[Security] Uphold linking modals should be combined and have privacy warning

[diracdeltas]

Discussed in https://github.com/brave/security/issues/72:

We currently show two different modals in brave://rewards for uphold wallet linking, depending on whether you already have a verified uphold account or if you have at least 25 BAT.

25 BAT screen:

already have a verified wallet:

1. We should consolidate these so that users see the same message no matter how they link their wallet.
2. The consolidated modal needs to have a message along the lines of, "If you verify your wallet, Uphold is able to see your tipping activity."

cc @NejcZdovc @evq

[mandar-brave]

@diracdeltas the second login only works for users that have an Uphold account; the entire idea of the second dialog is if they have had previously created the account.

When one links the wallet, the user explicitly sees the authorization - that is what Tom and we agreed to do clearly suggesting to the user that a) you are creating an account on Uphold as them being a Custodian and they have fiduciary duties and b) you are authorizing Brave to get XYZ access to your Uphold account.

@NejcZdovc @LaurenWags if you have the authorize screen handy, can you add to this ticket?

The message on image-1 needs a redo and I can get going on that; it makes sense.

I am trying to understand why have the same exact message when they re-login in to the system; may be change the Login to "Re-login". We can add the message but we can't have the same screen when the use cases are very different and are meant to do a different thing.

[NejcZdovc]

@mandar-brave did you mean this image?

[mandar-brave]

its the entire auth aspect including the scopes @NejcZdovc - this is just the text part of it.
thanks.

[diracdeltas]

@mandar-brave understood; regardless I think it's not clear to the user when they link their Uphold wallet (regardless of whether they already have an Uphold account) that this allows Uphold to see tipping activity. This has important privacy implications and should be clearly presented to the user.

[mandar-brave]

@diracdeltas nothing against the ask; wondering how we can pack each such transaction over time in to the UI, and then as we add more custodian providers.

The re-login page does force the user to go through an authorization page explicitly via Uphold (and that may be a better place to fix all text as well), so if they have not authenticated the Brave Browser one time, they have to irrespective of which modal they clicked in. So if the user signed up on Uphold but never authorized the Brave Browser, they have to do that. Fair call on the text, just feel its an overkill with multiple pages in play. And understand the hosted authorization page is in Uphold Custody.

My suggestion is we have a hosted redirect page that does this vs. having to stuff this in to modals which cannot take ever expanding context. the hosted page will allow us to control the text and story for each custodian globally with clear call outs for all of the pieces.

It has significant funnel conversion issues, but at a minimum we can reduce friction in terms of having to update new features in to the modal.

thoughts? cc @evq per chat yesterday

[diracdeltas]

My suggestion is we have a hosted redirect page that does this vs. having to stuff this in to modals which cannot take ever expanding context. the hosted page will allow us to control the text and story for each custodian globally with clear call outs for all of the pieces.

sgtm from a privacy/consent perspective

[mandar-brave]

@jenn-rhim @bradleyrichter lets talk

[LaurenWags]

@NejcZdovc @mandar-brave to confirm, this issue only covers the directive to have a note from 2 in the description

2. The consolidated modal needs to have a message along the lines of, "If you verify your wallet, Uphold is able to see your tipping activity."

This issue does not cover a consolidated modal for the two different scenarios, correct?

[NejcZdovc]

Correct at the end we didn't merge them, we just added notes

[LaurenWags]

Verified passed with

Brave | 1.18.62 Chromium: 87.0.4280.67 (Official Build) dev (x86_64)
-- | --
Revision | 0e5d92df40086cf0050c00f87b11da1b14580930-refs/branch-heads/4280@{#1441}
OS | macOS Version 10.14.6 (Build 18G6042)

Verified test plan from brave/brave-core#6926

Confirmed able to see the note on the Uphold 25 BAT verification message from both the panel and brave://rewards page:

Confirmed able to see the same message on the Verify Wallet modal:

---

Verification passed on

Brave | 1.18.66 Chromium: 87.0.4280.67 (Official Build) dev (64-bit)
-- | --
Revision | 0e5d92df40086cf0050c00f87b11da1b14580930-refs/branch-heads/4280@{#1441}
OS | Windows 10 OS Version 2004 (Build 19041.630)

Verified test plan from brave/brave-core#6926

Confirmed able to see the note on the Uphold 25 BAT verification message from both the panel and brave://rewards page:

Confirmed able to see the same message on the Verify Wallet modal:

---

Verification passed on

Brave	1.18.62 Chromium: 87.0.4280.67 (Official Build) dev (64-bit)
Revision	0e5d92df40086cf0050c00f87b11da1b14580930-refs/branch-heads/4280@{#1441}
OS	Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#6926

Confirmed able to see the note on the Uphold 25 BAT verification message from both the panel and brave://rewards page:

Confirmed able to see the same message on the Verify Wallet modal: