Expensify / App

Welcome to New Expensify: a complete re-imagination of financial collaboration, centered around chat. Help us build the next generation of Expensify by sharing feedback and contributing to the code.
https://new.expensify.com
MIT License

Add a step to the Request Physical Card form that collects a magic code #50967

Open NikkiWines opened 1 week ago

NikkiWines commented 1 week ago

Problem

Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.

Why this is important to solve

This is a security vulnerability that can be taken advantage of if an account is compromised.

Solution

Collect a magic code when requesting a physical Expensify card. In a little more detail:

Current Issue Owner: @situchan
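To make the fix concrete, here is an added example (not Expensify code, and not the component or backend change discussed in this thread) of what "collect a magic code" has to mean on the server side: the card request succeeds only when the submitted code matches the one issued to that account, unexpired, under an attempt limit, and consumed on first use. The function names, the in-memory store and the sample codes are assumptions constructed for the example; the first handler mirrors the behaviour noted later in the thread where any code is accepted.

```typescript
// Added example, not Expensify's code: server-side magic (validate) code check
// for a "request physical card" command. All names and values are assumptions.
import {createHash, timingSafeEqual} from 'node:crypto';

type IssuedCode = {codeHash: string; expiresAt: number; attempts: number};

// Constructed in-memory store: accountID -> pending magic code for that account.
const pendingCodes = new Map<number, IssuedCode>();
const MAX_ATTEMPTS = 5;
const CODE_TTL_MS = 10 * 60 * 1000;

function hashCode(code: string): string {
    return createHash('sha256').update(code).digest('hex');
}

// Issue a code to an account (in a real system it would be random and e-mailed).
function issueMagicCode(accountID: number, code: string, now: number): void {
    pendingCodes.set(accountID, {codeHash: hashCode(code), expiresAt: now + CODE_TTL_MS, attempts: 0});
}

// The flaw described in the thread: the code parameter is accepted but never checked.
function requestPhysicalCardUnchecked(_accountID: number, _validateCode: string): 'success' {
    return 'success';
}

type Outcome = 'success' | 'invalid_code' | 'expired' | 'too_many_attempts';

// Hardened handler: a pending, unexpired code must match (constant-time compare on the
// hashes); attempts are counted and the code is deleted once it has been used.
function requestPhysicalCard(accountID: number, validateCode: string, now: number): Outcome {
    const pending = pendingCodes.get(accountID);
    if (!pending) return 'invalid_code';
    if (now > pending.expiresAt) { pendingCodes.delete(accountID); return 'expired'; }
    if (pending.attempts >= MAX_ATTEMPTS) { pendingCodes.delete(accountID); return 'too_many_attempts'; }
    pending.attempts += 1;
    const expected = Buffer.from(pending.codeHash, 'hex');
    const submitted = Buffer.from(hashCode(validateCode), 'hex');
    if (!timingSafeEqual(expected, submitted)) return 'invalid_code';
    pendingCodes.delete(accountID); // single use: a replayed code is rejected
    return 'success';
}
```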
melvin-bot[bot] commented 1 week ago

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

melvin-bot[bot] commented 1 week ago

Triggered auto assignment to @sakluger (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

NikkiWines commented 1 week ago

cc: @mountiny, sounds like from this we're still working on the re-usable component for requesting a validateCode, is that correct?

hungvu193 commented 1 week ago

Not sure why I'm getting a notification for this issue, but yeah, we have an issue for this kind of flow. It's being worked on by @getusha in https://github.com/Expensify/App/pull/49445.

mountiny commented 1 week ago

Correct, @getusha is working on the reusable component here: https://github.com/Expensify/App/pull/49445

sakluger commented 1 week ago

Should we assign @getusha to this issue, or is this issue a duplicate, or do we still need someone else for this one?

mountiny commented 1 week ago

I think we can, or @hungvu193 do you want to take on the implementation here?

hungvu193 commented 1 week ago

Ok, I can take it.

mountiny commented 1 week ago

Happy to help as CME

hungvu193 commented 1 week ago

Draft PR is here. It's based on https://github.com/Expensify/App/pull/49445 so I will wait for https://github.com/Expensify/App/pull/49445 to be merged.

mountiny commented 6 days ago

Not overdue

mountiny commented 6 days ago

The PR was merged, can you sync up with main and make the PR ready for a review @hungvu193? Thank you!

hungvu193 commented 6 days ago

Sure thing. Also @NikkiWines, I noticed that currently we can pass any validate code and the BE still returns a success response. I think we still need to update the BE, right?

NikkiWines commented 5 days ago

Yep, there's a backend change in the works. It's the last thing we'll update, though, so as not to break any front-end flows that still need changing.

hungvu193 commented 5 days ago

Cool. I merged the FE PR with main; it's basically ready, only error handling left.

melvin-bot[bot] commented 5 days ago

@sakluger, @hungvu193, @mountiny, @situchan Whoops! This issue is 2 days overdue. Let's get this updated quick!

situchan commented 5 days ago

Not overdue

hungvu193 commented 3 days ago

Please let me know when BE is ready so I can update the FE's PR @NikkiWines

NikkiWines commented 3 days ago

Will do! We're waiting on another PR but it's in the works