Clicking on deep links on passwordless crashes the app

[thienlnam]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Platform:
iOS Staging / Android staging
Version : v1.2.96-0 (edited)

Action Performed:

Break down in numbered steps

1. Sign into a fresh account with passwordless enabled with 2FA enabled
2. Using the link on the email click on it on the same device.
3. It should deep link open the app

Expected Result:

Describe what you think should've happened
It should take you to the 2FA code prompt

Actual Result:

Describe what actually happened
Got the Uh-oh something went wrong! page.

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: v1.2.96-0
Reproducible in staging?: Y
Reproducible in production?: N
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation
Expensify/Expensify Issue URL:
Issue reported by: Internal @johnmlee101
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1680796507538369

View all open jobs on GitHub

[MelvinBot]

Triggered auto assignment to @johncschuster (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[MelvinBot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[OSBotify]

👋 Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open StagingDeployCash deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

1. Identify the pull request that introduced this issue and revert it.
2. Find someone who can quickly fix the issue.
3. Fix the issue yourself.

[MelvinBot]

Triggered auto assignment to @jasperhuangg (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[jasperhuangg]

To clarify, deep links are still broken on iOS (they redirect you to the web browser, which shows you a screen telling you what the code is), so this issue should only be reproducible on Android at the moment.

[jasperhuangg]

Just reproduced on Android 👍 investigating

[jasperhuangg]

Hmm it seems deep links are broken on Android now too, I can't even use the link to deep link to the ValidateLogin page on a physical device

They seem to work with the staging build though.

[jasperhuangg]

lol wtf we're calling a function Session.signInWithValidateCodeAndNavigate

App/src/pages/ValidateLoginPage/index.js

Line 48 in d300d6e

Session.signInWithValidateCodeAndNavigate(accountID, validateCode);

but that function just straight up doesn't even exist in our Session.js lib... no wonder the App just crashes

[jasperhuangg]

I'm pretty confident my changes should fix the crash, but I'm unable to test them since I can't get deeplinking to work for me on Android

[jasperhuangg]

Deeplinking fix involves a few more changes that I haven't been able to finish testing, will keep at this tomorrow

[NikkiWines]

lol wtf we're calling a function Session.signInWithValidateCodeAndNavigate
but that function just straight up doesn't even exist in our Session.js lib... no wonder the App just crashes

:wat: that definitely used to exist, was introduced in #14443 - looking into when it got removed

[NikkiWines]

Aha, looks like it was removed in #15505 but somehow missed the usage in ValidateLoginPage/index.js? cc: @cristipaval

[johncschuster]

Hey friends! I'm OOO today. Do you need another non-engineer assigned to this?

[MelvinBot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[MelvinBot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.2.96-4 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Fix automatic authentication with magic link on mobile native #17141

If no regressions arise, payment will be issued on 2023-04-14. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[cristipaval]

@kbecciv , As I also asked here in Slack discussion, do we have separate regression tests for magick link handling on web vs on mobile native?

cc @johncschuster (this is meant to address the forth checkmark from above)

[MelvinBot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.2.97-2 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Fix automatic authentication with magic link on mobile native #17141

If no regressions arise, payment will be issued on 2023-04-17. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[MelvinBot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@cristipaval / @jasperhuangg] The PR that introduced the bug has been identified. Link to the PR: Error modal when signin from expired magic link #15505
• [@cristipaval / @jasperhuangg] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: Error modal when signin from expired magic link #15505 (comment)
• [@cristipaval / @jasperhuangg] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: here
• [@johncschuster] Determine if we should create a regression test for this bug.
• [@cristipaval / @jasperhuangg] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@johncschuster] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[jasperhuangg]

I don't think we need to add regression tests here, this was a bug that should have definitely been caught in review cc @cristipaval what do you think?

[cristipaval]

We do not have regression tests at all for Automatic Authentication. I will propose some regression tests for it today.

[cristipaval]

Regression Test Proposal

1. Start signing in for an account with 2fa disabled
2. Open the magic link in another tab and verify that you see the Abracadabra page
3. Sign out and start signing in for an account with 2fa enabled
4. Open the magic link in another tab and verify that you see the 2fa required page. Don't close this tab and go back to the initial one
5. Enter the 2fa code and go back to the tab where the magic link has been accessed. Verify that you see the Abracadabra page
6. Sign out and start to sign in again with an account with 2fa disabled
7. Open the magic link in another tab, BUT modify it to have a wrong code
8. Verify that you see the Expired code page. Tab on Resend code option and then click on the new magic link
9. Verify that you see the Abracadabra page
10. Open a magic link in a new tab on the same browser where you are authenticated
11. Verify that you see the modal with the magic code

cc @kavimuru

[cristipaval]

@dylanexpensify I see that you are the author of this amazing article. Do you mind checking my first regression test proposal?

[dylanexpensify]

Aha! Why thank you very much good sir!! Checking now!

[dylanexpensify]

Great RT @cristipaval! I updated it a bit to have each step be a bit more clear and succinct. I also left comments in parentheses for you to just make sure the steps are super clear!

1. Sign into an account with 2FA disabled
2. Open the magic link in a separate tab
3. Verify that you see the Abracadabra page
4. Sign out (in the tab opened in step 2? @cristipaval)
5. Sign into an account with 2FA enabled (in which tab?)
6. Open the magic link in a separate tab (3rd tab then?)
7. Verify that you see the 2FA required page. Keep this tab open.
8. Head back to the initial tab (from step 2 or step 6? Basically which tab)
9. Enter the 2FA code
10. Head back to the tab where the magic link has been accessed.
11. Verify that you see the Abracadabra page
12. Sign out
13. Sign in again with an account with 2FA disabled
14. Open the magic link in a separate tab, BUT modify it to have an incorrect 2FA code
15. Verify that you see the Expired code page.
16. Click on Resend code option
17. Click on the new magic link
18. Verify that you see the Abracadabra page
19. Open a magic link in a new tab on the same browser where you are authenticated
20. Verify that you see the modal with the magic code

[cristipaval]

Thank you @dylanexpensify ! Could you please check this one?

1. Sign into an account with 2FA disabled in tab1
2. Open the magic link in a separate tab2
3. Verify that you see the Abracadabra page in tab2
4. Close tab2
5. Verify that you are signed on tab1
6. Sign out from tab1
7. Sign into an account with 2FA enabled in tab1
8. Open the magic link in a separate tab3
9. Verify that you see the 2FA required page. Keep this tab3 open.
10. Head back to the initial tab1
11. Enter the 2FA code
12. Head back to tab3 where the magic link has been accessed.
13. Verify that you see the Abracadabra page
14. Close tab3
15. Verify that you are signed on tab1
16. Sign out again from tab1
17. Sign in again with an account with 2FA disabled in tab1
18. Open the magic link in a separate tab4, BUT modify it to have an incorrect 2FA code
19. Verify that you see the Expired code page in tab4
20. Click on Resend code option
21. Click on the new magic link
22. Verify that you see the Abracadabra page in tab4
23. Close tab4
24. Open a magic link in a new tab5 on the same browser where you are authenticated
25. Verify that you see the modal with the magic code

[MelvinBot]

@johncschuster @cristipaval @jasperhuangg this issue was created 2 weeks ago. Are we close to a solution? Let's make sure we're treating this as a top priority. Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

[cristipaval]

Created an issue to update the regression test. Closing this one.