Web - User can access Two-factor authentication (Step 2: Verify) without copying the code, resulting in an empty code being displayed with copy button #23198

Closed
1 of 6 tasks
kbecciv opened this issue Jul 19, 2023 · 6 comments
Assignees
Labels
Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2

Comments

@kbecciv

kbecciv commented Jul 19, 2023


Action Performed:

  1. Go to Settings > Security > Two-factor authentication.
  2. Click on the "Copy" button and proceed to the next step.
  3. Copy the page URL and send it to a chat.
  4. Open the link from the chat.
  5. Observe that the user is able to open the page without copying the code, and an empty code is displayed on both pages.

Expected Result:

The user should not be able to access the Two-factor authentication page without copying the code. Alternatively, if the user opens the page from the chat without copying the code, the copy button should not be displayed.

Actual Result:

The user is able to access the Two-factor authentication (Step 2: Verify) page without copying the code, resulting in an empty code being displayed, and the copy button is also displayed even though the code is empty.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.42-21
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

screen-recording-2023-07-19-at-21357-am_So6COR6Q.mp4
Recording.3767.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ayazhussain79
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1689717017885469


@kbecciv kbecciv added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Jul 19, 2023
@melvin-bot

melvin-bot bot commented Jul 19, 2023

Triggered auto assignment to @slafortune (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Jul 19, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@Ollyws
Contributor

Ollyws commented Jul 19, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

We can still access the 2fa pages when the 2fa data doesn't yet exist.

What is the root cause of that problem?

We request the 2fa data in SecuritySettingsPage, and we never check if the data exists before displaying the subsequent 2fa pages.

What changes do you think we should make in order to solve the problem?

We can wrap the content of VerifyPage in a FullPageNotFoundView then we can check for props.account.twoFactorAuthSecretKey as a condition of the shouldShow prop.
The same thing seems to happen in the CodesPage so we may also want to do the same thing there (except with props.account.recoveryCodes), or request the data in CodesPage, if it doesn't already exist.

What alternative solutions did you explore? (Optional)

None

@dukenv0307
Contributor

dukenv0307 commented Jul 20, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

User can access Two-factor authentication (Step 2: Verify) without copying the code, resulting in an empty code being displayed with copy button

What is the root cause of that problem?

We don't have a check in VerifyPage to go back to CodesPage if 2fa key is empty

What changes do you think we should make in order to solve the problem?

In VerifyPage we can add a useEffect to goBack to CodesPage if props.account.twoFactorAuthSecretKey is empty

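useEffect(() => {
    // Nothing to do when the 2FA secret key is already loaded.
    if (props.account.twoFactorAuthSecretKey) {
        return;
    }
    // The key is empty (for example, the page was opened from a link): go back to CodesPage.
    Navigation.goBack(ROUTES.SETTINGS_2FA_CODES);
}, [props.account.twoFactorAuthSecretKey]);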

And in CodesPage, because we sometimes reach this page by deep link or by going back from another page, we need to check whether props.account.recoveryCodes is empty; if it is, we will call the API to generate recoveryCodes.

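useEffect(() => {
    // Recovery codes are already loaded, so there is nothing to request.
    if (props.account.recoveryCodes) {
        return;
    }
    // No codes yet (deep link or goBack): call the API to generate them.
    Session.toggleTwoFactorAuth(true);
}, [props.account.recoveryCodes]);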

What alternative solutions did you explore? (Optional)

NA

Result

Screencast.from.20-07-2023.10.30.57.webm
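
As an added illustration of the check the two proposals above describe (not code from the Expensify/App repository or from either commenter): a pure guard that decides, from the account state, whether a 2FA setup step may render, must request its data, or should redirect, and that never enables the copy button for an empty value. The field names twoFactorAuthSecretKey and recoveryCodes come from the thread; the step names, the assumption that both fields are strings, and the returned object shape are hypothetical.

```javascript
// Added illustration, not project code. Step names and result shape are assumed.
const STEP_REQUIREMENTS = {
    // CodesPage: when recovery codes are missing, request them (second proposal).
    codes: {field: 'recoveryCodes', onMissing: 'fetch'},
    // VerifyPage: when the secret key is missing, send the user back to the codes step.
    verify: {field: 'twoFactorAuthSecretKey', onMissing: 'redirect', redirectTo: 'codes'},
};

// Treat undefined, null, '' and whitespace-only strings as "not loaded".
function hasValue(value) {
    return typeof value === 'string' && value.trim().length > 0;
}

// Decide what a 2FA setup step may do for the given account state.
// showCopyButton is true only when there is a value to copy.
function guardTwoFactorStep(step, account) {
    const rule = Object.prototype.hasOwnProperty.call(STEP_REQUIREMENTS, step)
        ? STEP_REQUIREMENTS[step]
        : null;
    if (!rule) {
        // Unknown step: equivalent to showing a not-found view (first proposal).
        return {action: 'notFound', showCopyButton: false};
    }
    const value = account ? account[rule.field] : undefined;
    if (hasValue(value)) {
        return {action: 'render', showCopyButton: true};
    }
    if (rule.onMissing === 'redirect') {
        return {action: 'redirect', to: rule.redirectTo, showCopyButton: false};
    }
    return {action: 'fetch', showCopyButton: false};
}

// Constructed account states: a session that opened the URL directly,
// and one that walked through the settings flow.
const openedFromLink = {};
const normalFlow = {recoveryCodes: 'aaaa bbbb', twoFactorAuthSecretKey: 'CONSTRUCTED-KEY'};

console.log(guardTwoFactorStep('verify', openedFromLink));
console.log(guardTwoFactorStep('codes', openedFromLink));
console.log(guardTwoFactorStep('verify', normalFlow));
```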

@bernhardoj
Contributor

It is being handled here #19496

@slafortune
Contributor

duplicate
