[PM-27816] Not clearing the fingerprint on requests that don't return fingerprint on LoginWithDevice

[aj-rosado]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-27816

📔 Objective

Fingerprint should not be cleared when an error is thrown

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @aj-rosado's task —— View job

---

Review Complete

Overall Assessment: APPROVE

This is a well-executed bug fix that correctly preserves the fingerprint phrase during error states in the LoginWithDevice flow. The fix follows established patterns and includes comprehensive test updates.

---

Key Changes

• Replaces explicit Content state creation (with fingerprintPhrase = "") with updateContent helper
• Preserves existing fingerprint when handling Success, Error, and Expired results
• Updates all affected tests to expect persisted fingerprint instead of empty string

Technical Review

✓ Architecture Compliance

• Correct use of existing updateContent helper for partial state updates
• Follows MVVM pattern with proper StateFlow updates
• Maintains unidirectional data flow

✓ State Management

• Leverages immutable state updates via .update {}
• No mutable state violations
• State transitions are predictable

✓ Test Coverage

• All relevant test cases updated (10 test assertions modified)
• Tests validate fingerprint persistence across Success/Error scenarios
• No missing test coverage for the changed behavior

✓ Code Quality

• Reduces code duplication (removes repetitive Content state creation)
• More maintainable solution using existing helper pattern
• Clear intent: preserve state rather than reset it

---

Findings

💭 Finding 1: PR title could be clearer

Details

The current title "Not clearing the fingerprint on requests that don't return fingerprint" is slightly misleading - the requests DO contain the fingerprint in result.authRequest.fingerprint. The issue was that the code explicitly cleared it to empty string.

Suggested alternatives:

• "PM-27816 Preserve fingerprint phrase during LoginWithDevice errors"
• "PM-27816 Fix fingerprint being cleared on LoginWithDevice state transitions"

This is a minor documentation issue and doesn't affect the code quality.

💭 Finding 2: PR description could include verification details

Details

The PR description has a good objective but would benefit from:

• Test plan: Steps to reproduce the original bug and verify the fix
• Screenshots/recording: Visual confirmation that fingerprint persists during errors (helpful for reviewers and QA)

Example test plan:

1. Initiate LoginWithDevice flow
2. Note the fingerprint displayed
3. Trigger an error condition (e.g., network timeout)
4. Verify fingerprint remains visible in error dialog
5. Expected: Fingerprint matches original value
6. Actual (before fix): Fingerprint was cleared

This would align with the "Written new unit and / or integration tests where applicable" checklist item.

---

Positive Observations

• Clean refactoring that improves code quality while fixing the bug
• Excellent test discipline: all affected assertions updated
• Proper use of existing architectural patterns (updateContent helper)
• No security concerns (fingerprint is not sensitive data, serves as verification only)
• Behavioral improvement: users can compare fingerprint even after errors

---

Verdict: This PR successfully addresses the bug with a clean, pattern-consistent solution. The minor documentation suggestions are non-blocking improvements.

[github-actions]

Checkmarx One – Scan Summary & Details – 8055743f-06e7-4614-a0d5-bc09de7cec68

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.22%. Comparing base (7b491d3) to head (6f7b690).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6185      +/-   ##
==========================================
- Coverage   85.22%   85.22%   -0.01%     
==========================================
  Files         724      724              
  Lines       53014    53008       -6     
  Branches     7710     7710              
==========================================
- Hits        45181    45175       -6     
  Misses       5143     5143              
  Partials     2690     2690              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.