Bring back validateCode reasonCode#96224
Open
chuckdries wants to merge 1 commit into
Open
Conversation
Codecov Report✅ Changes either increased or maintained existing code coverage, great job!
|
|
@ZhenjaHorbach Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
Contributor
Author
|
I'm gonna have @daledah review this since he has context from reviewing the first one |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Revert #96134, thus un-reverting #90726. It's the same exact changeset as before, but the backend handling is fixed for the reveal card details case. The original PR description is reproduced below.
Explanation of Change
Magic code emails currently show a generic line "This code was requested because someone is trying to log in to your account or access a secure feature". The goal is to show the reason the code was requested (with instance-specific data where applicable) and to omit the sign-in button when the request isn't a login.
To do that, the backend needs to know why a magic code was requested. This PR plumbs a
reasonCode(and, where required, supporting params likereasonCardID) from each App call site that triggers a magic code, throughresendValidateCode/requestValidateCodeAction, into theRESEND_VALIDATE_CODE/REQUEST_NEW_VALIDATE_CODEAPI commands. The backend uses thereasonCodeto build the per-reason email copy and show or hide the signin buttonReason codes covered in this PR:
reasonCodesign_inChooseSSOOrMagicCode,BaseValidateCodeFormvalidate_accountVerifyAccountPageBase(see note — fans out to ~15 account-level gates),BaseOnboardingPrivateDomainadd_contact_methodNewContactMethodConfirmMagicCodePagereveal_card_details(+reasonCardID)ExpensifyCardVerifyAccountPage,TravelCVVVerifyAccountPagenull(explicitly passed)BaseOnboardingWorkEmailValidation,WorkspaceVerifyWorkAccountPage,WorkspaceExpensifyCardVerifyWorkAccountPage(all work-email account merge — not yet implemented)requestValidateCodeAction()with no args)ConfirmDelegateMagicCodePage,UpdateDelegateMagicCodePage,PrivatePersonalDetailsConfirmMagicCodePage,SetDefaultContactMethodConfirmMagicCodePage,ReportVirtualCardFraudVerifyAccountPage,ReportCardLostConfirmMagicCodePage,MissingPersonalDetailsMagicCodePage,IssueNewCardConfirmMagicCodePage,MultifactorAuthentication/ValidateCodePage,MultifactorAuthenticationMainContextType safety:
ResendValidateCodeParamsis a discriminated union.reveal_card_detailsrequires areasonCardID; the other reasons forbid extra params;nullis a temporary escape hatch (ResendValidateCodeNotYetImplementedParams) for the one flow whose reason isn't modeled yet. This makes it a compile error to request a card-reveal code without a card ID.Note
VerifyAccountPageBasecoverage is broad. It exposes nosendValidateCodeprop — thevalidate_accountreason is set internally — so the single change there covers every account-level one-time validation gate that wraps it (~15 routes): add delegate/copilot, enable 2FA, company-card feed, bank account for wallet/reimbursements, invoicing bank account, workspace domain, international deposit country, travel access, create/confirm money request, report/expense-report/search actions, and enable wallet. Testing one of these wrappers exercises them all; the rest only need a spot check.Note
This is intentionally not a complete migration of every magic-code call site. Auth/Web-E treat an empty/
nullreasonCodeas legacy and fall back to the generic copy, so un-migrated callers are unaffected. A follow-up will cover the remaining reasons and then tightenreasonCodeto required on the backend.Known deferred gate: "Verify a newly added contact method" (
ContactMethodDetailsPage) is avalidate_account-semantics email that this PR leaves on the generic fallback. It callsrequestContactMethodValidateCode, which writes the separateREQUEST_CONTACT_METHOD_VALIDATE_CODEcommand — a different command/param type than theRESEND_VALIDATE_CODE/REQUEST_NEW_VALIDATE_CODEpaths this PR plumbs. Carrying a reason there requires plumbing that third command, deferred to the follow-up.Fixed Issues
$ https://github.com/Expensify/Expensify/issues/623748
PROPOSAL:
Tests
1.
sign_in— login via magic code (resend)BaseValidateCodeForm).2.
sign_in— SSO "Use magic code"ChooseSSOOrMagicCode).3.
add_contact_method— add a new contact method4.
validate_account— validate the newly-added contact method5.
reveal_card_details— virtual Expensify cardNNNNmatches the last four of the card.6.
reveal_card_details— Travel CVV7.
validate_account— account-level gate viaVerifyAccountPageBase(represented by Enable 2FA)Every account-level gate in the coverage note routes through
VerifyAccountPageBase, so this one case represents all 15. 2FA is the easiest to reach.settings/security/delegate/verify-account) and confirm identical copy, proving the shared path.8.
validate_account— onboarding private domain (BaseOnboardingPrivateDomain)This page only renders during onboarding when the account is on a private domain that already has at least one accessible workspace, and of course if the account is unvalidated. That's tricky because if the domain is validated, App will challenge you for a magic code at signin time because your account is considered domainControlled. So you need a private domain that is not validated but you can actually receive emails to.
Offline tests
None
QA Steps
Same as tests
PR Author Checklist
### Fixed Issuessection aboveTestssectionOffline stepssectionQA stepssectionAvatar, I verified the components usingAvatarare working as expected)StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))npm run compress-svg)Avataris modified, I verified thatAvataris working as expected in all cases)Designlabel and/or tagged@Expensify/designso the design team can review the changes.mainbranch was merged into this PR after a review, I tested again and verified the outcome was still expected according to theTeststeps.Screenshots/Videos
All tests were re-performed today, 2026-07-15
1. Sign in
reasonCode.app.revert.1.sign.in.mp4
2. sign in on SSO enabled domain
reasonCode.app.revert.2.sso.sign.in.mp4
3. add contact method gate
reasonCode.app.revert.3.add_contact_method.mp4
4. validate newly added contact method
reasonCode.app.revert.4.validate_account.mp4
5. reveal card details
reasonCode.app.revert.5.reveal_card_details.mp4
6. reveal travel CVV
Note that this one isn't really testable in dev, but it's enough to check the notification in the db and that the form doesn't immediately reject the validate code
reasonCode.app.revert.6.travel.cvv.mp4
7. unverified account validation gate
reasonCode.app.revert.7.validation.gate.mp4
8. private domain onboarding
reasonCode.app.revert.8.private.domain.onboarding.mp4