[$250] Pay someone - User is signed out after verifying account during pay someone flow

[IuliiaHerets]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Version Number: 9.0.45-2 Reproducible in staging?: Y Reproducible in production?: N/A - new feature, doesn't exist in prod Issue was found when executing this PR: https://github.com/Expensify/App/pull/50169 Email or phone of affected tester (no customers): yonghongkok2+sddwe23@gmail.com Issue reported by: Applause Internal Team

Action Performed:

1. Go to staging.new.expensify.com
2. Log in with a new Gmail account.
3. Complete the onboarding.
4. Open DM with any user.
5. Click + > Pay someone.
6. Select currency in USD, enter amount and click Next.
7. Click Pay with Expensify.
8. Enter the correct magic code.

Expected Result:

User will not be signed out after verifying account during pay someone flow.

Actual Result:

User is signed out after verifying account during pay someone flow.

Workaround:

Unknown

Platforms:

• [x] Android: Native
• [x] Android: mWeb Chrome
• [x] iOS: Native
• [x] iOS: mWeb Safari
• [x] MacOS: Chrome / Safari
• [x] MacOS: Desktop

Screenshots/Videos

https://github.com/user-attachments/assets/07ce4b74-bdbb-456e-80f3-604cc36cb631

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~021843360929752935358
• Upwork Job ID: 1843360929752935358
• Last Price Increase: 2024-10-14

Issue Owner

Current Issue Owner: @arosiclair

[melvin-bot[bot]]

Triggered auto assignment to @zanyrenney (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[melvin-bot[bot]]

Triggered auto assignment to @arosiclair (DeployBlockerCash), see https://stackoverflowteams.com/c/expensify/questions/9980/ for more details.

[github-actions[bot]]

:wave: Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open `StagingDeployCash` deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

1. Identify the pull request that introduced this issue and revert it.
2. Find someone who can quickly fix the issue.
3. Fix the issue yourself.

[arosiclair]

I reproduced on staging v9.0.45-2 and not on prod v9.0.44-12 (the original bug from https://github.com/Expensify/App/issues/49523 is still present).

[arosiclair]

This is actually not reproducible in dev with the latest changes on main.

[ikevin127]

We discussed this issue here in https://github.com/Expensify/App/issues/48041#issuecomment-2394985903 since that was the issue which introduced the new validation route logic.

Looks like the cause of the logout is/was that when we input the magic code, one of the API endpoints is called with the old / outdated authToken from when the account was not validated.

The issue seems unrelated to the PR I reviewed and more related to the PR that introduced the new validation route logic.

If we were to follow-up with a fix and pinpoint the offending PR, that would be https://github.com/Expensify/App/pull/49230 even if the logout issue did not pop-up while testing issue https://github.com/Expensify/App/issues/48041.

The fix for this should be something along the lines of making sure that once the magic code was provided in the new route, we make sure to clear the old authToken before making any API calls post-validation.

This can be done either on FE or BE.

Please, correct me if any of my above statements are wrong!

This is actually not reproducible in dev with the latest changes on main.

I'll have to double check, but if the issue is indeed not reproducible anymore, can we assume that this was fixed from the BE side ? 🤔

[arosiclair]

I can't verify locally, but reverting https://github.com/Expensify/App/pull/50169 would probably restore the behavior on prod (the not found page). However, I'm not sure that's really "better" than what we have now (forced logout but working after logging back in). I think the best path forward is to not block on this and use this issue to investigate and fix the problem.

[arosiclair]

The issue seems unrelated to the PR I reviewed and more related to the PR that introduced the new validation route logic.

@ikevin127 FWIW, I agree the root problem is probably not caused by the PR you reviewed, however that PR is what ultimately introduced this bug. I think we should have caught this before merging (the whole flow should've been tested).

[melvin-bot[bot]]

Job added to Upwork: https://www.upwork.com/jobs/~021843360929752935358

[melvin-bot[bot]]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane (External)

[ikevin127]

That's right, unfortunately I only tested the actual validation post-merge :trollface:

♻️ Edit: The issue is still reproducible on both local dev and staging so I guess we're looking for proposals .

reverting https://github.com/Expensify/App/pull/50169 would probably restore the behavior on prod (the not found page). However, I'm not sure that's really "better" than what we have now (forced logout but working after logging back in). I think the best path forward is to not block on this and use this issue to investigate and fix the problem.

Indeed, I also think that the current behaviour is better then the "Not found page" but still we shouldn't be logged out.

[jestinjoshi]

@arosiclair @ikevin127 based on my investigation, this appears to be a backend issue. It seems that the Onyx key credentials isn’t being populated with the autoGeneratedLogin and autoGeneratedPassword values during the sign-up process.

[ikevin127]

As I mentioned in offending issue https://github.com/Expensify/App/issues/49523#issuecomment-2400732507:

@isabelastisser Yes, we had the following regression:

• https://github.com/Expensify/App/issues/50284

which was caused by lack of testing on both PR reviewer and author sides. The issue mentioned above is open for proposals, unless the author wants to fix the issue given that we're still within the regression period.

Note: The issue was that we relied on the other PRs implementation of the new route without actually testing if the implementation works, ignoring this issue's Expected result which states Add bank account page should open as we stopped the testing at "seeing the magic code input showing up in RHP".

So unless the author wants to fix this, we're open for proposals. Peace out ✌️

[melvin-bot[bot]]

@arosiclair, @sobitneupane, @zanyrenney Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[arosiclair]

I spent a little time looking into this. Some notes:

• We're using ValidateSecondaryLogin on the VerifyAccountPage even though this is for the primary login of a new account
• We're not setting a backTo route in the Pay someone flow here
• Daledah is probably right here about the root cause:
  1. We call ValidateSecondaryLogin which updates our authToken
  2. We immediately call GetMissingOnyxMessages with the old authToken
  3. GetMissingOnyxMessages returns jsonCode 407
  4. We call Authenticate but with empty partnerUserID and partnerUserSecret
  5. Authenticate returns 404 and signs us out

[melvin-bot[bot]]

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

[arosiclair]

Okay the credentials (partnerUserID and secret) are cleared by the SignUpUser command since we added the unvalidated sign up flow in this PR.

I'm not sure what's the correct way to handle this in product validation flow. I'm going to start a discussion about it.

[zanyrenney]

Thanks @arosiclair please link the discussion here so it's clear what the status is for us following along.

[arosiclair]

Started the discussion here

[zanyrenney]

Thanks!

[sobitneupane]

https://github.com/Expensify/App/issues/50284#issuecomment-2411871878

[arosiclair]

Taking this internal for now