldo-expensify Huh... This is 4 days overdue. Who can take care of this?