Add frontend validation for distance expense amounts exceeding backend limit (v2)#83170
neil-marcellini merged 32 commits into main
@mananjadhav Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
🦜 Polyglot Parrot! 🦜
Squawk! Looks like you added some shiny new English strings. Allow me to parrot them back to you in other tongues:
View the translation diff
diff --git a/src/languages/de.ts b/src/languages/de.ts
index b3f46b5f..50c92220 100644
--- a/src/languages/de.ts
+++ b/src/languages/de.ts
@@ -1312,10 +1312,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: 'Bitte gib eine gültige Entfernung ein, bevor du fortfährst',
invalidReadings: 'Bitte geben Sie sowohl Start- als auch Endstand ein',
negativeDistanceNotAllowed: 'Endstand muss größer als Anfangsstand sein',
- distanceAmountTooLarge: 'Der Gesamtbetrag ist zu hoch. Verringere die Entfernung oder reduziere den Satz.',
- distanceAmountTooLargeReduceDistance: 'Der Gesamtbetrag ist zu hoch. Verringere die Entfernung.',
- distanceAmountTooLargeReduceRate: 'Der Gesamtbetrag ist zu hoch. Reduziere den Satz.',
- odometerReadingTooLarge: (formattedMax: string) => `Kilometerstände dürfen ${formattedMax} nicht überschreiten.`,
+ distanceAmountTooLarge: 'Der Gesamtbetrag ist zu hoch. Verringern Sie die Entfernung oder senken Sie den Satz.',
+ distanceAmountTooLargeReduceDistance: 'Der Gesamtbetrag ist zu hoch. Verringern Sie die Entfernung.',
+ distanceAmountTooLargeReduceRate: 'Der Gesamtbetrag ist zu hoch. Senken Sie den Satz.',
+ odometerReadingTooLarge: (formattedMax: string) => `Kilometerzählerstände dürfen ${formattedMax} nicht überschreiten.`,
invalidIntegerAmount: 'Bitte gib einen vollen Dollarbetrag ein, bevor du fortfährst',
invalidTaxAmount: (amount: string) => `Der maximale Steuerbetrag ist ${amount}`,
invalidSplit: 'Die Summe der Aufteilungen muss dem Gesamtbetrag entsprechen',
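Review bot: The four replaced strings (distanceAmountTooLarge through odometerReadingTooLarge) move from the informal imperative ("Verringere", "Reduziere") to formal "Sie" forms, while the unchanged neighbours invalidDistance and invalidIntegerAmount in the same hunk still address the user as "du". invalidReadings already uses "Sie", so the block is mixed either way; pick one register for the file and keep the informal wording here unless the surrounding strings are converted too.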
diff --git a/src/languages/fr.ts b/src/languages/fr.ts
index d63753b4..cd3e4b1f 100644
--- a/src/languages/fr.ts
+++ b/src/languages/fr.ts
@@ -1318,8 +1318,8 @@ const translations: TranslationDeepObject<typeof en> = {
negativeDistanceNotAllowed: 'Le relevé de fin doit être supérieur au relevé de début',
distanceAmountTooLarge: 'Le montant total est trop élevé. Réduisez la distance ou diminuez le taux.',
distanceAmountTooLargeReduceDistance: 'Le montant total est trop élevé. Réduisez la distance.',
- distanceAmountTooLargeReduceRate: 'Le montant total est trop élevé. Diminuez le taux.',
- odometerReadingTooLarge: (formattedMax: string) => `Les lectures du compteur kilométrique ne peuvent pas dépasser ${formattedMax}.`,
+ distanceAmountTooLargeReduceRate: 'Le montant total est trop élevé. Réduisez le taux.',
+ odometerReadingTooLarge: (formattedMax: string) => `Les relevés du compteur kilométrique ne peuvent pas dépasser ${formattedMax}.`,
invalidIntegerAmount: 'Veuillez saisir un montant entier en dollars avant de continuer',
invalidTaxAmount: (amount: string) => `Le montant maximal de taxe est de ${amount}`,
invalidSplit: 'La somme des répartitions doit être égale au montant total',
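Review bot: distanceAmountTooLargeReduceRate now reads "Réduisez le taux", but the unchanged combined message distanceAmountTooLarge two lines above still ends with "diminuez le taux", so the two variants of the same error use different verbs for the rate. Either keep "Diminuez le taux" or update distanceAmountTooLarge in the same change.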
diff --git a/src/languages/it.ts b/src/languages/it.ts
index 714ebdbb..dd397c12 100644
--- a/src/languages/it.ts
+++ b/src/languages/it.ts
@@ -1309,9 +1309,9 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: 'Inserisci una distanza valida prima di continuare',
invalidReadings: 'Inserisci sia la lettura iniziale che quella finale',
negativeDistanceNotAllowed: 'La lettura finale deve essere maggiore della lettura iniziale',
- distanceAmountTooLarge: "L'importo totale è troppo alto. Riduci la distanza o abbassa la tariffa.",
- distanceAmountTooLargeReduceDistance: "L'importo totale è troppo alto. Riduci la distanza.",
- distanceAmountTooLargeReduceRate: "L'importo totale è troppo alto. Abbassa la tariffa.",
+ distanceAmountTooLarge: 'L’importo totale è troppo alto. Riduci la distanza o abbassa la tariffa.',
+ distanceAmountTooLargeReduceDistance: "L'importo totale è troppo elevato. Riduci la distanza.",
+ distanceAmountTooLargeReduceRate: "L'importo totale è troppo alto. Riduci la tariffa.",
odometerReadingTooLarge: (formattedMax: string) => `Le letture del contachilometri non possono superare ${formattedMax}.`,
invalidIntegerAmount: 'Inserisci un importo in dollari intero prima di continuare',
invalidTaxAmount: (amount: string) => `L’importo massimo dell’imposta è ${amount}`,
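Review bot: The new distanceAmountTooLarge line switches to single quotes with a typographic apostrophe (L’importo) while the two lines below it keep double quotes and a straight apostrophe (L'importo), and distanceAmountTooLargeReduceDistance now says "troppo elevato" against "troppo alto" in the other two. These three messages are variants of one error; use the same apostrophe and the same adjective in all of them.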
diff --git a/src/languages/ja.ts b/src/languages/ja.ts
index d675b53e..5b8b2720 100644
--- a/src/languages/ja.ts
+++ b/src/languages/ja.ts
@@ -1303,10 +1303,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: '続行する前に有効な距離を入力してください',
invalidReadings: '開始値と終了値の両方を入力してください',
negativeDistanceNotAllowed: '終了値は開始値より大きくなければなりません',
- distanceAmountTooLarge: '合計金額が大きすぎます。距離を減らすか、レートを下げてください。',
- distanceAmountTooLargeReduceDistance: '合計金額が大きすぎます。距離を減らしてください。',
+ distanceAmountTooLarge: '合計金額が大きすぎます。距離を短くするか、レートを下げてください。',
+ distanceAmountTooLargeReduceDistance: '合計金額が大きすぎます。距離を短くしてください。',
distanceAmountTooLargeReduceRate: '合計金額が大きすぎます。レートを下げてください。',
- odometerReadingTooLarge: (formattedMax: string) => `オドメーターの読み取り値は${formattedMax}を超えることはできません。`,
+ odometerReadingTooLarge: (formattedMax: string) => `オドメーターの数値は ${formattedMax} を超えることはできません。`,
invalidIntegerAmount: '続行する前にドルの整数金額を入力してください',
invalidTaxAmount: (amount: string) => `最大税額は${amount}です`,
invalidSplit: '分割した金額の合計は合計金額と一致している必要があります',
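Review bot: odometerReadingTooLarge now puts spaces around ${formattedMax}, while invalidTaxAmount in the context lines interpolates without spaces (最大税額は${amount}です). Confirm which spacing this file uses for interpolated numbers and apply it to both strings.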
diff --git a/src/languages/nl.ts b/src/languages/nl.ts
index ce230084..017938e4 100644
--- a/src/languages/nl.ts
+++ b/src/languages/nl.ts
@@ -1308,10 +1308,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: 'Voer een geldige afstand in voordat je verdergaat',
invalidReadings: 'Voer zowel de begin- als eindstanden in',
negativeDistanceNotAllowed: 'Eindstand moet hoger zijn dan beginstand',
- distanceAmountTooLarge: 'Het totale bedrag is te hoog. Verlaag de afstand of verlaag het tarief.',
- distanceAmountTooLargeReduceDistance: 'Het totale bedrag is te hoog. Verlaag de afstand.',
+ distanceAmountTooLarge: 'Het totale bedrag is te hoog. Verkort de afstand of verlaag het tarief.',
+ distanceAmountTooLargeReduceDistance: 'Het totale bedrag is te hoog. Verkort de afstand.',
distanceAmountTooLargeReduceRate: 'Het totale bedrag is te hoog. Verlaag het tarief.',
- odometerReadingTooLarge: (formattedMax: string) => `Kilometertellerstanden mogen niet hoger zijn dan ${formattedMax}.`,
+ odometerReadingTooLarge: (formattedMax: string) => `Kilometerstand kan niet hoger zijn dan ${formattedMax}.`,
invalidIntegerAmount: 'Voer een volledig dollarbedrag in voordat je doorgaat',
invalidTaxAmount: (amount: string) => `Maximale belastingbedrag is ${amount}`,
invalidSplit: 'De som van de splitsingen moet gelijk zijn aan het totale bedrag',
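Review bot: odometerReadingTooLarge changes from the plural "Kilometertellerstanden mogen niet ..." to the singular "Kilometerstand kan niet ...", whereas the removed line and the other locales in this diff (de "Kilometerzählerstände", fr "Les relevés") use the plural, and invalidReadings above speaks of "begin- als eindstanden". Keep the plural, for example "Kilometerstanden mogen niet hoger zijn dan ${formattedMax}."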
diff --git a/src/languages/pl.ts b/src/languages/pl.ts
index 106929ac..b315bbf0 100644
--- a/src/languages/pl.ts
+++ b/src/languages/pl.ts
@@ -1307,10 +1307,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: 'Wprowadź prawidłowy dystans przed kontynuowaniem',
invalidReadings: 'Wprowadź zarówno odczyt początkowy, jak i końcowy',
negativeDistanceNotAllowed: 'Końcowy odczyt musi być większy niż początkowy odczyt',
- distanceAmountTooLarge: 'Łączna kwota jest zbyt wysoka. Zmniejsz dystans lub obniż stawkę.',
- distanceAmountTooLargeReduceDistance: 'Łączna kwota jest zbyt wysoka. Zmniejsz dystans.',
+ distanceAmountTooLarge: 'Łączna kwota jest zbyt duża. Skróć dystans lub obniż stawkę.',
+ distanceAmountTooLargeReduceDistance: 'Łączna kwota jest zbyt wysoka. Zmniejsz odległość.',
distanceAmountTooLargeReduceRate: 'Łączna kwota jest zbyt wysoka. Obniż stawkę.',
- odometerReadingTooLarge: (formattedMax: string) => `Odczyty licznika nie mogą przekraczać ${formattedMax}.`,
+ odometerReadingTooLarge: (formattedMax: string) => `Odczyty z licznika nie mogą przekraczać ${formattedMax}.`,
invalidIntegerAmount: 'Przed kontynuowaniem wprowadź kwotę w pełnych dolarach',
invalidTaxAmount: (amount: string) => `Maksymalna kwota podatku to ${amount}`,
invalidSplit: 'Suma podziałów musi być równa całkowitej kwocie',
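Review bot: After this hunk the three sibling messages disagree on wording: distanceAmountTooLarge says "zbyt duża" and "Skróć dystans", distanceAmountTooLargeReduceDistance says "zbyt wysoka" and "Zmniejsz odległość", and distanceAmountTooLargeReduceRate keeps "zbyt wysoka". invalidDistance in the context lines uses "dystans", so settle on one adjective and one noun for distance across all three.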
diff --git a/src/languages/pt-BR.ts b/src/languages/pt-BR.ts
index b55d8a69..d60b2e25 100644
--- a/src/languages/pt-BR.ts
+++ b/src/languages/pt-BR.ts
@@ -1305,10 +1305,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: 'Insira uma distância válida antes de continuar',
invalidReadings: 'Insira as leituras de início e fim',
negativeDistanceNotAllowed: 'A leitura final deve ser maior que a leitura inicial',
- distanceAmountTooLarge: 'O valor total é muito alto. Diminua a distância ou reduza a tarifa.',
- distanceAmountTooLargeReduceDistance: 'O valor total é muito alto. Diminua a distância.',
- distanceAmountTooLargeReduceRate: 'O valor total é muito alto. Reduza a tarifa.',
- odometerReadingTooLarge: (formattedMax: string) => `As leituras do hodômetro não podem exceder ${formattedMax}.`,
+ distanceAmountTooLarge: 'O valor total é muito alto. Reduza a distância ou diminua a tarifa.',
+ distanceAmountTooLargeReduceDistance: 'O valor total é muito alto. Reduza a distância.',
+ distanceAmountTooLargeReduceRate: 'O valor total é muito alto. Reduza a taxa.',
+ odometerReadingTooLarge: (formattedMax: string) => `As leituras do odômetro não podem exceder ${formattedMax}.`,
invalidIntegerAmount: 'Insira um valor inteiro em dólares antes de continuar',
invalidTaxAmount: (amount: string) => `O valor máximo de imposto é ${amount}`,
invalidSplit: 'A soma das divisões deve ser igual ao valor total',
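Review bot: The rate is called "tarifa" in the new distanceAmountTooLarge and "taxa" in the new distanceAmountTooLargeReduceRate, so the combined and rate-only variants of the same error name the field differently. Use one term in both lines.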
diff --git a/src/languages/zh-hans.ts b/src/languages/zh-hans.ts
index 6f216310..9d7c72c4 100644
--- a/src/languages/zh-hans.ts
+++ b/src/languages/zh-hans.ts
@@ -1282,10 +1282,10 @@ const translations: TranslationDeepObject<typeof en> = {
invalidDistance: '请在继续之前输入有效的距离',
invalidReadings: '请输入起始读数和结束读数',
negativeDistanceNotAllowed: '结束读数必须大于开始读数',
- distanceAmountTooLarge: '总金额过大。请减少距离或降低费率。',
+ distanceAmountTooLarge: '总金额过大。请缩短距离或降低费率。',
distanceAmountTooLargeReduceDistance: '总金额过大。请减少距离。',
distanceAmountTooLargeReduceRate: '总金额过大。请降低费率。',
- odometerReadingTooLarge: (formattedMax: string) => `里程表读数不能超过${formattedMax}。`,
+ odometerReadingTooLarge: (formattedMax: string) => `里程表读数不能超过 ${formattedMax}。`,
invalidIntegerAmount: '请在继续之前输入一个整数美元金额',
invalidTaxAmount: (amount: string) => `最高税额为 ${amount}`,
invalidSplit: '拆分金额之和必须等于总金额',
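Review bot: distanceAmountTooLarge now says 缩短距离 while distanceAmountTooLargeReduceDistance on the next line still says 减少距离, so the combined and distance-only messages use different verbs for the same action. Change both or neither.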
Note You can apply these changes to your branch by copying the patch to your clipboard, then running |
…d limit
Extreme odometer/distance values can produce amounts exceeding the backend WAF's 12-digit limit (999,999,999,999 cents). When this happens, the WAF silently strips the amount parameter, causing null amount exceptions during transaction merge.
This adds client-side validation to all distance expense entry points:
- Odometer page (IOURequestStepDistanceOdometer)
- Manual distance page (IOURequestStepDistanceManual)
- Confirmation list (MoneyRequestConfirmationList) for map/GPS/all types
Also adds a new isDistanceAmountWithinLimit utility in DistanceRequestUtils and localized error messages in all 10 language files.
Changes single-quoted string with escaped apostrophe to double-quoted string in the distanceAmountTooLarge translation, matching Prettier's formatting rules. Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
When editing the rate on an existing distance expense, validate that the new rate combined with the existing distance does not exceed the backend WAF's 12-digit limit (999,999,999,999 cents). Shows the same distanceAmountTooLarge error message used in the creation flow. Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
…idation error When selecting a rate that causes the distance amount to exceed the backend limit, the page now keeps the problematic rate shown as selected (via local pendingRateID state) instead of reverting to the previously stored rate. This makes the error context clear to the user. Selecting a valid rate clears the error and navigates back normally. Hitting back without fixing leaves the server-stored rate unchanged. Also moved the validation check before tax state updates so that an invalid rate selection does not produce side effects on tax amount/code. Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
On distance pages (odometer/manual), show "Reduce the distance" only. On the rate page, show "Lower the rate" only. The confirmation page keeps the general message mentioning both. Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
The odometer start/end TextInput fields had no character length limit, allowing users to enter unreasonably large values. Add CONST.IOU.ODOMETER_MAX_LENGTH (10 chars, supporting up to 9999999.99) and apply it to both odometer TextInput fields. Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
maxLength alone is a character count limit, not a numeric limit. 9999999.99 is 10 characters but far exceeds 999,999. Add an explicit numeric check against ODOMETER_MAX_VALUE (999,999) in handleNext() and reduce ODOMETER_MAX_LENGTH from 10 to 9 as a UX guardrail. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Commercial vehicles can exceed 1M miles, so raise ODOMETER_MAX_VALUE to 9,999,999.9 with 1 decimal place. Commas are now stripped as thousand separators instead of converted to decimal points. ODOMETER_MAX_LENGTH raised to 11 (7 digits + 2 commas + dot + 1 decimal). Co-authored-by: Cursor <cursoragent@cursor.com>
Use replaceAllDigits + fromLocaleDigit to convert locale-specific input to standard format (e.g., European "1.234,5" → "1234.5"). Update error messages to show the actual max of 9,999,999.9 with locale-appropriate decimal separators in all 10 languages. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
Display values with commas (e.g., 9,999,999.9) as the user types. Strip commas before all parseFloat calls so numeric operations work correctly. Fixes amount=0 bug caused by parseFloat stopping at commas. Co-authored-by: Cursor <cursoragent@cursor.com>
…er-string-replace-all rule Co-authored-by: Neil Marcellini <neil-marcellini@users.noreply.github.com>
Don't auto-format or restrict what the user types. Accept numbers, commas, and periods freely. Parse using locale-aware digit conversion on submit and validate the numeric value against ODOMETER_MAX_VALUE. Remove maxLength and ODOMETER_MAX_LENGTH since validation is now purely numeric. Co-authored-by: Cursor <cursoragent@cursor.com>
Reviewer Checklist
Screenshots/Videos
Android: HybridApp
Screen.Recording.2026-02-27.at.4.24.49.AM.mov
Android: mWeb Chrome
Screen.Recording.2026-02-27.at.4.30.16.AM.mov
iOS: HybridApp
Screen.Recording.2026-02-27.at.4.07.44.AM.mov
iOS: mWeb Safari
Screen.Recording.2026-02-27.at.4.15.21.AM.mov
Screen.Recording.2026-02-27.at.4.19.02.AM.mov
MacOS: Chrome / Safari
Screen.Recording.2026-02-27.at.1.57.25.AM.mov
||
| navigateToNextPage(value); | ||
| }, [navigateToNextPage, translate, report, iouType, currentUserAccountIDParam]); | ||
| }, [navigateToNextPage, translate, report, iouType, currentUserAccountIDParam, rate]); |
This PR refactored the function body but missed removing the unnecessary dependencies here.
Unused dependencies are safe to remove.
|
@MonilBhavsar Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
|
🎯 @ChavdaSachin, thanks for reviewing and testing this PR! 🎉 An E/App issue has been created to issue payment here: #83636. |
report, iouType, and currentUserAccountIDParam are not referenced in the callback body — they were left over from before the refactor moved logic into navigateToNextPage. Made-with: Cursor
MonilBhavsar
left a comment
@Julesssss all yours
|
🚧 @neil-marcellini has triggered a test Expensify/App build. You can view the workflow run here. |
|
🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
|
✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release. |
|
🚀 Deployed to staging by https://github.com/neil-marcellini in version: 9.3.31-0 🚀
|
Deploy Blocker #84177 was identified to be related to this PR. |
|
Deploy Blocker #84220 was identified to be related to this PR. |
|
This PR is failing because of the issue #84273 |
|
@ChavdaSachin could you look into the related issues please (just this one), I have closed two of the others. |
|
Yes @Julesssss, this bug was already reported by me - here. |
|
🚀 Deployed to production by https://github.com/blimpich in version: 9.3.31-12 🚀
|
(Neil's AI agent)
This is a clean v2 of #82971, with duplicate commits removed.
Explanation of Change
Extreme odometer or manual distance values can produce expense amounts that exceed the backend WAF's 12-digit limit (999,999,999,999 cents). When this happens, the WAF silently strips the amount parameter from the API request, causing a null amount exception during Transaction_Merge (ExpException at api.php:1686).
This PR adds client-side validation to prevent users from submitting distance expenses with amounts that would exceed the backend limit.
Amount validation (distance × rate):
- MAX_SAFE_AMOUNT: 999999999999 constant to CONST.IOU matching the backend WAF regex limit
- isDistanceAmountWithinLimit(distance, rate) utility in DistanceRequestUtils
Odometer reading limits:
- ODOMETER_MAX_VALUE: 9999999.9 — max reading of 9,999,999.9 to support commercial vehicles
Locale-aware input parsing:
- replaceAllDigits + fromLocaleDigit so European formats (e.g., German 1.234.567,9) are handled correctly
- numberFormat to display the max value in the user's locale
Rate edit UX:
- pendingRateID state)
Localization:
- odometerReadingTooLarge uses a function with locale-formatted max value instead of hardcoded numbers
Fixed Issues
$ https://github.com/Expensify/Expensify/issues/601062
Tests
Create flow
2026-02-19_17-53-02.mp4
Update flow
2026-02-20_18-16-11.mp4
2026-02-20_18-20-48.mp4
Test with odometer expenses too
2026-02-22_08-49-44.mp4
Offline tests
No offline-specific behavior changes — validation is purely client-side before any API call.
QA Steps
Same as tests
Screenshots/Videos
No platform specific changes. See the videos in the tests section.
Android: Native
Android: mWeb Chrome
iOS: Native
iOS: mWeb Safari
MacOS: Chrome / Safari
Made with Cursor
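The checks this PR describes (locale-aware parsing of the typed reading, a numeric odometer cap, and the 12-digit amount cap), as an added TypeScript sketch that is not code from the Expensify/App repository. The constant values and error-key names are taken from the PR text; parseReading, isReadingWithinLimit, validateOdometerExpense and every function body, including the one given to isDistanceAmountWithinLimit, are assumptions made for illustration.

```typescript
// Added illustration, not the project's implementation.
const MAX_SAFE_AMOUNT = 999999999999; // cents; 12-digit limit quoted in the PR
const ODOMETER_MAX_VALUE = 9999999.9; // max reading quoted in the PR

type DecimalMark = '.' | ',';
type Result = {ok: boolean; amount?: number; error?: string};

// Hypothetical helper: turn a user-typed reading into a number.
// parseFloat('9,999,999.9') stops at the first comma and returns 9,
// so separators are normalised before any numeric conversion.
function parseReading(input: string, decimalMark: DecimalMark): number | null {
    const groupMark = decimalMark === '.' ? ',' : '.';
    const normalised = input
        .trim()
        .split(groupMark)
        .join('') // drop thousand separators
        .replace(decimalMark, '.'); // locale decimal mark -> "."
    // Only plain digits with an optional fraction survive; "12abc", "" and "1,2,3" (de) do not.
    if (!/^\d+(\.\d+)?$/.test(normalised)) {
        return null;
    }
    return Number(normalised);
}

// A character-count limit is not a numeric limit, so compare the value itself.
function isReadingWithinLimit(reading: number): boolean {
    return reading >= 0 && reading <= ODOMETER_MAX_VALUE;
}

// Assumed semantics: distance in units, rate in cents per unit.
function isDistanceAmountWithinLimit(distance: number, rate: number): boolean {
    const amount = Math.round(distance * rate);
    return isFinite(amount) && Math.abs(amount) <= MAX_SAFE_AMOUNT;
}

function validateOdometerExpense(start: string, end: string, rate: number, decimalMark: DecimalMark): Result {
    const s = parseReading(start, decimalMark);
    const e = parseReading(end, decimalMark);
    if (s === null || e === null) {
        return {ok: false, error: 'invalidReadings'};
    }
    if (!isReadingWithinLimit(s) || !isReadingWithinLimit(e)) {
        return {ok: false, error: 'odometerReadingTooLarge'};
    }
    if (e <= s) {
        return {ok: false, error: 'negativeDistanceNotAllowed'};
    }
    const distance = e - s;
    if (!isDistanceAmountWithinLimit(distance, rate)) {
        return {ok: false, error: 'distanceAmountTooLargeReduceDistance'};
    }
    return {ok: true, amount: Math.round(distance * rate)};
}
```

A client-side check like this only improves the error the user sees; a request built outside the app can still carry an oversized amount, so the server-side handling of a stripped or missing amount has to stay in place.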