[$500] [Awaiting Payment]2FA login - Error message shows incorrect 2FA code when incorrect recovery code is used

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Issue found when executing PR #23390

Action Performed:

Precondition:

• User has set up 2FA and saved the recovery codes.
• User has previously used one of the recovery codes.

1. Go to login page.
2. Enter email and magic code.
3. Click Use recovery code.
4. Use the recovery code that has already been used before.
   5.Click Sign in.

Expected Result:

The error message mentions incorrect recovery code.

Actual Result:

The error message mentions two-factor authentication code instead of recovery code.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.73.0
Reproducible in staging?: y
Reproducible in production?: new feature
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Bug6210906_20230922_222809.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ayazhussain79
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1695308760173509

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~011dfd59ea4353f356
• Upwork Job ID: 1711516319487270912
• Last Price Increase: 2023-10-09

[OSBotify]

👋 Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open StagingDeployCash deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

1. Identify the pull request that introduced this issue and revert it.
2. Find someone who can quickly fix the issue.
3. Fix the issue yourself.

[melvin-bot]

Triggered auto assignment to @chiragsalian (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[mountiny]

@alitoshmatov @abdulrahuman5196 @MonilBhavsar Seems like a regression from your PR?

I dont think this is that important though to be a blocker, its not blocking user from logging in and also its rare to use recovery code and the one you have already used. Demoting to a bug and we should fix this probably as a regression from the PR

[melvin-bot]

Triggered auto assignment to @puneetlath (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[alitoshmatov]

@mountiny This error message is sent from the backend for used recovery code, also the same api is used to verify 2fa code and recovery code. Noticed it in original PR but forgot to mention it.

[mountiny]

Thats ok, we can make this internal if we can debug this, but this probably should have been raised during the PR review

[melvin-bot]

Triggered auto assignment to @joaniew (Waiting for copy), see https://stackoverflow.com/c/expensify/questions/7025/ for more details.

[MonilBhavsar]

@joaniew

In olddot, error message looks like

And in newDot, I propose to use the following -

Could you please confirm. Thank you! cc @srikarparsi

[ghost]

@MonilBhavsar I'm a bit confused what you're proposing.. just want to double check - you're showing a version with the authenticator and one version with the recovery code?

Where it says Please enter a valid two-factor authentication or recovery code - do we want to specify so that when it's the authenticator, you only see the authenticator copy? eg. it says Please enter a valid two-factor authentication code

For recovery code: Please enter a valid recovery code

I think that specification is nicer

[MonilBhavsar]

PR is deployed to prod. @puneetlath assigning you the issue as you were assigned as a part of Bugzero team.
We need to pay bug reporter @ayazhussain79
Everything else was internal

[ayazhussain79]

@MonilBhavsar commented for reporting bonus

[melvin-bot]

Unable to auto-create job on Upwork. The BZ team member should create it manually for this issue. cc @thienlnam

[melvin-bot]

Current assignee @abdulrahuman5196 is eligible for the External assigner, not assigning anyone new.

[puneetlath]

Upwork seems to be having issues. Will try again later.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~011dfd59ea4353f356

[melvin-bot]

Current assignee @abdulrahuman5196 is eligible for the External assigner, not assigning anyone new.

[puneetlath]

@ayazhussain79 sent you an offer.

[ayazhussain79]

@puneetlath offer accepted, Thank you

[puneetlath]

All paid!