Open tgolen opened 1 week ago
Triggered auto assignment to Contributor-plus team member for initial proposal review - @hungvu193 (External
)
Triggered auto assignment to @trjExpensify (Bug
), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.
Add a step to the Issue New Card form that collects a magic code
This is a new feature request
IssueNewCardPage
like ValidationStep
. If this step is after the confirmation step, we should move the logic call API to the ValidationStep
. If this step is before the confirmation step we will store the validation code data in issueNewCard?.data
then pass it herevalidationCode
param hereValidationStep
, we can use ValidateCodeActionModal
with isVisible
as true
. The way to use it as we do hereThe details can be discussed in the PR phrase. I can create a test branch if we need
NA
Should we work on this issue under Workspace Feed
project instead @trjExpensify ?
@nkdengineer thanks! I was thinking the magic code should probably be the first step. My thinking is that there isn't much sense in letting the user fill out the rest of the form if they can't get past the magic code.
@tgolen If we do that we need an API to help the user verrify before moving to the next step.
@tgolen I am working on a simpler proposal for this one, please wait assignment for few minutes
Add a step to the Issue New Card form that collects a magic code
This is a feature request.
We can follow the same pattern we used for delegates here, we already have the requestValidationCode
api command:
NOTE: We always ask for validation code at the confirm step (Like delegates), so to match the app existing approach, we should ask it at the last.
requestValidationCode
.Then like we do in delegates, we can send the validation code with the api: https://github.com/Expensify/App/blob/4c90d62a6a56ff0000031eceeb9195d30a041a8a/src/pages/settings/Security/AddDelegate/ValidateCodeForm/BaseValidateCodeForm.tsx#L152
if (cardType === CONST.EXPENSIFY_CARD.CARD_TYPE.PHYSICAL) {
API.write(WRITE_COMMANDS.CREATE_EXPENSIFY_CARD, {...parameters, feedCountry, validateCode});
return;
}
const domainAccountID = PolicyUtils.getWorkspaceAccountID(policyID);
// eslint-disable-next-line rulesdir/no-multiple-api-calls
API.write(WRITE_COMMANDS.CREATE_ADMIN_ISSUED_VIRTUAL_CARD, {...parameters, domainAccountID, validateCode});
Or we can include that code in the parameters itself. We ned to add a validateCode
prop to issueExpensifyCard
, if the code validation fails we already have the checks in the BaseValidateCodeForm
so we can use most of the logic from there
NOTE: we also need to make changes to the number of steps back to routes etc. all that can be done in the PR phase
ValidateCodeActionModal
is useful because requestValidateCodeAction
API when it is renderedIf this step is after the confirmation step, we should move the logic call API to the ValidationStep
To create ValidationStep, we can use ValidateCodeActionModal with isVisible as true. The way to use it as we do here
ValidateCodeActionModal
in the confirmation page and will open this modal when we click on the confirmation button
- Using
ValidateCodeActionModal
is useful because
- It had the logic to call
requestValidateCodeAction
API when it is rendered- It had a separate file for the Android platform
- It's also used in other places of the app
If this step is after the confirmation step, we should move the logic call API to the ValidationStep
To create ValidationStep, we can use ValidateCodeActionModal with isVisible as true. The way to use it as we do here
- I notice that the idea of the last proposal is similar to what I proposed
- If we don't want to create a new step we can add
ValidateCodeActionModal
in the confirmation page and will open this modal when we click on the confirmation button
I also agree with @nkdengineer at this point. We also have a PR to reuse ValidateCodeModal as much as possible here. (https://github.com/Expensify/App/pull/49445)
Yeah, that's right, we should reuse those existing components as much as possible. It sounds like this should work:
If we don't want to create a new step we can add ValidateCodeActionModal in the confirmation page and will open this modal when we click on the confirmation button
Yeah. I think we can go with @nkdengineer 's proposal here
I want to highlight that @getusha and @hungvu193 are working on making the component for the magic code easier to reuse https://github.com/Expensify/App/pull/49445, but it has been proving tricky and taking a bit of time
Thanks for the heads up @mountiny. Do you want to hold off on doing anything here until that's settled? Or is there something that we can do in this PR that maybe helps the progress of making it easier to reuse?
Problem
Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.
Why this is important to solve
This is a security vulnerability which can be taken advantage of if an account is compromised.
Solution
Collect a magic code when issuing physical or virtual Expensify cards. In a little more detail:
validateCode
that is passed to the serverIssueNewCardPage
needs a new step to gather a magic code from the user (we should have existing components that can be reused for this)Issue Owner
Current Issue Owner: @hungvu193