Skip to content

Bring back validateCode reasonCode#96224

Open
chuckdries wants to merge 1 commit into
mainfrom
chuckdries/bring-back-reasonCode
Open

Bring back validateCode reasonCode#96224
chuckdries wants to merge 1 commit into
mainfrom
chuckdries/bring-back-reasonCode

Conversation

@chuckdries

@chuckdries chuckdries commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Revert #96134, thus un-reverting #90726. It's the same exact changeset as before, but the backend handling is fixed for the reveal card details case. The original PR description is reproduced below.

Explanation of Change

Magic code emails currently show a generic line "This code was requested because someone is trying to log in to your account or access a secure feature". The goal is to show the reason the code was requested (with instance-specific data where applicable) and to omit the sign-in button when the request isn't a login.

To do that, the backend needs to know why a magic code was requested. This PR plumbs a reasonCode (and, where required, supporting params like reasonCardID) from each App call site that triggers a magic code, through resendValidateCode / requestValidateCodeAction, into the RESEND_VALIDATE_CODE / REQUEST_NEW_VALIDATE_CODE API commands. The backend uses the reasonCode to build the per-reason email copy and show or hide the signin button

Reason codes covered in this PR:

reasonCode Resulting email copy Sign-in button Call sites
sign_in "Sign in to your Expensify account" shown ChooseSSOOrMagicCode, BaseValidateCodeForm
validate_account "Verify that this contact method can be used to reach you" hidden VerifyAccountPageBase (see note — fans out to ~15 account-level gates), BaseOnboardingPrivateDomain
add_contact_method "Add a new contact method to your account" hidden NewContactMethodConfirmMagicCodePage
reveal_card_details (+ reasonCardID) "Reveal details for your Expensify card ending in NNNN" or "Reveal your Travel CVV" hidden ExpensifyCardVerifyAccountPage, TravelCVVVerifyAccountPage
null (explicitly passed) generic fallback ("...log in to your account or access a secure feature") hidden BaseOnboardingWorkEmailValidation, WorkspaceVerifyWorkAccountPage, WorkspaceExpensifyCardVerifyWorkAccountPage (all work-email account merge — not yet implemented)
none (requestValidateCodeAction() with no args) generic fallback (same as above) hidden ConfirmDelegateMagicCodePage, UpdateDelegateMagicCodePage, PrivatePersonalDetailsConfirmMagicCodePage, SetDefaultContactMethodConfirmMagicCodePage, ReportVirtualCardFraudVerifyAccountPage, ReportCardLostConfirmMagicCodePage, MissingPersonalDetailsMagicCodePage, IssueNewCardConfirmMagicCodePage, MultifactorAuthentication/ValidateCodePage, MultifactorAuthenticationMainContext

Type safety: ResendValidateCodeParams is a discriminated union. reveal_card_details requires a reasonCardID; the other reasons forbid extra params; null is a temporary escape hatch (ResendValidateCodeNotYetImplementedParams) for the one flow whose reason isn't modeled yet. This makes it a compile error to request a card-reveal code without a card ID.

Note

VerifyAccountPageBase coverage is broad. It exposes no sendValidateCode prop — the validate_account reason is set internally — so the single change there covers every account-level one-time validation gate that wraps it (~15 routes): add delegate/copilot, enable 2FA, company-card feed, bank account for wallet/reimbursements, invoicing bank account, workspace domain, international deposit country, travel access, create/confirm money request, report/expense-report/search actions, and enable wallet. Testing one of these wrappers exercises them all; the rest only need a spot check.

Note

This is intentionally not a complete migration of every magic-code call site. Auth/Web-E treat an empty/null reasonCode as legacy and fall back to the generic copy, so un-migrated callers are unaffected. A follow-up will cover the remaining reasons and then tighten reasonCode to required on the backend.

Known deferred gate: "Verify a newly added contact method" (ContactMethodDetailsPage) is a validate_account-semantics email that this PR leaves on the generic fallback. It calls requestContactMethodValidateCode, which writes the separate REQUEST_CONTACT_METHOD_VALIDATE_CODE command — a different command/param type than the RESEND_VALIDATE_CODE / REQUEST_NEW_VALIDATE_CODE paths this PR plumbs. Carrying a reason there requires plumbing that third command, deferred to the follow-up.

Fixed Issues

$ https://github.com/Expensify/Expensify/issues/623748
PROPOSAL:

Tests

1. sign_in — login via magic code (resend)

  1. Sign out. On the sign-in page, enter an email and continue to the magic code step.
  2. On the magic code form, click Resend (BaseValidateCodeForm).
  3. Verify the email reads "...someone is trying to: • Sign in to your Expensify account".
  4. Verify the sign-in button is present at the bottom and the "Or just sign in below." line is shown.
  5. Verify that the magic code is accepted.

2. sign_in — SSO "Use magic code"

  1. Sign out. Enter an email on an SSO-enabled domain and continue.
  2. On the "Choose SSO or magic code" screen, click Use magic code (ChooseSSOOrMagicCode).
  3. Verify the email reads "...someone is trying to: • Sign in to your Expensify account".
  4. Verify the sign-in button is present at the bottom and the "Or just sign in below." line is shown.
  5. Verify that the magic code is accepted.

3. add_contact_method — add a new contact method

  1. Settings > Profile > Contact methods > New contact method.
  2. Verify the email you receive reads "...trying to: • Add a new contact method to your account".
  3. Verify no sign-in button is rendered.
  4. Verify that the magic code is accepted.

4. validate_account — validate the newly-added contact method

  1. Continuing from step 5 of the test above, enter an email or phone number
  2. Enter a new email/phone and continue to the magic code confirmation page
  3. Verify the email you receive has the subject "Verify secondary email for Expensify" and looks different from all the other magic code emails
  4. Verify that the magic code is accepted

5. reveal_card_details — virtual Expensify card

  1. Settings > Wallet > a virtual Expensify card > press Reveal under Virtual card number.
  2. Verify the email reads "...trying to: • Reveal details for your Expensify card ending in NNNN", where NNNN matches the last four of the card.
  3. Verify no sign-in button is rendered.
  4. Verify that the magic code is accepted.

6. reveal_card_details — Travel CVV

  1. With a travel-invoicing card present, go to Wallet > Travel CVV
  2. Verify the email reads "...trying to: • Reveal your Travel CVV".
  3. Verify no sign-in button is rendered.
  4. Verify that the magic code is accepted.

The four cases below all send validate_account. Each ends with the same three assertions:
(A) the email reads "...someone is trying to: • Verify that this contact method can be used to reach you"
(B) no sign-in button is rendered
(C) the magic code is accepted
All of these gates only fire for an account whose login is not yet validated — use a freshly created test account so the gate appears.

7. validate_account — account-level gate via VerifyAccountPageBase (represented by Enable 2FA)

Every account-level gate in the coverage note routes through VerifyAccountPageBase, so this one case represents all 15. 2FA is the easiest to reach.

  1. Sign in as an unvalidated account.
  2. Go to Settings > Security > Two-factor authentication.
  3. Make sure that you are prompted for a magic code.
  4. Assert (A) and (B) and (C).
  5. Spot check (optional): repeat via one other wrapper — e.g. Settings > Security > Add copilot (settings/security/delegate/verify-account) and confirm identical copy, proving the shared path.

8. validate_account — onboarding private domain (BaseOnboardingPrivateDomain)

This page only renders during onboarding when the account is on a private domain that already has at least one accessible workspace, and of course if the account is unvalidated. That's tricky because if the domain is validated, App will challenge you for a magic code at signin time because your account is considered domainControlled. So you need a private domain that is not validated but you can actually receive emails to.

  1. Ensure your test domain already has a workspace with at least one member on that domain.
  2. Sign up / onboard a new account using a different email on that same private domain
  3. Proceed through onboarding until the "private domain" validation step appears.
  4. Assert (A) and (B) and (C).
  • Verify that no errors appear in the JS console

Offline tests

None

QA Steps

Same as tests

  • Verify that no errors appear in the JS console

PR Author Checklist

  • I linked the correct issue in the ### Fixed Issues section above
  • I wrote clear testing steps that cover the changes made in this PR
    • I added steps for local testing in the Tests section
    • I added steps for the expected offline behavior in the Offline steps section
    • I added steps for Staging and/or Production testing in the QA steps section
    • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
    • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
    • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
  • I included screenshots or videos for tests on all platforms
  • I ran the tests on all platforms & verified they passed on:
    • Android: Native
    • Android: mWeb Chrome
    • iOS: Native
    • iOS: mWeb Safari
    • MacOS: Chrome / Safari
  • I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
  • I followed proper code patterns (see Reviewing the code)
    • I verified that comments were added to code that is not self explanatory
    • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
    • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
  • I followed the guidelines as stated in the Review Guidelines
  • I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
  • If a new CSS style is added I verified that:
    • A similar style doesn't already exist
    • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
  • If new assets were added or existing ones were modified, I verified that:
    • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
    • The assets load correctly across all supported platforms.
  • If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
  • If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
  • If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
  • If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
  • If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
    • I verified that all the inputs inside a form are aligned with each other.
    • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
  • I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
  • If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

All tests were re-performed today, 2026-07-15

1. Sign in
reasonCode.app.revert.1.sign.in.mp4
2. sign in on SSO enabled domain
reasonCode.app.revert.2.sso.sign.in.mp4
3. add contact method gate
reasonCode.app.revert.3.add_contact_method.mp4
4. validate newly added contact method
reasonCode.app.revert.4.validate_account.mp4
5. reveal card details
reasonCode.app.revert.5.reveal_card_details.mp4
6. reveal travel CVV

Note that this one isn't really testable in dev, but it's enough to check the notification in the db and that the form doesn't immediately reject the validate code

reasonCode.app.revert.6.travel.cvv.mp4
7. unverified account validation gate
reasonCode.app.revert.7.validation.gate.mp4
8. private domain onboarding
reasonCode.app.revert.8.private.domain.onboarding.mp4

…ies/validateCode-reasonCode"

This reverts commit b23a0ba, reversing
changes made to 0032e48.
@chuckdries chuckdries requested a review from daledah July 15, 2026 21:49
@chuckdries chuckdries self-assigned this Jul 15, 2026
@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

@chuckdries chuckdries marked this pull request as ready for review July 15, 2026 22:51
@chuckdries chuckdries requested review from a team as code owners July 15, 2026 22:51
@melvin-bot melvin-bot Bot requested review from ZhenjaHorbach and removed request for a team July 15, 2026 22:51
@melvin-bot

melvin-bot Bot commented Jul 15, 2026

Copy link
Copy Markdown

@ZhenjaHorbach Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

@melvin-bot melvin-bot Bot requested review from flaviadefaria and removed request for a team July 15, 2026 22:51
@chuckdries chuckdries removed the request for review from ZhenjaHorbach July 15, 2026 22:51
@chuckdries

Copy link
Copy Markdown
Contributor Author

I'm gonna have @daledah review this since he has context from reviewing the first one

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant