[HOLD for payment 2024-06-28] [HOLD for payment 2024-06-20][$250] Room-User is allowed to invite via mentions invalid number. #41078

Closed
3 of 6 tasks
izarutskaya opened this issue Apr 26, 2024 · 70 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. External Added to denote the issue can be worked on by a contributor Weekly KSv2

Comments

@izarutskaya

izarutskaya commented Apr 26, 2024

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Version Number: 1.4.66-0
Reproducible in staging?: Y
Reproducible in production?: Y
If this was caught during regression testing, add the test name, ID and link from TestRail: https://expensify.testrail.io/index.php?/tests/view/4513241
Logs: https://stackoverflow.com/c/expensify/questions/4856
Issue reported by: Applause-Internal team

Action Performed:

  1. Go to https://staging.new.expensify.com/home
  2. Tap on a room report
  3. Enter @+91 and send the message
  4. Tap invite
  5. Note invited message
  6. Tap header > members > invite
  7. Enter +91
  8. Note no options to select and invite the contact is shown

Expected Result:

User must not be allowed to invite an invalid number via mentions.

Actual Result:

User is allowed to invite an invalid number via mentions.
Via header > members > invite, the user is unable to invite +91, but can invite it via mentions.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos

Bug6462540_1714115844874.mev.mp4


Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~01cdf72ac69795bc85
  • Upwork Job ID: 1784976134411239424
  • Last Price Increase: 2024-05-09
  • Automatic offers:
    • hungvu193 | Reviewer | 0
    • nkdengineer | Contributor | 0
Current Issue Owner: @lschurr
@izarutskaya izarutskaya added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Apr 26, 2024

melvin-bot bot commented Apr 26, 2024

Triggered auto assignment to @lschurr (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

@izarutskaya
Author

We think this issue might be related to the #vip-vsb.

@melvin-bot melvin-bot bot added the Overdue label Apr 29, 2024
@lschurr lschurr added the External Added to denote the issue can be worked on by a contributor label Apr 29, 2024
@melvin-bot melvin-bot bot changed the title Room-User is allowed to invite via mentions invalid number. [$250] Room-User is allowed to invite via mentions invalid number. Apr 29, 2024

melvin-bot bot commented Apr 29, 2024

Job added to Upwork: https://www.upwork.com/jobs/~01cdf72ac69795bc85

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Apr 29, 2024

melvin-bot bot commented Apr 29, 2024

Triggered auto assignment to Contributor-plus team member for initial proposal review - @hungvu193 (External)

@melvin-bot melvin-bot bot removed the Overdue label Apr 29, 2024
@hungvu193
Contributor

hungvu193 commented May 1, 2024

@lschurr I want to discuss the expected behavior here. In this case, when we send an invalid phone number, should the whisper message not be displayed, or is it displayed but we can't click the Invite button?

@lschurr
Contributor

lschurr commented May 1, 2024

I'm not 100% sure - Would you mind starting a Slack thread to discuss @hungvu193?

@hungvu193
Contributor

hungvu193 commented May 2, 2024

Coming from Slack, I think we should handle this issue from BE (BE won't send the whisper action if that's invalid mention), @lschurr can you please add the Internal label?

@lschurr lschurr added Internal Requires API changes or must be handled by Expensify staff and removed External Added to denote the issue can be worked on by a contributor labels May 2, 2024

melvin-bot bot commented May 2, 2024

Current assignee @hungvu193 is eligible for the Internal assigner, not assigning anyone new.

@melvin-bot melvin-bot bot added the Overdue label May 6, 2024
@lschurr
Contributor

lschurr commented May 6, 2024

Asked in the Slack thread about best ways to move forward here. I think we need an Eng volunteer to assign this to.

@melvin-bot melvin-bot bot removed the Overdue label May 6, 2024
@lschurr lschurr added the Hot Pick Ready for an engineer to pick up and run with label May 7, 2024
@blimpich blimpich self-assigned this May 7, 2024
@blimpich blimpich removed the Hot Pick Ready for an engineer to pick up and run with label May 7, 2024
@blimpich
Contributor

blimpich commented May 7, 2024

I'll pick this up, I think it'll be a quick fix.

@blimpich blimpich removed the Help Wanted Apply this label when an issue is open to proposals by contributors label May 7, 2024
@blimpich
Contributor

blimpich commented May 7, 2024

Notes for myself:

Looks like we have a couple ways in Web for validating a phone number, though we should probably only have 1. We also have ways of validating it from the client; one way to validate it is via a command called IsValidPhoneNumber (which doesn't appear to be used ever in App) but we also have ways that leverage other libraries as shown here. Auth doesn't seem to have methods for validating phone numbers, which seems odd to me.

Another funny thing is that we also seem to be making accounts for these invalid phone numbers. Like when you comment @+91 it actually creates an account with the username +91@expensify.sms, even though we would reject making that account if a user tried to sign up with it. Not sure if we care about that or not. We probably don't care.

It seems like this will be easiest to fix in Web. But that may be problematic because I think these actionable mention whispers are made in Auth. We may need to port over our TwilioUtils.php file to Auth, or at least partly port it. That would take a little bit of time. But I think that would be the "best" solution since a Web solution will probably end up being quite hacky. Those are my thoughts after doing an initial inspection.

Will return to this tomorrow.

@blimpich
Contributor

blimpich commented May 8, 2024

Ugh, this is more complicated than expected. Twilio uses the E164 format as their standard for what is and isn't a valid phone number, but this standard actually doesn't have a minimum number of digits necessary for it to be valid. See https://www.twilio.com/docs/api/errors/21211. This means that I don't think we can actually say that these phone numbers are invalid.

So, technically, +91 is a valid phone number. And if you can believe it, according to the leading SMS api in the world, even + is a valid phone number. Kinda ridiculous.

I tested this by directly hitting Twilio's API using our own TwilioUtils->isValidPhoneNumber method in Web-Expensify.
(Screenshot 2024-05-08 at 1 52 36 PM)

But we don't allow numbers like that to make accounts! If you type +94 into the login page it'll tell you that's not a valid number!
Screenshot 2024-05-08 at 2 48 37 PM
The reason is because we use the awesome-phonenumber npm package to partly validate our phone numbers. And for some reason it seems to understand that +94 is not a valid phone number, probably due to a very long if/else chain checking country code against phone number length. For example, Sweden only has to have 7 digits in their phone numbers (source).

Funnily enough this package is actually based off a C++ package from Google called libphonenumber. So we could download that into our C++ layer and start using that, but this is getting a little ridiculous.
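
Added example, not part of the thread and not Expensify's code: a minimal sketch of the gap described in the comments above, where a shape-only E.164 check accepts `+91` while a length-aware check rejects it, with both invite entry points routed through the same validator. The `NATIONAL_LENGTHS` table and the helper names `validatePhone`, `invitableMentions` and `canInviteFromMembersPage` are assumptions made up for illustration; a real implementation would take its lengths from numbering-plan metadata.

```javascript
// Added example. NATIONAL_LENGTHS is constructed for illustration only;
// real [min, max] lengths come from numbering-plan metadata.
const NATIONAL_LENGTHS = {
  '1': [10, 10],  // NANP
  '46': [7, 13],  // Sweden (7-digit minimum as cited in the thread)
  '91': [10, 10], // India
};

// Shape-only E.164 check: '+' and 1 to 15 digits, no per-country minimum.
const looksLikeE164 = (s) => /^\+[1-9]\d{0,14}$/.test(s);

// Strict check: shape first, then national length for the country code.
function validatePhone(input) {
  const s = String(input).replace(/[\s\-().]/g, '');
  if (!looksLikeE164(s)) return {valid: false, reason: 'shape'};
  const digits = s.slice(1);
  for (let len = 3; len >= 1; len--) {
    if (digits.length < len) continue;
    const range = NATIONAL_LENGTHS[digits.slice(0, len)];
    if (!range) continue;
    const national = digits.length - len;
    return national >= range[0] && national <= range[1]
      ? {valid: true, e164: s}
      : {valid: false, reason: 'length'};
  }
  return {valid: false, reason: 'unknown-country'};
}

// Entry point 1: phone mentions in a comment (hypothetical helper).
function invitableMentions(comment) {
  const out = [];
  for (const m of comment.matchAll(/@(\+\d+)/g)) {
    const r = validatePhone(m[1]);
    if (r.valid) out.push(r.e164);
  }
  return out;
}

// Entry point 2: the members > invite search box (hypothetical helper).
const canInviteFromMembersPage = (input) => validatePhone(input).valid;

// Constructed sample comment: only the full number yields an invite.
console.log(invitableMentions('cc @+91 and @+919876543210'));
```

Because both entry points share `validatePhone`, a bare country code is rejected on the mention path for the same reason it is rejected in the invite search box.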


melvin-bot bot commented Jun 11, 2024

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@hungvu193] The PR that introduced the bug has been identified. Link to the PR:
  • [@hungvu193] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@hungvu193] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@hungvu193] Determine if we should create a regression test for this bug.
  • [@hungvu193] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@lschurr] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@hungvu193
Contributor

  • The PR that introduced the bug has been identified. Link to the PR: No offending PR
  • The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: N/A
  • A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: N/A
  • Determine if we should create a regression test for this bug.

We don't need a regression test for this one imo, this was how our markdown worked, we can treat this issue as an improvement.

@nkdengineer
Contributor

@hungvu193 The PR to bump Expensify-common in live-markdown here

@nkdengineer
Contributor

@hungvu193 The App PR is here.

@melvin-bot melvin-bot bot added Weekly KSv2 and removed Weekly KSv2 labels Jun 13, 2024
@melvin-bot melvin-bot bot changed the title [HOLD for payment 2024-06-18] [$250] Room-User is allowed to invite via mentions invalid number. [HOLD for payment 2024-06-20] [HOLD for payment 2024-06-18] [$250] Room-User is allowed to invite via mentions invalid number. Jun 13, 2024
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Jun 13, 2024

melvin-bot bot commented Jun 13, 2024

Reviewing label has been removed, please complete the "BugZero Checklist".


melvin-bot bot commented Jun 13, 2024

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.82-4 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2024-06-20. 🎊

For reference, here are some details about the assignees on this issue:

@lschurr lschurr changed the title [HOLD for payment 2024-06-20] [HOLD for payment 2024-06-18] [$250] Room-User is allowed to invite via mentions invalid number. [HOLD for payment 2024-06-20][$250] Room-User is allowed to invite via mentions invalid number. Jun 13, 2024
@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Jun 18, 2024

melvin-bot bot commented Jun 20, 2024

⚠️ Looks like this issue was linked to a Deploy Blocker here

If you are the assigned CME please investigate whether the linked PR caused a regression and leave a comment with the results.

If a regression has occurred and you are the assigned CM follow the instructions here.

If this regression could have been avoided please consider also proposing a recommendation to the PR checklist so that we can avoid it in the future.

@lschurr
Contributor

lschurr commented Jun 20, 2024

Payment summary:

@lschurr
Contributor

lschurr commented Jun 20, 2024

Do we need to leave this open for the Deploy Blocker message? #41078 (comment)

@nkdengineer @hungvu193

@nkdengineer
Contributor

It's not a blocker from our PR here. Ref: #44085 (comment).

@lschurr
Contributor

lschurr commented Jun 20, 2024

Great! Closing this one out since it's paid.

@lschurr lschurr closed this as completed Jun 20, 2024
@melvin-bot melvin-bot bot added Weekly KSv2 and removed Daily KSv2 labels Jun 21, 2024
@melvin-bot melvin-bot bot changed the title [HOLD for payment 2024-06-20][$250] Room-User is allowed to invite via mentions invalid number. [HOLD for payment 2024-06-28] [HOLD for payment 2024-06-20][$250] Room-User is allowed to invite via mentions invalid number. Jun 21, 2024

melvin-bot bot commented Jun 21, 2024

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.85-7 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2024-06-28. 🎊

For reference, here are some details about the assignees on this issue:
