Fix the iou request for "unknown" users

[ShogunFire]

Details

Due to the privacy changes, the login is null for users that haven't sent message to us so when we made an iou request the payerEmail sent to the api was null which was creating an error. Since we are actively creating a request or creating a chat with this user using his email/phone, we can use that as the payerEmail when there is no login

Fixed Issues

$ #22884
PROPOSAL: #22884 (comment)

Tests

1. Create a chat with a user that you have never sent a message to
2. In this chat, click on + and make an iou request
3. Send some message.
4. Request money again.
5. Verify that there is only one IOU Preview and that it is the last message, also verify that there are two replies below this preview

• Verify that no errors appear in the JS console

Offline tests

1. While offline create a chat with a user that you have never sent a message to
2. In this chat, click on + and make an iou request
3. Send some message.
4. Request money again.
5. Verify that there is only one IOU Preview and that it is the last message
6. Come back online and verify that the iou preview now has 2 replies

QA Steps

1. Create a chat with a user that you have never sent a message to
2. In this chat, click on + and make an iou request
3. Send some message.
4. Request money again.
5. Verify that there is only one IOU Preview and that it is the last message, also verify that there are two replies below this preview

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that the left part of a conditional rendering a React component is a boolean and NOT a string, e.g. myBool && <MyComponent />.
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I verified the translation was requested/reviewed in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is approved by marketing by adding the Waiting for Copy label for a copy review on the original GH to get the correct copy.
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If a new component is created I verified that:
  • A similar component doesn't exist in the codebase
  • All props are defined accurately and each prop has a /** comment above it */
  • The file is named correctly
  • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
  • The only data being stored in the state is data necessary for rendering and nothing else
  • If we are not using the full Onyx data that we loaded, I've added the proper selector in order to ensure the component only re-renders when the data it is using changes
  • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
  • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
  • All JSX used for rendering exists in the render method
  • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(themeColors.componentBG))
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I have checked off every checkbox in the PR author checklist, including those that don't apply to this PR.

Screenshots/Videos

Web

2023-08-09.19-14-26.mp4

Mobile Web - Chrome

2023-08-09.19-23-44.mp4

Mobile Web - Safari

2023-08-09.21-07-38.mp4

Desktop

2023-08-09.21-02-32.mp4

iOS

2023-08-09.20-57-26.mp4

Android

2023-08-10.11-05-47.mp4

[melvin-bot]

@thesahindia Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[ShogunFire]

I think it's already working for split which for some reasons still has the email in the logins, buildOptimisticIOUReport is also used for sendMoney but if I am not mistaken this functionality is disabled.

[ShogunFire]

PR ready for review

[melvin-bot]

@parasharrajat Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[parasharrajat]

Reviewed the issue. Reviewing PR now.

[parasharrajat]

I am not 100% into this solution. Although it solves this issue it does not solve the root cause. There will be more cases where the same root cause can become another issue.

IMO, we should set the login to the default email for optimistic accounts.

[ShogunFire]

I agree with you, I had sent this on slack for another issue: https://expensify.slack.com/archives/C01GTK53T8Q/p1690214768266839

I was saying if we create the chat with another user, we know his login already so there is no point in hiding it. It looks like this weird behaviour was intended so I don't know...

[jasperhuangg]

What is the default email that you are referring to?

[parasharrajat]

The one that we invited.

[ShogunFire]

So what do we decide ? Or who could help deciding ?

[parasharrajat]

I would love to see an analysis of alternatives if any. I will give it a thought over weekend and then share update on Monday.

[ShogunFire]

Honestly I don't see any alternative if we keep the privacy change as it is

[parasharrajat]

Again, the concept of unknownPayerEmail does not make sense. You are building an iou and the payer is unknown....

[mountiny]

Yeah I can see why this does not look ideal, I think we however need to make a change like this right now and document it better to make it clear why we are doing this. It might be temporary but worth it.

[mountiny]

@ShogunFire @parasharrajat we also need the same fix for Split bill right?

[mountiny]

Lets just call it payerEmail, but in the docs explain the situation

Suggested change

	function buildOptimisticIOUReport(payeeAccountID, payerAccountID, total, chatReportID, currency, isSendingMoney = false, unknownPayerEmail = '') {
	function buildOptimisticIOUReport(payeeAccountID, payerAccountID, total, chatReportID, currency, isSendingMoney = false, payerEmail = '') {

[ShogunFire]

There is already a payerEmail variable in the function, checking if we need it now

[ShogunFire]

@ShogunFire @parasharrajat we also need the same fix for Split bill right?

̶I̶ ̶t̶h̶i̶n̶k̶ ̶y̶e̶s̶.̶ ̶A̶c̶t̶u̶a̶l̶l̶y̶ ̶I̶ ̶w̶a̶n̶t̶e̶d̶ ̶t̶o̶ ̶r̶e̶v̶e̶r̶i̶f̶y̶ ̶t̶h̶i̶s̶ ̶b̶u̶t̶ ̶t̶h̶e̶r̶e̶ ̶s̶e̶e̶m̶s̶ ̶t̶o̶ ̶b̶e̶ ̶a̶n̶o̶t̶h̶e̶r̶ ̶e̶r̶r̶o̶r̶ ̶r̶i̶g̶h̶t̶ ̶n̶o̶w̶ ̶w̶h̶e̶n̶ ̶w̶e̶ ̶s̶p̶l̶i̶t̶ ̶b̶i̶l̶l̶ ̶w̶i̶t̶h̶ ̶u̶n̶k̶n̶o̶w̶n̶ ̶u̶s̶e̶r̶s̶ ̶d̶u̶e̶ ̶t̶o̶ ̶f̶o̶r̶m̶a̶t̶i̶n̶g̶ ̶"̶u̶s̶e̶r̶1̶ ̶a̶n̶d̶ ̶u̶s̶e̶r̶ ̶2̶"̶ ̶w̶h̶e̶n̶ ̶t̶h̶e̶y̶ ̶d̶o̶n̶'̶t̶ ̶h̶a̶v̶e̶ ̶l̶o̶g̶i̶n̶ ̶h̶e̶r̶e̶:̶ ̶h̶t̶t̶p̶s̶:̶/̶/̶g̶i̶t̶h̶u̶b̶.̶c̶o̶m̶/̶E̶x̶p̶e̶n̶s̶i̶f̶y̶/̶A̶p̶p̶/̶b̶l̶o̶b̶/̶e̶3̶0̶7̶4̶c̶4̶9̶a̶7̶9̶3̶8̶b̶9̶d̶9̶7̶8̶b̶4̶8̶7̶2̶1̶f̶d̶b̶a̶d̶d̶8̶9̶8̶0̶b̶f̶6̶4̶4̶/̶s̶r̶c̶/̶l̶i̶b̶s̶/̶a̶c̶t̶i̶o̶n̶s̶/̶I̶O̶U̶.̶j̶s̶#̶L̶6̶1̶5̶-̶L̶6̶1̶7̶ ̶

EDIT: I was looking at prod but this has already been fixed in main

Anyways I will Make the change because yes I think it's necessary

[mountiny]

Yep I think thats highly possible and we should try to make it safely accessed so it looks fine at the same time

[ShogunFire]

Ok I made some changes, I made payerEmail required parameter and removed the one that was in the function, tell me what you think.

Also I am not sure why this PR still thinks there is conflict, I think I resolved them already

[ShogunFire]

@dukenv0307 has a good point here: #23038 (comment) That method doesn't work if the user changed his display name.

I have another sketchy method that seem to work for all users,
When the user change his display name the only place where we can find his email seem to be in report.participants, unfortunely this is just a list of all emails of the report without any way to search a specific user, but the order of report.participants seem to be the same than the order of report.participantAccountIDs. So in navigateToNextPage here

App/src/libs/actions/IOU.js

Lines 1789 to 1794 in 5a373bf

	const participants = ReportUtils.isPolicyExpenseChat(report)
	? [{reportID: report.reportID, isPolicyExpenseChat: true, selected: true}]
	: _.chain(report.participantAccountIDs)
	.filter((accountID) => currentUserAccountID !== accountID)
	.map((accountID) => ({accountID, selected: true}))
	.value();

, we can set the login of the participants like this:

var participants = [];

           
for (let i = 0; i < report.participantAccountIDs.length; i++) {
  const accountID = report.participantAccountIDs[i];
  if (currentUserAccountID !== accountID){
      participants.push({accountID, selected: true, login: report.participants[i]})
  }
}

If we don't want to put it in the login field (to not have to display it) we will have to create another field
If we go with that method, the other changes are unnecessary

[ShogunFire]

Otherwise I recommend this but it would take way more effort and time:

"I have a proposition about the privacy change that is causing so many issues. Why don't we create another field email or privateLogin that we will never display and if needed we can even encrypted it so that it doesn't appear in the network. And use that field to do all the things that we are currently doing with the login field"

[mountiny]

Argh I hate this thing, I think we discussed this couple of times but it was deprioritized.

could we maybe just Blcok requesting money from chat with user where we dont have email, ie you can request from Global create from anyone but you cannot keep requesting until that perosn responds to you within the chat

[ShogunFire]

I made the change

[ShogunFire]

There seems to have an issue, when we create a chat with a unknown user the money request option is showing for a few seconds (probably until the server response) I will try to fix that

[ShogunFire]

:( so in getOptions we add the login to the userToInviteOption, I don't think it is safe to remove that

App/src/libs/OptionsListUtils.js

Line 833 in 9a0dd42

userToInvite.login = searchValue;

So maybe we can also prevent money request if the report is optimistic, is there a reason we don't add isOptimisticReport: true in this method:

App/src/libs/ReportUtils.js

Line 2199 in 9a0dd42

function buildOptimisticChatReport(

[mountiny]

@ShogunFire thanks for trying

I think we can hold on this one until we have a clearer plan as it does not seem as ultimately the best direction to head into.

[ShogunFire]

Can I try one last thing ? I can start implementing this

Why don't we create another field email or privateLogin that we will never display and if needed we can even encrypted it so that it doesn't appear in the network. And use that field to do all the things that we are currently doing with the login field

I don't think I need back end changes, I can just fill the new field optimistically with the login here:

App/src/libs/actions/Report.js

Lines 496 to 502 in 867d61e

	optimisticPersonalDetails[accountID] = allPersonalDetails[accountID] || {
	login,
	accountID,
	avatar: UserUtils.getDefaultAvatarURL(accountID),
	displayName: login,
	isOptimisticPersonalDetail: true,
	};

Then for the payerEmail I can use that field instead of login or text here:

App/src/libs/actions/IOU.js

Line 308 in 40f354b

const payerEmail = OptionsListUtils.addSMSDomainIfPhoneNumber(participant.login);

[ShogunFire]

That would not work if you change platforms though but I think that's a good beginning

[mountiny]

the best solution so far is to update those flows to work with accountIDs as we have those, I think any other proposed solution so far is quite "dirty"

[ShogunFire]

The accountIDs created optimistically and returned by the backend can be different right ? Then I don't know how making iou request offline based on something that can change would work. Anyways, seems like there is not much I can do right now if we go with that option

[mountiny]

@ShogunFire you are right, that is one of the challenges there

[mountiny]

This is the issue #22480

[mountiny]

The accountIDs created optimistically and returned by the backend can be different right ? Then I don't know how making iou request offline based on something that can change would work. Anyways, seems like there is not much I can do right now if we go with that option

I think we would have to use both email and accountID. AccountID would be a fallback, when you are creating this offline you know the email so you can use that, then once you sign out and sign back in you had to be online and you had to get the correct accountID

[ShogunFire]

Honestly it doesn't seem like a pretty solution. I feel like the privacy change should have just been a display issue. Not displaying the login, but still using it.

I would personally prefer to have an email field that we would never display or a boolean shouldDisplayLogin field. It would require way less changes and seems like an easier solution.

[mountiny]

Not displaying the login, but still using it.

this would not prevent people from just scraping the contact details from the public chat rooms, we cannot return this data from BE

[ShogunFire]

Even if we encrypt it ?

[mountiny]

I think that was one of the options when the project was planned but it was not chosen for reasons I am not familiar with

[mountiny]

Lets close this PR for now @ShogunFire thanks for your work, we can discuss a partial reward in the issue