Closed francoisl closed 2 months ago
Triggered auto assignment to @sakluger (NewFeature), see https://stackoverflowteams.com/c/expensify/questions/14418#:~:text=BugZero%20process%20steps%20for%20feature%20requests for more details. Please add this Feature request to a GH project, as outlined in the SO.
:warning: It looks like this issue is labelled as a New Feature but not tied to any GitHub Project. Keep in mind that all new features should be tied to GitHub Projects in order to properly track external CAP software time :warning:
Triggered auto assignment to Design team member for new feature review - @dannymcclain (NewFeature)
I'll add a few mockups when I have edit access to Figma again.
@francoisl let me know if you need me to mock anything up or take care of anything in Figma! 🤝
Thanks. I got an email from Figma saying that Jon gave me edit access but I still can't seem to edit anything.
Basically I was trying to edit the Initial Setup part of the Xero mockups and add the 2FA flow in between. I was thinking of making two variations:
Super weird. I see that you were upgraded yesterday, but when I went into the file it still said you were requesting access (I gave it to you). I wonder if that file just hadn't been refreshed or something since Jon upgraded you. Anyways, try it again if you want, or I'm happy to do some jammin'.
Added a little flow here in Figma.
I think it's better to tell people "Hey you need to enable 2fa to use xero" so I like including the intermediary modal.
That's great, thanks Danny!
Looks like I was wrong about the sign-in flow and `<ValidateLoginPage>` doesn't do what I expected, so we'll also need to make some changes to make people enable 2FA when they sign in. I'm thinking we add an extra step after entering the magic code. Here's a rough draft - Figma here:
I changed the text description, but we can also make it more generic to accommodate the case when people sign in and they need to enable 2FA because they're on a domain group with that requirement.
Ah I see, yeah that makes sense to me!
Looks great to me
Any updates here?
Yo yo yo, sorry I lost track of this issue. Can you please assign it to me?
@francoisl everything tests well but we might have some hiccups on how 2FA works.
For the flow: admin signs in and has a policy connected to Xero.
Expected: the app becomes usable again. Actual: the API call to enable 2FA completes but the 2FA loader spins infinitely. The app is unusable until we do a re-login.
https://github.com/Expensify/App/assets/29673073/3adaee56-4c8c-4b20-b7a2-6e3cc23f16c5
Hm weird. I'll look into this today.
As far as I can tell, it's because the authToken returned by `TwoFactorAuth_Validate` is not merged into Onyx before the next API call to `ReconnectApp`.

In short, when 2FA is required to be enabled on sign-in like in our case here, the backend will first send an authToken that has very limited permissions - one of the very few API commands it can execute is `TwoFactorAuth_Validate`. That API command then returns a "regular" authToken that can execute other API commands.

As an example here, after signing in let's say I get this authToken `0322AAEA4169...` - this is a two-factor setup authToken with limited permissions.

Once I enter an OTP code to enable 2FA, the client calls `TwoFactorAuth_Validate`, which returns a new authToken, in this case `E6CE5CDF6621...`

However, immediately after we see that there is an API call to `ReconnectApp`, but for some reason it's still using the limited authToken `0322AAEA4169...`

This is why the backend returns an error "Two Factor Authentication Required" and the app doesn't load.

I think the reason we call `ReconnectApp` before updating the authToken in Onyx is because of that `OnyxUpdates.saveUpdateInformation()` call here, though I can't think of how to fix the issue. I tried adding `WRITE_COMMANDS.TWO_FACTOR_AUTH_VALIDATE` to `const requestsToIgnoreLastUpdateID` but that doesn't fully solve the issue because then we don't call `ReconnectApp` at all.
@francoisl thanks for looking into this! I think we'll have to convert `TwoFactorAuth_Validate` to `API_REQUEST_WITH_SIDE_EFFECTS`. We can then wait for the API call to complete and reconnect the app with the new token.
This issue has not been updated in over 15 days. @francoisl, @sakluger, @dannymcclain, @rushatgabhane eroding to Monthly issue.
P.S. Is everyone reading this sure this is really a near-term priority? Be brave: if you disagree, go ahead and close it out. If someone disagrees, they'll reopen it, and if they don't: one less thing to do!
Final PR was just merged earlier today.
⚠️ Looks like this issue was linked to a Deploy Blocker here
If you are the assigned CME please investigate whether the linked PR caused a regression and leave a comment with the results.
If a regression has occurred and you are the assigned CM follow the instructions here.
If this regression could have been avoided please consider also proposing a recommendation to the PR checklist so that we can avoid it in the future.
PR was reverted.
@francoisl Could you please assign me this issue so that when the new PR is opened and marked ready puller bear correctly requests my review?
`Reviewing` label has been removed, please complete the "BugZero Checklist".
The solution for this issue has been :rocket: deployed to production :rocket: in version 9.0.8-6 and is now subject to a 7-day regression period :calendar:. Here is the list of pull requests that resolve this issue:
If no regressions arise, payment will be issued on 2024-07-25. :confetti_ball:
For reference, here are some details about the assignees on this issue:
BugZero Checklist: The PR adding this new feature has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
I have a few payment-related questions:
@sakluger
The solution for this issue has been :rocket: deployed to production :rocket: in version 9.0.11-5 and is now subject to a 7-day regression period :calendar:. Here is the list of pull requests that resolve this issue:
If no regressions arise, payment will be issued on 2024-08-01. :confetti_ball:
For reference, here are some details about the assignees on this issue:
BugZero Checklist: The PR adding this new feature has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
@sakluger I think $500 would be great because it was hard to nail down the nitty-gritty of this task.
@c3024 could you please add regression test steps
Have an account A that P A P specified in the pre-requisite > Click on Accounting in the left hand panel > Connect Xero
Have an account A that A > Enable Two Factor Authentication button on the modal > Two Factor Authentication in the center panel and complete the 2FA setup flow > Inbox
Can I get a payment summary on this issue?
Sorry about that! I missed it because it wasn't automatically moved to Daily.
I chatted with @francoisl via DM to figure out what was going on here. We won't penalize for regressions here because the app was already unusable if you were an admin on a Xero workspace prior to the first PR.
Regarding price, we both thought that $500 was a bit high, but given the trickiness, we'll pay $375 - a bit more than the standard $250.
Job added to Upwork: https://www.upwork.com/jobs/~01f129776196b2ac5f
Current assignees @rushatgabhane and @c3024 are eligible for the External assigner, not assigning anyone new.
Upwork job price has been updated to $375
@JmillsExpensify the payment summary is ready: https://github.com/Expensify/App/issues/43015#issuecomment-2263664335
$375 approved for @rushatgabhane
I completed the payment to @c3024 via Upwork.
Problem
In order to remain compliant with Xero's third-party app requirements, we need to force workspace admins to enable 2FA before they can use the connection.
Additional internal context
Solution
For new connections:
For existing connections:
cc @lakchote @zanyrenney