Fix forgot password functionality for validated logins

[Jag96]

Details

This PR fixes a deploy blocker and fixes the error mentioned in https://github.com/Expensify/App/pull/5218/files#r712306088. Note this PR does not implement the graceful handling of error messages and resending the validation link, it only fixes the issue preventing non-validated accounts to set a new password.

Fixed Issues

$ #5384

Tests

Run the tests from #5218 to confirm no regressions

1. Create an email using EmailOnDeck.
2. Create and validate the account via ./script/clitools.sh generator:account, then run ./script/clitools.sh generator:domain to generate a domain with it as its admin.
3. Create another email using EmailOnDeck. If you create the account in the same day it should have the same domain.
4. Add this account to the DEV_EMAILS const in _.config.local.php.
5. Use this account to sign up for NewDot (don't use any clitools scripts to validate the account). Then, run vssh php ./Web-Expensify/script/notifyall.php.
6. You should get an email in EmailOnDeck. Use the link in the email to set a password.
   • You might have to modify the link format, make sure it's in this format: <baseURL>/setpassword/<accountID>/<validateCode>.
7. Populate the password fields and complete the form. You should get logged in.

Confirm already validated logins can continue to newdot after using a new validate link

1. Ask for a reset password link on the sign-in page for an already validated account, click the link in your email
2. Confirm you can set a new password and continue into newdot

QA Steps

1. Enter email into NewDot sign in screen
2. Select "forgot"
3. Select the link in email
4. Enter new password
5. Continue you can move forward

And regressions on staging:

1. With a fresh email (with no account) in a controlled domain (expensifail should work fine), try to create a new account in newdot.
2. You should get a magic link in your email. Make sure it points to newdot and not oldDot (this is a different bug currently being fixed in another PR). The format should be new.expensify.com/setpassword//. If it isn't, just change it to that format.
3. Populate the password fields and submit the form.
4. You should get logged in.

Tested On

• Web
• Mobile Web
• Desktop
• iOS
• Android

Screenshots

Web

Mobile Web

Desktop

iOS

Android

[marcaaron]

LGTM and tests well for all cases:

1. New user sign up + set password
2. Resend validate code for unvalidated user
3. Reset password for validated user

[Jag96]

Adding CP staging label to fix the deploy blocker

[github-actions]

⚠️ ⚠️ Heads up! This pull request has the CP Staging label. ⚠️ ⚠️
Merging it will cause it to be immediately deployed to staging, even if the open StagingDeployCash deploy checklist is locked.

[OSBotify]

🚀 Cherry-picked to staging by @Jag96 in version: 1.1.0-2 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

@Expensify/applauseleads please QA this PR and check it off on the deploy checklist if it passes.

[isagoico]

While retesting this on iOS and Android. I'm unable to proceed after setting up the new passwords. I'm getting the same message in Android and in iOS there no message at all (Getting the videos)

In Web it was a pass 🎉

[isagoico]

Ok so just as I was recording the issue I was unable to reproduce anymore 🤯 Checking with the team if this is a pass or not just to double check

[Jag96]

I just tested and confirmed it worked w/ my expensifail account. Note that if you click the same link a 2nd time the error message won't show up, this is the same behavior that existed before the issue and will be updated in #5406.

[isagoico]

Yeah I just tested again and it was a pass too. Checking this off the list 🎉

[OSBotify]

🚀 Deployed to production by @Jag96 in version: 1.1.0-2 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

[OSBotify]

🚀 Deployed to staging by @Jag96 in version: 1.1.0-3 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

[kevinksullivan]

@Jag96 both @MitchExpensify and I were running into issues here.

1. Sign up via staging.NewDot
2. Click magic link in email
3. Get brought to https://new.expensify.com/setpassword/
4. Save password
5. Loading spinner, cannot login

1. Enter existing email in staging ([email protected])
2. Choose forgot password
3. Click magic link
4. Enter new password
5. Loading spinner, cannot login

This should be working correctly since the changes are on prod, right?

[MitchExpensify]

Same for [email protected] just now

[kevinksullivan]

I also had no issues validating or resetting password on OldDot, so this seems directly tied to this PR. Let us know if we're missing something or if we can provide any other info here.

[MonilBhavsar]

Looking into it

[MonilBhavsar]

Can see 404 on prod and stag, it's treating validateCode as new resource. But I'm able to reset the password. Tested on staging, prod and dev. Diving into it.

GET https://new.expensify.com/setpassword/10022784/CLCICXGKJ 404

[kevinksullivan]

Ok so here is what we've found. There are two issues, each reproducible on staging:

ISSUE 1 - the password is getting set in the backend but users don't get signed into their account as expected.

Reproduction steps:

1. Sign up with new account on staging
2. Go to email and click validation link
3. Enter new password and click "Set password", get stuck on infinite loading screen
4. Password is actually set on backend, but page doesn't react and seems to error out
5. Exit, return to staging.new.expensify.com , and successfully login with user name and password entered in (3)

ISSUE 2 - when hitting the loading screen, users can click "Set Password" repeatedly, which triggers OldDot validation links

1. Sign up with new account on staging
2. Go to email and click validation link
3. Enter new password and click "Set password", get stuck on infinite loading screen
4. Refresh the screen, you see the password field and click "Set password"
5. The button still doesn't work and triggers more magic links, which direct to OldDot.

[OSBotify]

🚀 Deployed to production by @Jag96 in version: 1.1.1-8 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅