[HOLD for C+ newdot payment] [$500] Web - App crashes when currency in url is changed to invalid currency code

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

Action Performed:

1. Go to any chat
2. Open request money
3. Change currency in currency list
4. Notice there is a currency code in url indicating selected currency
5. (a). Now change that currency code in url to invalid currency code for example ABCD
   Another case:
6. (b). Change currency code in url to not invalid currency code but keep it 3 letters like ABC

Expected Result:

In both cases invalid currency should be ignored and default currency should be selected

Actual Result:

a) App crashes.
b) You can request money with invalid currency code

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.62.0
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Case A

Screen.Recording.2023-08-30.at.14.12.14.mov

Recording.4221.mp4

Case B

Screen.Recording.2023-08-30.at.14.13.11.mov

Recording.4223.mp4

Expensify/Expensify Issue URL:
Issue reported by: @alitoshmatov
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1693385994296529

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~0140a8a0afc8dbbe3d
• Upwork Job ID: 1698528155580948480
• Last Price Increase: 2023-09-04

[melvin-bot]

Triggered auto assignment to @kadiealexander (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[kbecciv]

Proposal by: @alitoshmatov
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1693385994296529

Proposal

Please re-state the problem that we are trying to solve in this issue.

App crashes when currency in url is changed to invalid currency code

What is the root cause of that problem?

The issue is happening because we are not checking if currency from route params is valid or not.

App/src/pages/iou/steps/NewRequestAmountPage.js

Line 85 in 28065b4

const currency = currentCurrency || iou.currency;

What changes do you think we should make in order to solve the problem?

We should introduce a process to check if currency from route param is valid or not, then accept it only if it is a valid currency if not we should fallback to default currency.
We can achieve it by introducing a new function to validate currency code when we get it from route, something like this:

function validateCurrency(route) {
  const currencyCode = lodashGet(route, 'params.currency', '');
  const currency = lodashGet(currencyList, currencyCode);
  return currency ? currencyCode : '';
}

By returning empty string, we let it fallback to default currency which

App/src/pages/iou/steps/NewRequestAmountPage.js

Line 85 in 28065b4

const currency = currentCurrency || iou.currency;

What alternative solutions did you explore? (Optional)

[kadiealexander]

Reproduced:

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~0140a8a0afc8dbbe3d

[melvin-bot]

Current assignee @kadiealexander is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane (External)

[napster125]

Proposal

Please re-state the problem that we are trying to solve in this issue.

The app crashes when the currency in the URL is changed to an invalid currency code.

What is the root cause of that problem?

We currently don't perform a check to verify whether the currency from the route parameters is valid or not.
This issue is not limited to the new money request page; it also affects the edit and confirmation money request pages.

Additionally, when the currency code length exceeds 3 characters, the app crashes due to the NumberFormatUtils.formatToParts function used in getLocalizedCurrencySymbol and isCurrencySymbolLTR functions within the CurrencyUtils.js file. The issue arises because we are not handling errors in these functions.

Here are the relevant code sections:

App/src/libs/CurrencyUtils.js

Lines 51 to 57 in ebcc8d0

	function getLocalizedCurrencySymbol(currencyCode) {
	const parts = NumberFormatUtils.formatToParts(BaseLocaleListener.getPreferredLocale(), 0, {
	style: 'currency',
	currency: currencyCode,
	});
	return _.find(parts, (part) => part.type === 'currency').value;
	}

App/src/libs/CurrencyUtils.js

Lines 75 to 83 in ebcc8d0

	function isCurrencySymbolLTR(currencyCode) {
	const parts = NumberFormatUtils.formatToParts(BaseLocaleListener.getPreferredLocale(), 0, {
	style: 'currency',
	currency: currencyCode,
	});
	// Currency is LTR when the first part is of currency type.
	return parts[0].type === 'currency';
	}

What changes do you think we should make in order to solve the problem?

We can find the relevant code here:

App/src/pages/iou/steps/MoneyRequestAmountForm.js

Line 252 in 4676492

isDisabled={!currentAmount.length || parseFloat(currentAmount) < 0.01}

App/src/libs/CurrencyUtils.js

Lines 65 to 67 in 44721d2

	function getCurrencySymbol(currencyCode) {
	return lodashGet(currencyList, [currencyCode, 'symbol']);
	}

Fortunately, we already have a function for obtaining the currency symbol. If the currency symbol is undefined, it signifies that the currency is invalid. While we could create a custom validation function for currency, I believe it would be more consistent and simpler to add the validation logic for currency to the submit button in the MoneyRequestAmountForm.

isDisabled={!currentAmount.length || parseFloat(currentAmount) < 0.01 || !CurrencyUtils.getCurrencySymbol(currency)}

We can also use a default value when CurrencyUtils.getCurrencySymbol(currency) returns undefined.

App/src/pages/iou/steps/MoneyRequestAmountForm.js

Line 223 in ebcc8d0

selectedCurrencyCode={currency}

selectedCurrencyCode={CurrencyUtils.getCurrencySymbol(currency) ? 'USD' : currency}

Considering the second issue, we have two options for addressing it within the functions in the CurrencyUtils.js file:

First, we can employ the try/catch syntax.
Second, we can utilize a default currency code such as USD.

For example:

currency: !getCurrencySymbol(currencyCode) ? 'USD' : currencyCode,

I would prefer the second option because it's simpler and more straightforward.

What alternative solutions did you explore? (Optional)

Alternatively, we can include form helper text in our money request form to display the error using the proposed validation logic.

Result:

[melvin-bot]

@sobitneupane, @kadiealexander Still overdue 6 days?! Let's take care of this!

[melvin-bot]

@sobitneupane, @kadiealexander 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[sobitneupane]

Thanks for the proposal @alitoshmatov and @napster125 .

I believe it's better idea to show default currency instead of disabling the button.

So, proposal from @alitoshmatov looks good to me. @alitoshmatov Let's make sure to handle the case in edit and confirmation money request page as well if it exists.

🎀 👀 🎀 C+ reviewed

[MonilBhavsar]

I believe it's better idea to show default currency instead of disabling the button.

👍

Proposal looks good, though I think validateCurrency should only return boolean if currency is valid. We can address that in a PR.

[MonilBhavsar]

@alitoshmatov needs to comment on this issue, so I can assign them.

[alitoshmatov]

@MonilBhavsar 👋

[melvin-bot]

📣 @sobitneupane Please request via NewDot manual requests for the Reviewer role ($500)

[melvin-bot]

❌ There was an error making the offer to @alitoshmatov for the Contributor role. The BZ member will need to manually hire the contributor. cc @thienlnam

[melvin-bot]

❌ There was an error making the offer to @alitoshmatov for the Reporter role. The BZ member will need to manually hire the contributor. cc @thienlnam

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.73-1 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Added a function to validate currency code from route #27550

If no regressions arise, payment will be issued on 2023-10-02. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @sobitneupane does not require payment (Eligible for Manual Requests)
• @alitoshmatov requires payment
• @alitoshmatov requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@sobitneupane] The PR that introduced the bug has been identified. Link to the PR:
• [@sobitneupane] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@sobitneupane] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@sobitneupane] Determine if we should create a regression test for this bug.
• [@sobitneupane] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@kadiealexander] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[MonilBhavsar]

Awaiting payment and need to complete checklist here

[alitoshmatov]

Applied to the upwork job since automation didn't work

[kadiealexander]

Payouts due:

• Issue Reporter: $50 @alitoshmatov
• Contributor: $500 @alitoshmatov
• Contributor+: $500 @sobitneupane

Eligible for 50% #urgency bonus? No

Upwork job is here.

[kadiealexander]

@alitoshmatov could you please apply here? https://www.upwork.com/jobs/~0196e99f5c78661337

[alitoshmatov]

@kadiealexander Applied

[kadiealexander]

@alitoshmatov sent you a contract!

[alitoshmatov]

@kadiealexander Accepted contract

[sobitneupane]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@sobitneupane] The PR that introduced the bug has been identified. Link to the PR:

#23979

• [@sobitneupane] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:

#23979 (comment)

• [@sobitneupane] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

This is an edge case and could have easily missed in PR review.

• [@sobitneupane] Determine if we should create a regression test for this bug.

Yes.

• [@sobitneupane] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

#26619 (comment)

[sobitneupane]

Regression Test Proposal

1. Go to any chat
2. Open request money
3. Change currency code
4. Notice there is a currency code in url indicating selected currency
5. Now change that currency code in url to invalid currency code (for example: ABCD and ABC)
6. Make sure this invalid currency code is not applied and default currency code is selected

Do we agree 👍 or 👎

[MonilBhavsar]

Looks good 👍
Thank you!

[sobitneupane]

#26619 (comment)

Requested payment on newDot

[JmillsExpensify]

$500 payment approved for @sobitneupane based on BZ summary.