[HOLD for payment 2024-12-03] Add a step to to Request Physical Card form that collects a magic code

[NikkiWines]

Problem

Someone can issue a physical or virtual Expensify card without verifying they are the owner of the account. This relates to an internal security issue.

Why this is important to solve

This is a security vulnerability that can be taken advantage of if an account is compromised.

Solution

Collect a magic code when requesting a physical Expensify card. In a little more detail:

• The API command to be updated is here
• It should have a new parameter called validateCode that is passed to the server
• In order to do this, anything callling BaseGetPhysicalCard needs a new step to gather a magic code from the user (we should have existing components that can be reused for this)

Issue Owner

Current Issue Owner: @sakluger

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

[melvin-bot]

Triggered auto assignment to @sakluger (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[NikkiWines]

cc: @mountiny, sounds like from this we're still working on the re-usable component for requesting a validateCode, is that correct?

[hungvu193]

Not sure why I'm getting notification for this issue but yeah we have an issue for this kind of flow. It's being worked on by @getusha in #49445.

[mountiny]

correct, @getusha is working on the reusable component here #49445

[sakluger]

Should we assign @getusha to this issue, or is this issue a duplicate, or do we still need someone else for this one?

[mountiny]

I think we can, or @hungvu193 do you want to take on the implementation here?

[hungvu193]

Ok, I can take it.

[mountiny]

Happy to help as CME

[hungvu193]

Draft PR is here. It's based on #49445 so I will wait for #49445 to be merged.

[mountiny]

Not overdue

[mountiny]

The PR was merged, can you sync up with main and make the PR ready for a review @hungvu193? Thank you!

[hungvu193]

Sure thing. Also @NikkiWines I noticed that currently we can pass any validate code and BE still returns success response. I think we still need to update BE right?

[NikkiWines]

Yep, there's a backend change in the works, it's the last thing we'll update though so as to not break any front-end flows that still need changing

[hungvu193]

Cool. I merged FE's PR with main, it's basically ready, only handling error left.

[melvin-bot]

@sakluger, @hungvu193, @mountiny, @situchan Whoops! This issue is 2 days overdue. Let's get this updated quick!

[situchan]

Not overdue

[hungvu193]

Please let me know when BE is ready so I can update the FE's PR @NikkiWines

[NikkiWines]

Will do! We're waiting on another PR but it's in the works

[NikkiWines]

Ok, BE PR is ready, but let's get https://github.com/Expensify/App/pull/51135 reviewed and merged first so that we're passing the validateCode and the flow isn't disrupted by having the BE changes go live.

[situchan]

Please reassign another C+ as I'll be OOO

[dominictb]

I can take over this as per Slack discussion.

cc @mountiny

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 9.0.66-8 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Feat: Add a step to to Request Physical Card form that collects a magic code #51135

If no regressions arise, payment will be issued on 2024-12-03. 🎊

For reference, here are some details about the assignees on this issue:

• @hungvu193 requires payment through NewDot Manual Requests
• @dominictb requires payment (Needs manual offer from BZ)

[melvin-bot]

@hungvu193 / @dominictb @sakluger @hungvu193 / @dominictb The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed. Please copy/paste the BugZero Checklist from here into a new comment on this GH and complete it. If you have the K2 extension, you can simply click: [this button]

[dominictb]

BugZero Checklist:

• [Contributor] Classify the bug:

Bug classification

Source of bug:

• 1a. Result of the original design (eg. a case wasn't considered)
• 1b. Mistake during implementation
• 1c. Backend bug
• 1z. Other: New feature

Where bug was reported:

• 2a. Reported on production
• 2b. Reported on staging (deploy blocker)
• 2c. Reported on both staging and production
• 2d. Reported on a PR
• 2z. Other:

Who reported the bug:

• 3a. Expensify user
• 3b. Expensify employee
• 3c. Contributor
• 3d. QA
• 3z. Other:

• [Contributor] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake.

  Link to comment: NA

• [Contributor] If the regression was CRITICAL (e.g. interrupts a core flow) A discussion in #expensify-open-source has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner.

  Link to discussion: NA

• [Contributor] If it was decided to create a regression test for the bug, please propose the regression test steps using the template below to ensure the same bug will not reach production again.

• [BugZero Assignee] Create a GH issue for creating/updating the regression test once above steps have been agreed upon.

  Link to issue:

Regression Test Proposal

Precondition:

• User is assigned a physical card.

Test:

1. Log into an account with a physical card assigned
2. Go to your Settings => Wallet.
3. Click on your Physical card => Issue card.
4. Enter all necessary information => Press Ship card.
5. Verify that there's modal that allow you to enter magic code.
6. Enter the magic code that's been sent to your login.
7. Verify that you can continue with the flow after that.

Do we agree 👍 or 👎

[sakluger]

@dominictb I sent you an offer through Upwork: https://www.upwork.com/nx/wm/offer/105165129

[melvin-bot]

Payment Summary

Upwork Job

• Reviewer: @hungvu193 owed $250 via NewDot
• ROLE: @dominictb paid $250 via Upwork (https://www.upwork.com/nx/wm/offer/105165129)

BugZero Checklist (@sakluger)

• I have verified the correct assignees and roles are listed above and updated the neccesary manual offers
• I have verified that there are no duplicate or incorrect contracts on Upwork for this job (https://www.upwork.com/ab/applicants//hired)
• I have paid out the Upwork contracts or cancelled the ones that are incorrect
• I have verified the payment summary above is correct

[sakluger]

@hungvu193 please request payment using the payment summary comment above.

[garrettmknight]

$250 approved for @hungvu193