melvin-bot[bot]
commented
1 week ago Triggered auto assignment to Contributor-plus team member for initial proposal review - @hungvu193 (External)
Open tgolen opened 1 week ago
melvin-bot[bot]
commented
1 week ago Triggered auto assignment to Contributor-plus team member for initial proposal review - @hungvu193 (External)
melvin-bot[bot]
commented
1 week ago Triggered auto assignment to @trjExpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.
nkdengineer
commented
1 week ago Add a step to the Issue New Card form that collects a magic code
This is a new feature request
IssueNewCardPage like ValidationStep. If this step is after the confirmation step, we should move the logic call API to the ValidationStep. If this step is before the confirmation step we will store the validation code data in issueNewCard?.data then pass it herevalidationCode param hereValidationStep, we can use ValidateCodeActionModal with isVisible as true. The way to use it as we do hereThe details can be discussed in the PR phrase. I can create a test branch if we need
NA
allgandalf
commented
1 week ago Should we work on this issue under Workspace Feed project instead @trjExpensify ?
tgolen
commented
1 week ago @nkdengineer thanks! I was thinking the magic code should probably be the first step. My thinking is that there isn't much sense in letting the user fill out the rest of the form if they can't get past the magic code.
nkdengineer
commented
1 week ago @tgolen If we do that we need an API to help the user verrify before moving to the next step.
twilight2294
commented
1 week ago @tgolen I am working on a simpler proposal for this one, please wait assignment for few minutes
twilight2294
commented
1 week ago Add a step to the Issue New Card form that collects a magic code
This is a feature request.
We can follow the same pattern we used for delegates here, we already have the requestValidationCode api command:
NOTE: We always ask for validation code at the confirm step (Like delegates), so to match the app existing approach, we should ask it at the last.
requestValidationCode.Then like we do in delegates, we can send the validation code with the api: https://github.com/Expensify/App/blob/4c90d62a6a56ff0000031eceeb9195d30a041a8a/src/pages/settings/Security/AddDelegate/ValidateCodeForm/BaseValidateCodeForm.tsx#L152
if (cardType === CONST.EXPENSIFY_CARD.CARD_TYPE.PHYSICAL) {
API.write(WRITE_COMMANDS.CREATE_EXPENSIFY_CARD, {...parameters, feedCountry, validateCode});
return;
}
const domainAccountID = PolicyUtils.getWorkspaceAccountID(policyID);
// eslint-disable-next-line rulesdir/no-multiple-api-calls
API.write(WRITE_COMMANDS.CREATE_ADMIN_ISSUED_VIRTUAL_CARD, {...parameters, domainAccountID, validateCode});Or we can include that code in the parameters itself. We ned to add a validateCode prop to issueExpensifyCard, if the code validation fails we already have the checks in the BaseValidateCodeForm so we can use most of the logic from there
NOTE: we also need to make changes to the number of steps back to routes etc. all that can be done in the PR phase
nkdengineer
commented
1 week ago ValidateCodeActionModal is useful because requestValidateCodeAction API when it is renderedIf this step is after the confirmation step, we should move the logic call API to the ValidationStep
To create ValidationStep, we can use ValidateCodeActionModal with isVisible as true. The way to use it as we do here
ValidateCodeActionModal in the confirmation page and will open this modal when we click on the confirmation buttontwilight2294
commented
1 week ago 
hungvu193
commented
1 week ago
- Using
ValidateCodeActionModalis useful because
- It had the logic to call
requestValidateCodeActionAPI when it is rendered- It had a separate file for the Android platform
- It's also used in other places of the app
If this step is after the confirmation step, we should move the logic call API to the ValidationStep
To create ValidationStep, we can use ValidateCodeActionModal with isVisible as true. The way to use it as we do here
- I notice that the idea of the last proposal is similar to what I proposed
- If we don't want to create a new step we can add
ValidateCodeActionModalin the confirmation page and will open this modal when we click on the confirmation button
I also agree with @nkdengineer at this point. We also have a PR to reuse ValidateCodeModal as much as possible here. (https://github.com/Expensify/App/pull/49445)
tgolen
commented
1 week ago Yeah, that's right, we should reuse those existing components as much as possible. It sounds like this should work:
If we don't want to create a new step we can add ValidateCodeActionModal in the confirmation page and will open this modal when we click on the confirmation button
hungvu193
commented
6 days ago Yeah. I think we can go with @nkdengineer 's proposal here
mountiny
commented
5 days ago I want to highlight that @getusha and @hungvu193 are working on making the component for the magic code easier to reuse https://github.com/Expensify/App/pull/49445, but it has been proving tricky and taking a bit of time
tgolen
commented
5 days ago Thanks for the heads up @mountiny. Do you want to hold off on doing anything here until that's settled? Or is there something that we can do in this PR that maybe helps the progress of making it easier to reuse?
Problem
Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.
Why this is important to solve
This is a security vulnerability which can be taken advantage of if an account is compromised.
Solution
Collect a magic code when issuing physical or virtual Expensify cards. In a little more detail:
validateCodethat is passed to the serverIssueNewCardPageneeds a new step to gather a magic code from the user (we should have existing components that can be reused for this)Issue Owner
Current Issue Owner: @hungvu193