[hold for payment 2023-08-30] [$2000] Security - Copy button is displayed without any secret key when the 2FA step 2 page is accessed directly through URL #19496
Comments
Triggered auto assignment to @joekaufmanexpensify ( |
Bug0 Triage Checklist (Main S/O)
|
Proposal

Please re-state the problem that we are trying to solve in this issue.

We want to regenerate recovery codes when the user visits the security codes page from the verify codes page after refreshing the screen on the verify codes page.

What is the root cause of that problem?

Currently the recovery codes are only regenerated in the security settings screen when the 'two factor authentication' option is clicked.

What changes do you think we should make in order to solve the problem?

We should move the

Additionally, we can check if the recovery code is already there and fetch a new one accordingly:

```js
// Only request fresh codes/secret when step 1 data is missing from the account
if (!(props.account.recoveryCodes && props.account.twoFactorAuthSecretKey)) {
    Session.toggleTwoFactorAuth(true);
}
```

What alternative solutions did you explore? (Optional)

N/A |
I can reproduce this on web. If I had to suspect why this is happening, it's because typically when enabling 2FA, we require you to download or copy the recovery codes before proceeding to the step that has the secret key. Whereas by loading https://staging.new.expensify.com/settings/security/two-factor-auth/verify , the user is bypassing this required first step. IMO, the best solution would be to redirect the user to the first page of the 2FA flow (to copy/download their recovery codes) if they try and load https://staging.new.expensify.com/settings/security/two-factor-auth/verify directly and have not previously copied or downloaded their recovery codes. 2023-05-24_15-58-57.mp4 |
Job added to Upwork: https://www.upwork.com/jobs/~012f90e1d072b364da |
Current assignee @joekaufmanexpensify is eligible for the External assigner, not assigning anyone new. |
Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif ( |
Triggered auto assignment to @deetergp ( |
Proposal

Please re-state the problem that we are trying to solve in this issue.

Copy button is displayed without any secret key when the 2FA step 2 page is accessed directly through URL.

What is the root cause of that problem?

It's happening because the user is directly accessing

What changes do you think we should make in order to solve the problem?

I dug more into this. We can create an action like this:

```js
function checkAccessAndRedirectIfRequired() {
    // Active route without its leading slash, e.g. "settings/security/two-factor-auth/verify"
    const currentRoute = ReportUtils.getRouteFromLink(Navigation.getActiveRoute()).substring(1);
    const connectionID = Onyx.connect({
        key: ONYXKEYS.ACCOUNT,
        waitForCollectionCallback: true,
        callback: (account) => {
            // One-shot read: disconnect as soon as the account value is delivered
            Onyx.disconnect(connectionID);
            if (!account) {
                return;
            }
            const is2faEnabled = account.requiresTwoFactorAuth;
            if (currentRoute === ROUTES.SETTINGS_2FA_CODES) {
                if (is2faEnabled) {
                    return Navigation.navigate(ROUTES.SETTINGS_2FA_IS_ENABLED);
                }
                clearTwoFactorAuthData();
                Session.toggleTwoFactorAuth(true);
                return;
            }
            // Just redirect to the CODES page; direct access should not be allowed
            if (currentRoute === ROUTES.SETTINGS_2FA_VERIFY || currentRoute === ROUTES.SETTINGS_2FA_IS_ENABLED) {
                if (!is2faEnabled) {
                    Navigation.navigate(ROUTES.SETTINGS_2FA_CODES);
                }
            }
            // ... other handlers for pages
        },
    });
}
```

And it has to be used in ALL 2FA pages; it will handle all edge cases.

OLD understanding: We should redirect the user to the 1st step and toggle 2FA. App/src/pages/settings/Security/TwoFactorAuth/VerifyPage.js Lines 54 to 59 in 6c23b16

Can add below this function:

```js
useEffect(() => {
    // Step 1 data present: nothing to do
    if (props.account.recoveryCodes) {
        return;
    }
    // Otherwise send the user back to the recovery codes step
    Navigation.navigate(ROUTES.SETTINGS_2FA_CODES);
}, [props.account.recoveryCodes]);
```

and in Session.toggleTwoFactorAuth(true); // we can use this in `useEffect` We are doing this so it will solve our #19628 issue when the user directly opens this page, and we can safely remove this line from here.

What alternative solutions did you explore? (Optional)

None

Video

newvid.mov |
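As an added example (not code from the Expensify App repository or from either proposal), the redirect rules from the two proposals above combined into one pure decision function that can be unit-tested without Onyx or Navigation; the route string values and the `resolveTwoFactorAccess` name are assumptions, only the ROUTES constant names and the account fields come from the thread.

```javascript
// Assumed route strings; the constant names match the ones used in the proposals.
const ROUTES = {
    SETTINGS_2FA_CODES: 'settings/security/two-factor-auth',
    SETTINGS_2FA_VERIFY: 'settings/security/two-factor-auth/verify',
    SETTINGS_2FA_IS_ENABLED: 'settings/security/two-factor-auth/enabled',
};

/**
 * Decide what a 2FA page may do given the current account state.
 * Returns {navigateTo, regenerate}: navigateTo is the route to redirect to
 * (null to stay on the page); regenerate is true when the codes page must
 * request fresh recovery codes and secret key (the toggleTwoFactorAuth(true) call).
 * Hypothetical helper written for this thread.
 */
function resolveTwoFactorAccess(currentRoute, account) {
    const stay = {navigateTo: null, regenerate: false};
    if (!account) {
        return stay;
    }
    const is2faEnabled = Boolean(account.requiresTwoFactorAuth);
    // Step 1 data: both the recovery codes and the secret key must be present
    const hasSetupData = Boolean(account.recoveryCodes && account.twoFactorAuthSecretKey);

    switch (currentRoute) {
        case ROUTES.SETTINGS_2FA_CODES:
            // Already enabled: nothing to set up, show the "enabled" page instead
            if (is2faEnabled) return {navigateTo: ROUTES.SETTINGS_2FA_IS_ENABLED, regenerate: false};
            // Starting setup: fetch codes only when they are not already in the account
            return {navigateTo: null, regenerate: !hasSetupData};
        case ROUTES.SETTINGS_2FA_VERIFY:
            // Direct access that skipped step 1 would render the copy button with an
            // empty secret, so send the user back to the recovery codes step
            if (!is2faEnabled && !hasSetupData) return {navigateTo: ROUTES.SETTINGS_2FA_CODES, regenerate: false};
            return stay;
        case ROUTES.SETTINGS_2FA_IS_ENABLED:
            // The "enabled" page only makes sense once 2FA is actually on
            if (!is2faEnabled) return {navigateTo: ROUTES.SETTINGS_2FA_CODES, regenerate: false};
            return stay;
        default:
            return stay;
    }
}
```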
Looks like something related to As a reminder, please make sure that all proposals are not workarounds and that any and all attempt to fix the issue holistically have been made before proceeding with a solution. Proposals to change our Feel free to drop a note in #expensify-open-source with any questions. |
Proposal

Please re-state the problem that we are trying to solve in this issue.

Security - Copy button is displayed without any secret key when the 2FA step 2 page is accessed directly through URL

What is the root cause of that problem?

=> That's the reason why, if we reload the Verify 2FA page or go to it by direct link, there are no recoveryCodes there.

What changes do you think we should make in order to solve the problem?

|
@aimane-chnaif thoughts on these proposals? |
Triggered auto assignment to @Christinadobrzyn ( |
Adding an additional assignee as I'm OOO next week (until June 5th). Next steps here is to make sure we get these proposals reviewed, and hopefully select one! |
I'd expect that you'd go back to the codes page. Do you agree @aimane-chnaif, @deetergp ? |
We originally discussed going back to Settings when individual routes. |
So I've implemented it this way: |
Works for me |
I've opened the draft PR in the morning, it was reviewed by my teammates. It's almost ready to be opened, but I have some problems with my android emulator and can't record videos and retest it once again, but it should be working (as there's no android specific changes here). I'll try to fix it and hopefully I'll be able to attach the videos tomorrow |
Fixed the issue and added recordings for Android. PR opened: #23060 |
@aimane-chnaif bumping for re-review 🙂 |
PR got merged last week! |
Payment due here on 2023-08-30! |
Coming from #25518: |
@aimane-chnaif just to clarify, you mean I'll take over payment for the contract you accepted in the above issue, and just handle payment in this issue using that contract? If so, sounds good to me! |
yes exactly. Thanks |
Sounds good! |
It took a while to get this one merged, but we discussed here, and given the amount of effort involved in this issue, there will be no penalty. This means we need to issue the following payments:
|
Original upwork job closed, so I created a new one here to pay @adeel0202 . Separately, @sakluger got assigned a duplicate issue to pay @aimane-chnaif for their review in this issue and already hired them there, so we're going to use that job for the purposes of paying @aimane-chnaif. |
@adeel0202 offer sent for $250! |
Accepted, thanks. |
@adeel0202 $250 sent and contract ended! |
@aimane-chnaif $2,000 sent for the upwork contract you accepted in this issue, and contract ended. |
Closing as this one's all set. Thanks everyone! |
If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!
Action Performed:
Expected Result:
Here is how we want to handle all of the various cases related to this issue:
2FA is not enabled, and the user loads:
2FA is enabled, and the user loads:
Actual Result:
Copy button is there without any secret key shown.
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Version Number: 1.3.17.0
Reproducible in staging?: Yes
Reproducible in production?: Yes
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation
Screen.Recording.2023-05-24.at.2.28.55.AM.1.mov
Expensify/Expensify Issue URL:
Issue reported by: @adeel0202
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1684420754597459