Fix: Prevent users from signing up with ineligible TLD#84842
Conversation
Codecov Report✅ Changes either increased or maintained existing code coverage, great job!
|
|
@bernhardoj Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3b8cbd2e41
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| const parsedPhoneNumber = parsePhoneNumber(phoneLogin); | ||
|
|
||
| if (!Str.isValidEmail(loginTrim) && !parsedPhoneNumber.possible) { | ||
| if (!isValidEmailWithTLD(loginTrim) && !parsedPhoneNumber.possible) { |
There was a problem hiding this comment.
Allow legacy non-IANA email accounts to sign in
This validation now runs before every beginSignIn call on the shared login/signup form, so any pre-existing account whose email uses a TLD that is no longer accepted (for example, accounts created before this fix with .con) is blocked client-side and can never request a sign-in code. That makes this a sign-in regression whenever such legacy accounts exist, so the stricter TLD check should be limited to account-creation flow (or applied after backend account-existence checks) rather than unconditional login validation.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
@bernhardoj Do you think we should consider this concern? The SignUpUser API already handles the invalid TLD case, so I'm not sure whether an account with an invalid TLD could exist in the first place
MacOS-Chrome-2.mp4
Alternatively, we could show the error immediately after clicking the Continue button and disable the Join button afterwards
MacOS-Chrome.mp4
Let me know what you think
There was a problem hiding this comment.
Oh, I just noticed the BE now returns the error and is shown on the sign-up page.
@fukawi2 I think we don't need FE validation then?
There was a problem hiding this comment.
Page 1 Page 2
[login input] => (Join)
When we press Join, BE already returns the error that the email domain is invalid. This PR adds a FE validation on the 1st page that prevents the user to go next if the email domain is invalid. Do we need the FE validation?
cc: @fukawi2
There was a problem hiding this comment.
Bumped on Slack, if I'm not hearing anything, we can proceed with this.
There was a problem hiding this comment.
Responded in slack to align more quickly there
joekaufmanexpensify
left a comment
There was a problem hiding this comment.
Good for product
|
@nyomanjyotisa please merge with main and fix the conflict |
|
@bernhardoj Sure, I've updated the PR |
Reviewer Checklist
Screenshots/VideosAndroid: HybridAppAndroid: mWeb ChromeiOS: HybridAppiOS: mWeb SafariMacOS: Chrome / Safariweb.mp4 |
|
✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release. |
|
🚧 @luacmartins has triggered a test Expensify/App build. You can view the workflow run here. |
|
🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
|
|
🚀 Deployed to staging by https://github.com/luacmartins in version: 9.3.49-0 🚀
Bundle Size Analysis (Sentry): |
|
🚀 Deployed to production by https://github.com/grgia in version: 9.3.49-2 🚀
|
Explanation of Change
Prevent users from signing up with invalid TLD (Top-Level Domain) by validating the TLD using
VALID_TLD_REGEX, so emails likeuser@gmail.conare rejectedFixed Issues
$ #84619
PROPOSAL: #84619 (comment)
Tests
Same as QA Steps
Offline tests
Same as QA Steps
QA Steps
user@gmail.conPR Author Checklist
### Fixed Issuessection aboveTestssectionOffline stepssectionQA stepssectiontoggleReportand notonIconClick)src/languages/*files and using the translation methodSTYLE.md) were followedAvatar, I verified the components usingAvatarare working as expected)StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))npm run compress-svg)Avataris modified, I verified thatAvataris working as expected in all cases)Designlabel and/or tagged@Expensify/designso the design team can review the changes.ScrollViewcomponent to make it scrollable when more elements are added to the page.mainbranch was merged into this PR after a review, I tested again and verified the outcome was still expected according to theTeststeps.Screenshots/Videos
Android: Native
Android-Native.mp4
Android: mWeb Chrome
Android-mWeb.Chrome.mp4
iOS: Native
iOS-Native.mp4
iOS: mWeb Safari
iOS-mWeb.Safari.mp4
MacOS: Chrome / Safari
MacOS-Chrome.mp4