[HOLD for payment 2023-10-23] [HOLD for payment 2023-10-23] [HOLD for payment 2023-10-20] [HOLD for payment 2023-10-20] [$500] Security - 2FA Security codes copied as white text and appear as a white text on notepad/email/docs with white background

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. Open Expensify App and navigate to Settings -> Security -> Two Factor Authentication
2. Security Codes appears to be copied
3. Click "Copy" button
4. Open Google docs OR email OR Notepad
5. Paste copied codes
6. Codes pasted with white text color

Expected Result:

Codes should paste as black text color because most of the editors have white background.

Actual Result:

Codes appear as white text color

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.73.0
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

2fa_white_text_color.mov

Recording.4731.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ufumerfarooq
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1695373596523109

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~0121601c821eb709ec
• Upwork Job ID: 1706310213513129984
• Last Price Increase: 2023-10-02

[melvin-bot]

Triggered auto assignment to @michaelhaxhiu (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~0121601c821eb709ec

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[melvin-bot]

Triggered auto assignment to @CortneyOfstad (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @robertKozik (External)

[bojangabric]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Two-factor authentication recovery codes are showing up as white when copied. They should be black because usually other editors have white background.

What is the root cause of that problem?

Two-factor authentication recovery codes are displayed in white color, when copying them through setString from react-native-web, it keeps the same color.

What changes do you think we should make in order to solve the problem?

I propose to add node.style.color = 'black'; to function setString in package react-native-web.

File: react-native-web/packages/react-native-web/src/exports/Clipboard/index.js

What alternative solutions did you explore? (Optional)

I explored also swapping the setString with setHTML. This also works, but we would to need refactor setHtml a bit, so it doesn't look weird when calling it. Without refactoring it would look like this Clipboard.setHtml(account.twoFactorAuthSecretKey, account.twoFactorAuthSecretKey).

Another thing I explored was to copy strings without any formatting, need to look more into this.

[ZhenjaHorbach]

Proposal

Please re-state the problem that we are trying to solve in this issue

After copying secret words They save styles

What is the root cause of that problem?

Clipboard.setString save styles after coping

What changes do you think we should make in order to solve the problem?

In browsers we have method navigator.clipboard.writeText;

Which we can use instead Clipboard.setString

App/src/libs/Clipboard/index.js

Line 110 in 38030f8

Clipboard.setString(text);

What alternative solutions did you explore? (Optional)

NA

[b4s36t4]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Security - 2FA Security codes copied as white text and appear as a white text on notepad/email/docs with white background

What is the root cause of that problem?

We use setString to set the contents to clipboard, but the main issue relies on the Clipboard that got exported by react-native web which does create a new empty node and add a styling to it and running copy.

basically because of Clipboard coming from react-native-web is creating HTML even for small string which wrong and not good way to copy the content.

https://github.com/necolas/react-native-web/blob/master/packages/react-native-web/src/exports/Clipboard/index.js

We have navigator.clipboard api in modern browser which we can use.

What changes do you think we should make in order to solve the problem?

1. We should raise an upstream bug and resolve it there.

2. Update the clipboard file's code to use navigator.clipboard with checking the availability of backward compatibility

3. Upgrade @react-native-community/clipboard package which now has support for web as well.

package got renamed to @react-native-clipboard/clipboard

https://github.com/react-native-clipboard/clipboard/blob/master/src/Clipboard.web.ts which supports backward comparability for browsers as well.

I do recommend third option which is reliable and perfect fix.

What alternative solutions did you explore? (Optional)

NA

[CortneyOfstad]

@michaelhaxhiu there is a known issue with duplicate assignments taking place via the external label for BZ — so removing my assignment 👍

[melvin-bot]

⚠️ Invalid email. Please make sure to create an Expensify account with this email first here.

[ufumerfarooq]

Contributor details
Your Expensify account email: [email protected]
Upwork Profile Link: https://www.upwork.com/freelancers/~01f33604ffac4199da

[melvin-bot]

⚠️ Missing/invalid email or upwork profile link. Please make sure you add both your Expensify email and Upwork profile link in the format specified.

[ufumerfarooq]

Contributor details
Your Expensify account email: [email protected]
Upwork Profile Link: https://www.upwork.com/freelancers/~01f33604ffac4199da

[melvin-bot]

⚠️ Missing/invalid email or upwork profile link. Please make sure you add both your Expensify email and Upwork profile link in the format specified.

[ufumerfarooq]

Contributor details
Your Expensify account email: [email protected]
Upwork Profile Link: https://www.upwork.com/freelancers/~01f33604ffac4199da

[melvin-bot]

✅ Contributor details stored successfully. Thank you for contributing to Expensify!

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.83-11 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: native clipboard version bump #29119

If no regressions arise, payment will be issued on 2023-10-20. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @b4s36t4 requires payment
• @robertKozik does not require payment (Contractor)
• @ufumerfarooq requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@robertKozik] The PR that introduced the bug has been identified. Link to the PR:
• [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@robertKozik] Determine if we should create a regression test for this bug.
• [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@NicMendonca] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.83-11 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: native clipboard version bump #29119

If no regressions arise, payment will be issued on 2023-10-20. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @b4s36t4 requires payment
• @robertKozik does not require payment (Contractor)
• @ufumerfarooq requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@robertKozik] The PR that introduced the bug has been identified. Link to the PR:
• [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@robertKozik] Determine if we should create a regression test for this bug.
• [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@NicMendonca] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.84-10 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: native clipboard version bump #29119

If no regressions arise, payment will be issued on 2023-10-23. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @b4s36t4 requires payment
• @robertKozik does not require payment (Contractor)
• @ufumerfarooq requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@robertKozik] The PR that introduced the bug has been identified. Link to the PR:
• [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@robertKozik] Determine if we should create a regression test for this bug.
• [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@NicMendonca] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.84-10 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: native clipboard version bump #29119

If no regressions arise, payment will be issued on 2023-10-23. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @b4s36t4 requires payment
• @robertKozik does not require payment (Contractor)
• @ufumerfarooq requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@robertKozik] The PR that introduced the bug has been identified. Link to the PR:
• [@robertKozik] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@robertKozik] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@robertKozik] Determine if we should create a regression test for this bug.
• [@robertKozik] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@NicMendonca] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[NicMendonca]

@ufumerfarooq sent you offer!

@b4s36t4 can you please apply to the job: https://www.upwork.com/jobs/~0121601c821eb709ec

[ufumerfarooq]

Offer accepted

[b4s36t4]

@NicMendonca Accepted. Thanks :)

[melvin-bot]

@tgolen, @NicMendonca, @b4s36t4, @robertKozik Whoops! This issue is 2 days overdue. Let's get this updated quick!

[NicMendonca]

sorry for the delay! everyone has now been paid. Thanks!!

[NicMendonca]

@b4s36t4 you got it!