Add iOS and Android view for SAML Login

[NikkiWines]

Details

Adds SAML sign in flow for iOS and Android platforms. Tied to backend changes from here

Fixed Issues

$ #28217
PROPOSAL: N/A

Tests

(Internal - ios and android native app only)

1. Follow steps in https://github.com/Expensify/Web-Expensify/pull/38972 to get set up with SAML locally
2. Configure your account to have SAML enabled but not required in oldDot
3. Enter the email for your account in newDot
4. Confirm you see the option to choose to sign in with SAML or with a magic code
5. Choose the Go Back option and confirm you're dropped back on the sign-in page with your email pre-filled
6. Press Continue
7. Choose the Use Magic Code option and confirm you get a magic code sent to your email
8. Press Go Back and confirm you're back on the sign-in page with your email pre-filled
9. Press Continue
10. Choose Use Single Sign On option
11. Confirm you briefly see an interstitial page about launching your SSO provider's login portal
12. Click the < in the top left
13. Confirm you're taken back to sign in page with your login pre-filled
14. Press Continue
15. Choose Use Single Sign On again
16. Enter your SSO credentials
17. Confirm you're redirected back (with a brief view notifying you that you're being redirected) to New Expensify and are logged into your account
18. In oldDot, set SAML to required
19. In a new incognito window, open New Expensify and enter your email address
20. Confirm you're automatically redirected to your SSO providers login page (with the interstitial page being briefly shown)
21. Enter your credentials, and confirm you're redirected back (with a brief view notifying you that you're being redirected) to New Expensify and that you're successfully logged in.

(External - ios and android native app only)

1. Create an account with a validated domain on expensify.com
2. Configure your account to have SAML enabled but not required
3. Enter the email for your account in New Expensify
4. Confirm you see the option to choose to sign in with SAML or with a magic code
5. Choose the Go Back option and confirm you're dropped back on the sign-in page with your email pre-filled
6. Press Continue
7. Choose the Use Magic Code option and confirm you get a magic code sent to your email
8. Press Go Back and confirm you're back on the sign-in page with your email pre-filled
9. Press Continue
10. Choose Use Single Sign On option
11. Confirm you briefly see an interstitial page about launching your SSO provider's login portal
12. Click the < in the top left
13. Confirm you're taken back to sign in page with your login pre-filled
14. Press Continue
15. Choose Use Single Sign On again
16. In expensify.com, set SAML to required
17. Confirm you briefly see an interstitial page about launching your SSO provider's login portal
18. In a new incognito window, open New Expensify and enter your email address
19. Confirm you're automatically redirected to your SSO providers login page (with the interstitial page being briefly shown)

• Verify that no errors appear in the JS console

Offline tests

1. Navigate to the login page for New Expensify and enter your email for a SAML enabled account
2. Confirm you see the option to select a magic code or log in via SSO
3. Disable your wifi or disable your network connections
4. Confirm you see the offline indicator

QA Steps

Same as test steps

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that the left part of a conditional rendering a React component is a boolean and NOT a string, e.g. myBool && <MyComponent />.
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I verified the translation was requested/reviewed in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is approved by marketing by adding the Waiting for Copy label for a copy review on the original GH to get the correct copy.
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.js or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(themeColors.componentBG))
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

SAML Enabled

SAML Required

Android: mWeb Chrome

N/A

iOS: Native

SAML Enabled

Simulator.Screen.Recording.-.iPhone.14.-.2023-10-30.at.16.25.29.mp4

SAML Required

Simulator.Screen.Recording.-.iPhone.14.-.2023-10-30.at.17.01.10.mp4

iOS: mWeb Safari

N/A

MacOS: Chrome / Safari

N/A

MacOS: Desktop

N/A

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Pages

Latest commit:	8991e7e
Status:	✅  Deploy successful!
Preview URL:	https://61bf3dc3.helpdot.pages.dev
Branch Preview URL:	https://nikki-saml-newdot-ios.helpdot.pages.dev

View logs

[cdanwards]

@NikkiWines looking great! I was thinking about it, and I'm not sure that we need to navigate after authentication. The navigation stacks will be swapped out PublicScreens -> AuthScreens so this might not be needed? Our SAML setup is still not working correctly, would you mind testing? Also I saw that the error handling wasn't brought over, is that a TODO I could help with?

[NikkiWines]

I was thinking about it, and I'm not sure that we need to navigate after authentication. The navigation stacks will be swapped out PublicScreens -> AuthScreens so this might not be needed?

Oh yeah, good point - let's remove that option once they're authenticated. Though, I'd say that's more of a polish than a real blocker for this one

Also I saw that the error handling wasn't brought over, is that a TODO I could help with?

Oh oops! I definitely meant to include this in the logic I pulled from your PR. Let me add it now

[NikkiWines]

(oops)

[fedirjh]

@NikkiWines I think this is not required. With this code, on login failure, the App lands on an empty screen.

CleanShot.2023-11-17.at.23.11.13.mp4

---

I tried to fix it with this code. We need to verify whether the user has initiated the SAML login process and, if an error has occurred, display the login form to handle the error presentation.

diff --git a/src/pages/signin/SignInPage.js b/src/pages/signin/SignInPage.js
index ce70e548df..2b88e2d346 100644
--- a/src/pages/signin/SignInPage.js
+++ b/src/pages/signin/SignInPage.js
@@ -97,6 +97,7 @@ function getRenderOptions({hasLogin, hasValidateCode, account, isPrimaryLogin, i
     const isSAMLEnabled = Boolean(account.isSAMLEnabled);
     const isSAMLRequired = Boolean(account.isSAMLRequired);
     const hasEmailDeliveryFailure = Boolean(account.hasEmailDeliveryFailure);
+    const hasLoginError = !_.isEmpty(account.errors);
 
     // True if the user has SAML required and we haven't already initiated SAML for their account
     const shouldInitiateSAMLLogin = hasAccount && hasLogin && isSAMLRequired && !hasInitiatedSAMLLogin && account.isLoading;
@@ -109,7 +110,7 @@ function getRenderOptions({hasLogin, hasValidateCode, account, isPrimaryLogin, i
         Session.clearSignInData();
     }
 
-    const shouldShowLoginForm = isClientTheLeader && !hasLogin && !hasValidateCode;
+    const shouldShowLoginForm = isClientTheLeader && ((!hasLogin && !hasValidateCode) || hasInitiatedSAMLLogin && hasLoginError);
     const shouldShowEmailDeliveryFailurePage = hasLogin && hasEmailDeliveryFailure && !shouldShowChooseSSOOrMagicCode && !shouldInitiateSAMLLogin;
     const isUnvalidatedSecondaryLogin = hasLogin && !isPrimaryLogin && !account.validated && !hasEmailDeliveryFailure;
     const shouldShowValidateCodeForm =
@@ -192,9 +193,6 @@ function SignInPage({credentials, account, isInModal, activeClients, preferredLo
     if (shouldInitiateSAMLLogin) {
         setHasInitiatedSAMLLogin(true);
         Navigation.isNavigationReady().then(() => Navigation.navigate(ROUTES.SAML_SIGN_IN));
-    } else if (hasInitiatedSAMLLogin) {
-        // Return early because we're already navigating to a different page
-        return;
     }
 
     let welcomeHeader = '';

And this is the result :

CleanShot.2023-11-17.at.23.09.11.mp4

[NikkiWines]

Hmm, I'm not getting that blank page while testing @fedirjh - are you experiencing that only on mobile or also on web? Also if we remove the hasInitiatedSAMLLogin logic we'll get the [warn] SignInPage in unexpected state! - "" error when the user signs in using the SAML required flow.

What about something like:

-function getRenderOptions({hasLogin, hasValidateCode, account, isPrimaryLogin, isUsingMagicCode, hasInitiatedSAMLLogin, isClientTheLeader}) {
+function getRenderOptions({hasLogin, hasValidateCode, account, isPrimaryLogin, isUsingMagicCode, hasInitiatedSAMLLogin, isClientTheLeader, hasAccountError}) {
     const hasAccount = !_.isEmpty(account);
     const isSAMLEnabled = Boolean(account.isSAMLEnabled);
     const isSAMLRequired = Boolean(account.isSAMLRequired);
@@ -109,7 +109,7 @@ function getRenderOptions({hasLogin, hasValidateCode, account, isPrimaryLogin, i
         Session.clearSignInData();
     }
 
-    const shouldShowLoginForm = isClientTheLeader && !hasLogin && !hasValidateCode;
+    const shouldShowLoginForm = hasAccountError || isClientTheLeader && !hasLogin && !hasValidateCode;
     const shouldShowEmailDeliveryFailurePage = hasLogin && hasEmailDeliveryFailure && !shouldShowChooseSSOOrMagicCode && !shouldInitiateSAMLLogin;
     const isUnvalidatedSecondaryLogin = hasLogin && !isPrimaryLogin && !account.validated && !hasEmailDeliveryFailure;
     const shouldShowValidateCodeForm =
@@ -148,6 +148,7 @@ function SignInPage({credentials, account, isInModal, activeClients, preferredLo
     const [hasInitiatedSAMLLogin, setHasInitiatedSAMLLogin] = useState(false);
 
     const isClientTheLeader = activeClients && ActiveClientManager.isClientTheLeader();
+    const hasAccountError = !_.isEmpty(account.errors);
 
     useEffect(() => Performance.measureTTI(), []);
     useEffect(() => {
@@ -187,12 +188,13 @@ function SignInPage({credentials, account, isInModal, activeClients, preferredLo
         isUsingMagicCode,
         hasInitiatedSAMLLogin,
         isClientTheLeader,
+        hasAccountError,
     });
 
     if (shouldInitiateSAMLLogin) {
         setHasInitiatedSAMLLogin(true);
         Navigation.isNavigationReady().then(() => Navigation.navigate(ROUTES.SAML_SIGN_IN));
-    } else if (hasInitiatedSAMLLogin) {
+    } else if (hasInitiatedSAMLLogin && !hasAccountError) {
         // Return early because we're already navigating to a different page
         return;
     }

[fedirjh]

are you experiencing that only on mobile or also on web?

@NikkiWines I have not encountered this problem on the web. On the web, it redirects me to the production app, indicating that the app state is not preserved. Instead, a new, fresh state is constructed with the error data.

On mobile, however, the situation is different. The app state is preserved, and a new component (webView) is pushed to the screen. When the web-view is closed, the app restores the old login view along with its state. Therefore, we need to implement failure catch-up logic in that view.

Also if we remove the hasInitiatedSAMLLogin logic we'll get the [warn] SignInPage in unexpected state! - "" error when the user signs in using the SAML required flow.

Aha I see. So, that logic will handle the sign-in success case. It makes sense; we need to address both success and failure cases within the same flow.

What about something like:

I tried this solution but it didn't work. It seems account.errors is rested at some point during the flow.

[fedirjh]

Also if we remove the hasInitiatedSAMLLogin logic we'll get the [warn] SignInPage in unexpected state! - "" error when the user signs in using the SAML required flow.

@NikkiWines I guess this error comes from this line , I think we need to update that block to address the failure case:

App/src/pages/signin/SignInPage.js

Lines 239 to 241 in 79e89c2

	} else if (!shouldInitiateSAMLLogin) {
	Log.warn('SignInPage in unexpected state!');
	}

[NikkiWines]

Sorry for the delay here - had some simulator issues and then was out of office for the US holiday weekend. I'm unable to reproduce the behavior you're seeing with the blank screen, but I do see an issue where the user gets redirected to the oldDot error page instead. That's because of a re-routing issue on the backend, which I'll push a PR up shortly to fix.

Simulator.Screen.Recording.-.iPhone.15.Pro.-.2023-11-28.at.11.37.28.mp4

I'd rather get this PR out now so that the success flow works on production, and then do a follow up PR to more accurately handle failed sign-in cases. Given that, I can revert my commit that added the following logic:

    } else if (hasInitiatedSAMLLogin) {
        // Return early because we're already navigating to a different page
        return;

How does that sound?

[fedirjh]

That looks good to me. Let's address failed sign-in cases carefully in a follow-up PR.

[NikkiWines]

I lied, I was able to reproduce it. Updated some logic and it should be working now 🤞 🍀

[NikkiWines]

Found one small bug 🐛 adressing it now

[NikkiWines]

@MonilBhavsar tagged you in another PR 😅 but it's super short. Other than that I think this should be ready for a re-review. TY to you both for all the reviewing 🙇

[fedirjh]

Looks good to me. It seems all bugs are fixed:

Success Login

CleanShot.2023-11-29.at.01.49.56.mp4

Failed Login

CleanShot.2023-11-29.at.01.33.23.mp4

[fedirjh]

Looks good to me and tests well.

[melvin-bot]

@arosiclair Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[NikkiWines]

@fedirjh, I added a commit that removed a stray onyx key import per this discussion if you want to re-approve 🙏

Edit: Ooh wait nvm, looks like you don't have to!

[MonilBhavsar]

Merging main now should fix Jest tests

[NikkiWines]

travis is tests are passing now 🎊

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[OSBotify]

🚀 Cherry-picked to staging by https://github.com/yuwenmemon in version: 1.4.7-4 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅

@Expensify/applauseleads please QA this PR and check it off on the deploy checklist if it passes.

[OSBotify]

🚀 Deployed to staging by https://github.com/arosiclair in version: 1.4.8-0 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	cancelled 🔪
🕸 web 🕸	success ✅

[NikkiWines]

Just tested this on staging iOS and it worked great. Found one small bug where the keyboard stays up on the ChooseSSOOrMagicCode page when it should be hidden, but otherwise it was super smooth 🎊 🎊 🎊

[OSBotify]

🚀 Deployed to production by https://github.com/yuwenmemon in version: 1.4.8-3 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	failure ❌
🕸 web 🕸	success ✅

[OSBotify]

🚀 Deployed to production by https://github.com/yuwenmemon in version: 1.4.8-3 🚀

platform	result
🤖 android 🤖	success ✅
🖥 desktop 🖥	success ✅
🍎 iOS 🍎	success ✅
🕸 web 🕸	success ✅