Use POST for SAML login #52658
Use POST for SAML login #52658
Conversation
|
Appears to be failing on an unrelated tyepscript check error - but should be ready for review |
melvin-bot
bot
requested review from
MariaHCD
and removed request for
a team
src/libs/LoginUtils.ts
Outdated
| } | ||
| return response.json() as Promise<Response>; | ||
| }) | ||
| .then((response) => response); |
There was a problem hiding this comment.
Do we need this second .then()? Can we return the json in the previous .then() 🤔
There was a problem hiding this comment.
Yeah, at least from my testing we need both - I also followed the convention from here
There was a problem hiding this comment.
What's the convention in this case? I don't see .then((response) => response); in the linked code, and was also wondering about this because this line looks like no-op
There was a problem hiding this comment.
looks like this is actually fine without - removing!
| return fetch(CONFIG.EXPENSIFY.SAML_URL, { | ||
| method: CONST.NETWORK.METHOD.POST, | ||
| body, | ||
| credentials: 'omit', |
There was a problem hiding this comment.
Just curious - why are we setting credentials:omit here?
There was a problem hiding this comment.
Following the convention used here - I can test without it but figured it was safest to go with logic we already knew worked.
| } | ||
|
|
||
| const body = new FormData(); | ||
| body.append('email', credentials?.login ?? ''); |
There was a problem hiding this comment.
What happens if email is set as an empty string?
There was a problem hiding this comment.
I think rn the iDP page fails to load so they get stuck on the loading screen, i'll update the logic to return early if there's no login to pass.
| Navigation.navigate(ROUTES.HOME); | ||
|
|
||
| Navigation.isNavigationReady().then(() => { | ||
| // We must call goBack() to remove the /transition route from history |
There was a problem hiding this comment.
Just curious - where is this transition route set? Is it only from OldDot -> NewDot?
There was a problem hiding this comment.
Yeah OldDot -> NewDot - here
Co-authored-by: Maria D'Costa <[email protected]>
Screenshots🔲 iOS / native11.01.2025_02.54.01_REC.mp4🔲 iOS / SafariCORS error 🔲 MacOS / Desktop11.01.2025_02.42.10_REC.mp4🔲 MacOS / Chrome401987740-33c990b7-972c-4a13-a465-fa60d7f928ec.mp4🔲 Android / ChromeCORS error 🔲 Android / native11.01.2025_02.52.02_REC.mp4 |
|
@NikkiWines I noticed that even on native dev apps the redirection does not happen to app, after login, user is redirected to oldDot website in the opened webview instead of going back to app. Is this expected? |
|
Yeah, it's expected because of the same reason (cookies not persisting). I experience the same behavior on |
|
Ok, great. @NikkiWines Could you please run adHoc build so I can try to see this in action? I believe it should work fine on ad-hoc build. |
|
🚧 @NikkiWines has triggered a test build. You can view the workflow run here. |
|
🧪🧪 Use the links below to test this adhoc build on Android, iOS, Desktop, and Web. Happy testing! 🧪🧪 |
|
I'm not sure the ad-hoc build will actually resolve the testing issue you're having @parasharrajat. However, we should be able to confirm this flow works on staging |
|
Yeah, it behaves the same. I am approving the checklist. |
There was a problem hiding this comment.
Reviewer Checklist
- I have verified the author checklist is complete (all boxes are checked off).
- I verified the correct issue is linked in the
### Fixed Issuessection above - I verified testing steps are clear and they cover the changes made in this PR
- I verified the steps for local testing are in the
Testssection - I verified the steps for Staging and/or Production testing are in the
QA stepssection - I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
- I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
- I verified the steps for local testing are in the
- I checked that screenshots or videos are included for tests on all platforms
- I included screenshots or videos for tests on all platforms
- I verified tests pass on all platforms & I tested again on:
- Android: Native
- Android: mWeb Chrome
- iOS: Native
- iOS: mWeb Safari
- MacOS: Chrome / Safari
- MacOS: Desktop
- If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
- I verified proper code patterns were followed (see Reviewing the code)
- I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e.
toggleReportand notonIconClick). - I verified that the left part of a conditional rendering a React component is a boolean and NOT a string, e.g.
myBool && <MyComponent />. - I verified that comments were added to code that is not self explanatory
- I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
- I verified any copy / text shown in the product is localized by adding it to
src/languages/*files and using the translation method - I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
- I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is approved by marketing by adding the
Waiting for Copylabel for a copy review on the original GH to get the correct copy. - I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
- I verified the JSDocs style guidelines (in
STYLE.md) were followed
- I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e.
- If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
- I verified that this PR follows the guidelines as stated in the Review Guidelines
- I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like
Avatar, I verified the components usingAvatarhave been tested & I retested again) - I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
- I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
- If a new component is created I verified that:
- A similar component doesn't exist in the codebase
- All props are defined accurately and each prop has a
/** comment above it */ - The file is named correctly
- The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
- The only data being stored in the state is data necessary for rendering and nothing else
- For Class Components, any internal methods passed to components event handlers are bound to
thisproperly so there are no scoping issues (i.e. foronClick={this.submit}the methodthis.submitshould be bound tothisin the constructor) - Any internal methods bound to
thisare necessary to be bound (i.e. avoidthis.submit = this.submit.bind(this);ifthis.submitis never passed to a component event handler likeonClick) - All JSX used for rendering exists in the render method
- The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
- If any new file was added I verified that:
- The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
- If a new CSS style is added I verified that:
- A similar style doesn't already exist
- The style can't be created with an existing StyleUtils function (i.e.
StyleUtils.getBackgroundAndBorderStyle(theme.componentBG)
- If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
- If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like
Avataris modified, I verified thatAvataris working as expected in all cases) - If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
- If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
- If the PR modifies the form input styles:
- I verified that all the inputs inside a form are aligned with each other.
- I added
Designlabel so the design team can review the changes.
- If a new page is added, I verified it's using the
ScrollViewcomponent to make it scrollable when more elements are added to the page. - If the
mainbranch was merged into this PR after a review, I tested again and verified the outcome was still expected according to theTeststeps. - I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.
🎀 👀 🎀 C+ reviewed
|
@MonilBhavsar Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
|
🎯 @parasharrajat, thanks for reviewing and testing this PR! 🎉 An E/App issue has been created to issue payment here: #55200. |
|
Gonna merge since everyone's signed off on this one 👍 |
|
✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release. |
|
I can review today, but don't block on me |
|
Oh I'm already late haha, my page hadn't refreshed |
|
🚀 Deployed to staging by https://github.com/NikkiWines in version: 9.0.87-0 🚀
|
|
Hmm, tested this on staging and got intermittent behavior. I captured a case where we successfully redirected back to newDot but then in the next test the behavior is not redirecting back to newDot / the cookie is not being persisted according to the logs 🤔 Does not redirect correctly Screen.Recording.2025-01-17.at.18.56.35.movRedirects correctly Screen.Recording.2025-01-17.at.19.06.24.movThat it's not consistent makes me think maybe we should revert this and figure out some way to persist the origin of the request in a more robust way. I'm really not sure why these changes would've impacted things since the callback logic is entirely unchanged but the behavior is consistent with the redirects on prod, and when I tested yesterday before this had been deployed the redirect was also consistent |
|
I'm going to prep a revert PR just in case, but I think we have a possible backend fix to persist the origin to the request more robustly. If the ends up needing to be fully reverted on Monday we can go from there. |
|
Retested this again and it's still not reliable so going to merge the revert for this (😢) and continue to investigate it. |
|
🚀 Deployed to production by https://github.com/Beamanator in version: 9.0.87-3 🚀
|
Explanation of Change
Updates the SAML login flow to use a POST request instead of opening a user-modifiable URL
Dependant on https://github.com/Expensify/Web-Expensify/pull/44462
Fixed Issues
$ Tied to https://github.com/Expensify/Expensify/issues/424196
PROPOSAL: N/A
Tests
(Internal)
Success Flow
Use Single Sign OnoptionError Flow
try{here:throw new ExpException('An error occurred while loggin in, please try again.', 403);Use Single Sign OnoptionAn error occurred while loggin in, please try again.Notes for dev testing:
For the newDot redirect to work locally you may need to hardcode the following value to
true.For mobile testing, you will need to change the url in OneLogin's Expensidev application to your ngrok url instead of
https:://www.expensify.com.dev/so that it loads correctly on the simulators. You can do that by loggin into OneLogin (using carlos@ or dbondy@ creds in 1Pass), going to Administration > Left Hamburger Menu > Applications > Applications > Expensidev Connection > Configuration and updating the urls inACS (Consumer) URL ValidatorandACS (Consumer) URLLastly, for Android mWeb, if you use
127.0.0.1:8082/for your newDot URL, you'll need to update the usage ofURL_TO_NEWDOThere to use that URL instead.(External)
Use Single Sign OnoptionOffline tests
N/A SAML is not supported offline
QA Steps
Log into New Expensify with the email [email protected]
Choose
Use Single Sign OnoptionConfirm you briefly see an interstitial page about launching your SSO provider's login portal
Enter the SSO credentials for [email protected] (in 1password under
QA OneLogin)Confirm you're redirected back to New Expensify and are logged into your account
PR Author Checklist
### Fixed Issuessection aboveTestssectionOffline stepssectionQA stepssectiontoggleReportand notonIconClick)src/languages/*files and using the translation methodSTYLE.md) were followedAvatar, I verified the components usingAvatarare working as expected)StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))Avataris modified, I verified thatAvataris working as expected in all cases)Designlabel and/or tagged@Expensify/designso the design team can review the changes.ScrollViewcomponent to make it scrollable when more elements are added to the page.mainbranch was merged into this PR after a review, I tested again and verified the outcome was still expected according to theTeststeps.Screenshots/Videos
Android: Native
Error:
Screen.Recording.2024-11-28.at.18.19.42.mov
Success:
android.success.mov
Android: mWeb Chrome
Error:
mweb.android.failure.mov
Success:
android.mweb.success.mov
iOS: Native
Error:
ios.error.mp4
Success:
ios.success.mp4
iOS: mWeb Safari
Error:
ios.mweb.error.mp4
Success:
ios.mweb.success.mp4
MacOS: Chrome / Safari
Error:
web.error.mov
Success:
web.success.mov
MacOS: Desktop
Error:
desktop.error.mov
Success:
desktop.success.mov