Open NikkiWines opened 1 week ago
Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)
Triggered auto assignment to @sakluger (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.
cc: @mountiny, sounds like from this we're still working on the re-usable component for requesting a validateCode, is that correct?
Not sure why I'm getting notification for this issue but yeah we have an issue for this kind of flow. It's being worked on by @getusha in https://github.com/Expensify/App/pull/49445.
Correct, @getusha is working on the reusable component here: https://github.com/Expensify/App/pull/49445
Should we assign @getusha to this issue, or is this issue a duplicate, or do we still need someone else for this one?
I think we can, or @hungvu193 do you want to take on the implementation here?
Ok, I can take it.
Happy to help as CME
Draft PR is here. It's based on https://github.com/Expensify/App/pull/49445 so I will wait for https://github.com/Expensify/App/pull/49445 to be merged.
Not overdue
The PR was merged, can you sync up with main and make the PR ready for a review @hungvu193? Thank you!
Sure thing. Also @NikkiWines, I noticed that currently we can pass any validate code and the BE still returns a success response. I think we still need to update the BE, right?
Yep, there's a backend change in the works, it's the last thing we'll update though so as to not break any front-end flows that still need changing
Cool. I merged the FE PR with main; it's basically ready, only the error handling is left.
@sakluger, @hungvu193, @mountiny, @situchan Whoops! This issue is 2 days overdue. Let's get this updated quick!
Not overdue
Please let me know when BE is ready so I can update the FE's PR @NikkiWines
Will do! We're waiting on another PR but it's in the works
Problem
Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.
Why this is important to solve
This is a security vulnerability that can be taken advantage of if an account is compromised.
Solution
Collect a magic code when requesting a physical Expensify card. In a little more detail:
- `validateCode` that is passed to the server
- `BaseGetPhysicalCard` needs a new step to gather a magic code from the user (we should have existing components that can be reused for this)

Issue Owner
Current Issue Owner: @situchan
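The thread notes that the backend currently returns success for any `validateCode`, and that the server-side check is the last piece to land. The following is an added example of what that check looks like; it is not Expensify's code and the names (`requestPhysicalCard`, `issueMagicCode`, the in-memory `pendingCodes` store, the `IssueResult` type) are assumptions, since the real command name and storage are not on this page. It models the defender-side rules a magic code needs: the code is required, it is stored hashed, it expires, it is single-use, it is compared in constant time, and a few failed attempts burn it.

```typescript
import {createHash, timingSafeEqual} from 'node:crypto';

// Outcome of a request to issue a physical card (constructed type for this example).
type IssueResult = {success: true; cardID: string} | {success: false; reason: string};

// One outstanding magic code for an account (constructed). Only a hash is stored,
// so a leaked store does not reveal live codes.
type PendingCode = {codeHash: Buffer; expiresAt: number; attemptsLeft: number};

const MAX_ATTEMPTS = 3;

function hashCode(code: string): Buffer {
    return createHash('sha256').update(code, 'utf8').digest();
}

// In-memory stand-in for the server's store of issued magic codes (hypothetical).
const pendingCodes = new Map<number, PendingCode>();

// Called when the client asks for a code; a real server would e-mail it to the
// account owner rather than accept it as a parameter.
function issueMagicCode(accountID: number, code: string, now: number, ttlMs = 10 * 60 * 1000): void {
    pendingCodes.set(accountID, {codeHash: hashCode(code), expiresAt: now + ttlMs, attemptsLeft: MAX_ATTEMPTS});
}

// Hypothetical server-side handler for the physical card request. Before the
// change described in the issue, any validateCode was accepted; here the card is
// issued only when the code is present, unexpired, matching and not burned.
function requestPhysicalCard(accountID: number, validateCode: string | undefined, now: number): IssueResult {
    if (!validateCode) {
        return {success: false, reason: 'validateCode is required'};
    }
    const pending = pendingCodes.get(accountID);
    if (!pending) {
        return {success: false, reason: 'no magic code was requested for this account'};
    }
    if (now > pending.expiresAt) {
        pendingCodes.delete(accountID);
        return {success: false, reason: 'magic code expired'};
    }
    // Hash both sides and compare in constant time so a wrong code cannot be
    // distinguished from another wrong code by response timing.
    const matches = timingSafeEqual(hashCode(validateCode), pending.codeHash);
    if (!matches) {
        pending.attemptsLeft -= 1;
        if (pending.attemptsLeft <= 0) {
            pendingCodes.delete(accountID); // burn the code after repeated failures
            return {success: false, reason: 'too many failed attempts; request a new code'};
        }
        return {success: false, reason: 'invalid magic code'};
    }
    // Codes are single-use: consume it before issuing so a replay cannot succeed.
    pendingCodes.delete(accountID);
    return {success: true, cardID: `card-${accountID}-${now}`};
}
```

The point the thread makes is that the front-end collecting a code is not, by itself, the fix: until the server enforces these rules, a compromised session can still request a card with an arbitrary `validateCode`.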