Bring back Replace Two Factor Device Flow

[chuckdries]

Explanation of Change

This PR reinstates #79266, adding protection against #84986

Fixed Issues

$ https://github.com/Expensify/Expensify/issues/583049
PROPOSAL:

Tests

Happy path

1. Configure two-factor authentication on a user
2. Go to Account > Security > Two-factor authentication
3. Press Replace device
4. Enter the code from your authenticator app
5. Observe that it shows you a new QR code and secret
6. Enter the new secret into your authenticator app
7. Enter the new code from your authenticator app
8. Observe that you see the success screen
9. Log out, then log back in
10. Observe that the code from your authenticator app allows you to log in

Invalid codes are rejected

1. Configure two-factor authentication on a user
2. Go to Account > Security > Two-factor authentication
3. Press Replace device
4. Enter 6 random numbers, or all zeros
5. Observe an error message is displayed
6. Enter the actual code from your authenticator app
7. Observe that it navigates to the QR code screen
8. On the QR code screen, enter 6 random digits
9. Observe an error message is displayed
10. Enter the code from your authenticator app. do not put the new secret into your authenticator app yet. This step is testing that this screen rejects a valid code from the old secret
11. Observe that "Invalid code" error is displayed

Invalid code error is cleared when user leaves page

1. Go to Account > Security > Two-factor authentication
2. Press Replace device
3. Enter 6 random numbers, or all zeros
4. Observe an error message is displayed
5. Close the RHP
6. Click the Two-factor authentication
7. Press Replace device
8. Observe that Invalid code error is not displayed

• Verify that no errors appear in the JS console

Offline tests

N/A

QA Steps

Same as tests

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I verified that similar component doesn't exist in the codebase
• I verified that all props are defined accurately and each prop has a /** comment above it */
• I verified that each file is named correctly
• I verified that each component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
• I verified that the only data being stored in component state is data necessary for rendering and nothing else
• In component if we are not using the full Onyx data that we loaded, I've added the proper selector in order to ensure the component only re-renders when the data it is using changes
• For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
• I verified that component internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
• I verified that all JSX used for rendering exists in the render method
• I verified that each component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions

Screenshots/Videos

Android: Native

replace.2fa.device.android.native.mp4

iOS: Native

replace.2fa.device.ios.native.mp4

iOS: mWeb Safari

replace.2fa.device.mobile.safari.mp4

MacOS: Chrome / Safari

replace.2fa.happy.path.mp4

invalid.code.errors.appear.and.are.cleared.mp4

[melvin-bot]

@shubham1206agra Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[OSBotify]

🦜 Polyglot Parrot! 🦜

Squawk! Looks like you added some shiny new English strings. Allow me to parrot them back to you in other tongues:

View the translation diff

diff --git a/src/languages/de.ts b/src/languages/de.ts
index 586a66b5..06933ab0 100644
--- a/src/languages/de.ts
+++ b/src/languages/de.ts
@@ -2118,9 +2118,9 @@ const translations: TranslationDeepObject<typeof en> = {
         replaceDevice: 'Gerät ersetzen',
         replaceDeviceTitle: 'Zwei-Faktor-Gerät ersetzen',
         verifyOldDeviceTitle: 'Altes Gerät verifizieren',
-        verifyOldDeviceDescription: 'Gib den sechsstelligen Code aus deiner aktuellen Authenticator-App ein, um zu bestätigen, dass du Zugriff darauf hast.',
+        verifyOldDeviceDescription: 'Geben Sie den sechsstelligen Code aus Ihrer aktuellen Authentifizierungs-App ein, um zu bestätigen, dass Sie Zugriff darauf haben.',
         verifyNewDeviceTitle: 'Neues Gerät einrichten',
-        verifyNewDeviceDescription: 'Scanne den QR-Code mit deinem neuen Gerät und gib dann den Code ein, um die Einrichtung abzuschließen.',
+        verifyNewDeviceDescription: 'Scannen Sie den QR-Code mit Ihrem neuen Gerät und geben Sie dann den Code ein, um die Einrichtung abzuschließen.',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/fr.ts b/src/languages/fr.ts
index 5ea1749a..9eb76431 100644
--- a/src/languages/fr.ts
+++ b/src/languages/fr.ts
@@ -2124,7 +2124,7 @@ const translations: TranslationDeepObject<typeof en> = {
         replaceDevice: 'Remplacer l’appareil',
         replaceDeviceTitle: 'Remplacer l’appareil d’authentification à deux facteurs',
         verifyOldDeviceTitle: 'Vérifier l’ancien appareil',
-        verifyOldDeviceDescription: 'Saisissez le code à six chiffres depuis votre application d’authentification actuelle pour confirmer que vous y avez accès.',
+        verifyOldDeviceDescription: 'Saisissez le code à six chiffres de votre application d’authentification actuelle pour confirmer que vous y avez accès.',
         verifyNewDeviceTitle: 'Configurer un nouvel appareil',
         verifyNewDeviceDescription: 'Scannez le code QR avec votre nouvel appareil, puis saisissez le code pour terminer la configuration.',
     },
diff --git a/src/languages/it.ts b/src/languages/it.ts
index be044800..4a48f4bd 100644
--- a/src/languages/it.ts
+++ b/src/languages/it.ts
@@ -2113,11 +2113,11 @@ const translations: TranslationDeepObject<typeof en> = {
         twoFactorAuthCannotDisable: "Impossibile disabilitare l'autenticazione a due fattori",
         twoFactorAuthRequired: 'Per la connessione a Xero è richiesta l’autenticazione a due fattori (2FA) e non può essere disattivata.',
         replaceDevice: 'Sostituisci dispositivo',
-        replaceDeviceTitle: "Sostituisci dispositivo per l'autenticazione a due fattori",
-        verifyOldDeviceTitle: 'Verifica dispositivo precedente',
-        verifyOldDeviceDescription: 'Inserisci il codice a sei cifre dalla tua attuale app di autenticazione per confermare di avere accesso ad essa.',
+        replaceDeviceTitle: 'Sostituisci dispositivo a due fattori',
+        verifyOldDeviceTitle: 'Verifica il vecchio dispositivo',
+        verifyOldDeviceDescription: 'Inserisci il codice a sei cifre dalla tua attuale app di autenticazione per confermare che hai accesso ad essa.',
         verifyNewDeviceTitle: 'Configura nuovo dispositivo',
-        verifyNewDeviceDescription: 'Scansiona il codice QR con il tuo nuovo dispositivo, quindi inserisci il codice per completare la configurazione.',
+        verifyNewDeviceDescription: 'Scansiona il codice QR con il tuo nuovo dispositivo, poi inserisci il codice per completare la configurazione.',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/ja.ts b/src/languages/ja.ts
index 3c2e0df0..34ccb095 100644
--- a/src/languages/ja.ts
+++ b/src/languages/ja.ts
@@ -2100,11 +2100,11 @@ const translations: TranslationDeepObject<typeof en> = {
         twoFactorAuthCannotDisable: '2要素認証を無効にできません',
         twoFactorAuthRequired: 'Xero 連携には二要素認証（2FA）が必須で、無効にすることはできません。',
         replaceDevice: 'デバイスを交換',
-        replaceDeviceTitle: '2 要素認証デバイスを交換',
-        verifyOldDeviceTitle: '古いデバイスを確認',
+        replaceDeviceTitle: '2 要素認証デバイスを変更',
+        verifyOldDeviceTitle: '古い端末を確認',
         verifyOldDeviceDescription: '現在使用している認証アプリに表示されている6桁のコードを入力して、アクセスできることを確認してください。',
-        verifyNewDeviceTitle: '新しいデバイスをセットアップ',
-        verifyNewDeviceDescription: '新しいデバイスでQRコードをスキャンし、その後コードを入力して設定を完了してください。',
+        verifyNewDeviceTitle: '新しいデバイスを設定',
+        verifyNewDeviceDescription: '新しいデバイスでQRコードをスキャンし、表示されたコードを入力して設定を完了してください。',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/nl.ts b/src/languages/nl.ts
index 2a9050ae..6993d5a0 100644
--- a/src/languages/nl.ts
+++ b/src/languages/nl.ts
@@ -2110,11 +2110,11 @@ const translations: TranslationDeepObject<typeof en> = {
         twoFactorAuthCannotDisable: 'Kan 2FA niet uitschakelen',
         twoFactorAuthRequired: 'Tweestapsverificatie (2FA) is vereist voor je Xero-verbinding en kan niet worden uitgeschakeld.',
         replaceDevice: 'Apparaat vervangen',
-        replaceDeviceTitle: 'Twee-factorapparaat vervangen',
+        replaceDeviceTitle: 'Tweefactorauthenticatie-apparaat vervangen',
         verifyOldDeviceTitle: 'Oud apparaat verifiëren',
-        verifyOldDeviceDescription: 'Voer de zescijferige code uit je huidige authenticator-app in om te bevestigen dat je er toegang toe hebt.',
+        verifyOldDeviceDescription: 'Voer de zescijferige code uit je huidige authenticator-app in om te bevestigen dat je daar toegang toe hebt.',
         verifyNewDeviceTitle: 'Nieuw apparaat instellen',
-        verifyNewDeviceDescription: 'Scan de QR-code met je nieuwe apparaat en voer vervolgens de code in om de installatie te voltooien.',
+        verifyNewDeviceDescription: 'Scan de QR-code met je nieuwe apparaat en voer daarna de code in om de installatie te voltooien.',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/pl.ts b/src/languages/pl.ts
index 93c25eb1..7c02226f 100644
--- a/src/languages/pl.ts
+++ b/src/languages/pl.ts
@@ -2110,11 +2110,11 @@ const translations: TranslationDeepObject<typeof en> = {
         twoFactorAuthCannotDisable: 'Nie można wyłączyć 2FA',
         twoFactorAuthRequired: 'Dla połączenia z Xero wymagana jest weryfikacja dwuetapowa (2FA) i nie można jej wyłączyć.',
         replaceDevice: 'Zastąp urządzenie',
-        replaceDeviceTitle: 'Wymień urządzenie uwierzytelniania dwuskładnikowego',
+        replaceDeviceTitle: 'Zastąp urządzenie dwuetapowej weryfikacji',
         verifyOldDeviceTitle: 'Zweryfikuj stare urządzenie',
-        verifyOldDeviceDescription: 'Wprowadź sześciocyfrowy kod z bieżącej aplikacji uwierzytelniającej, aby potwierdzić, że masz do niej dostęp.',
+        verifyOldDeviceDescription: 'Wpisz sześciocyfrowy kod z bieżącej aplikacji uwierzytelniającej, żeby potwierdzić, że masz do niej dostęp.',
         verifyNewDeviceTitle: 'Skonfiguruj nowe urządzenie',
-        verifyNewDeviceDescription: 'Zeskanuj kod QR swoim nowym urządzeniem, a następnie wprowadź kod, aby zakończyć konfigurację.',
+        verifyNewDeviceDescription: 'Zeskanuj kod QR nowym urządzeniem, a następnie wpisz ten kod, aby zakończyć konfigurację.',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/pt-BR.ts b/src/languages/pt-BR.ts
index 950d6c16..fc4f6485 100644
--- a/src/languages/pt-BR.ts
+++ b/src/languages/pt-BR.ts
@@ -2106,11 +2106,11 @@ const translations: TranslationDeepObject<typeof en> = {
         twoFactorAuthCannotDisable: 'Não é possível desativar a 2FA',
         twoFactorAuthRequired: 'A autenticação em duas etapas (2FA) é obrigatória para sua conexão com o Xero e não pode ser desativada.',
         replaceDevice: 'Substituir dispositivo',
-        replaceDeviceTitle: 'Substituir dispositivo de autenticação em duas etapas',
+        replaceDeviceTitle: 'Substituir dispositivo de dois fatores',
         verifyOldDeviceTitle: 'Verificar dispositivo antigo',
-        verifyOldDeviceDescription: 'Insira o código de seis dígitos do seu aplicativo autenticador atual para confirmar que você tem acesso a ele.',
+        verifyOldDeviceDescription: 'Digite o código de seis dígitos do seu aplicativo autenticador atual para confirmar que você tem acesso a ele.',
         verifyNewDeviceTitle: 'Configurar novo dispositivo',
-        verifyNewDeviceDescription: 'Escaneie o código QR com seu novo dispositivo e, em seguida, insira o código para concluir a configuração.',
+        verifyNewDeviceDescription: 'Escaneie o código QR com seu novo dispositivo e depois insira o código para concluir a configuração.',
     },
     recoveryCodeForm: {
         error: {
diff --git a/src/languages/zh-hans.ts b/src/languages/zh-hans.ts
index 87a48fcc..dcd25a4a 100644
--- a/src/languages/zh-hans.ts
+++ b/src/languages/zh-hans.ts
@@ -2074,9 +2074,9 @@ const translations: TranslationDeepObject<typeof en> = {
         replaceDevice: '更换设备',
         replaceDeviceTitle: '更换双重验证设备',
         verifyOldDeviceTitle: '验证旧设备',
-        verifyOldDeviceDescription: '请输入您当前身份验证器应用中的六位数验证码，以确认您可以访问该应用。',
+        verifyOldDeviceDescription: '请输入您当前身份验证器应用中的六位数验证码，以确认您仍可访问该应用。',
         verifyNewDeviceTitle: '设置新设备',
-        verifyNewDeviceDescription: '使用新设备扫描二维码，然后输入代码以完成设置。',
+        verifyNewDeviceDescription: '使用新设备扫描二维码，然后输入代码完成设置。',
     },
     recoveryCodeForm: {
         error: {

Note

You can apply these changes to your branch by copying the patch to your clipboard, then running pbpaste | git apply 😉

View workflow run

[github-actions]

❌ CONSISTENCY-5 (docs)

This eslint-disable-next-line no-restricted-imports lacks a justification comment explaining why the restricted import is necessary here.

Add a comment explaining the reason, for example:

// eslint-disable-next-line no-restricted-imports -- We need the RN ScrollView type for the ref, but the component import uses @components/ScrollView
import type {ScrollView as RNScrollView} from 'react-native';

---

Please rate this suggestion with 👍 or 👎 to help us improve! Reactions are used to monitor reviewer efficiency.

[github-actions]

❌ CONSISTENCY-5 (docs)

This eslint-disable-next-line @typescript-eslint/no-deprecated lacks a justification comment explaining why the deprecated API is being used.

Add a comment explaining the reason, for example:

// eslint-disable-next-line @typescript-eslint/no-deprecated -- InteractionManager.runAfterInteractions is needed to defer scroll until animations complete; no non-deprecated alternative available
InteractionManager.runAfterInteractions(() => {

---

Please rate this suggestion with 👍 or 👎 to help us improve! Reactions are used to monitor reviewer efficiency.

[github-actions]

❌ CONSISTENCY-2 (docs)

The number 16 is a magic number representing the expected length of a TOTP secret key. It should be extracted to a named constant for clarity.

Define a constant in CONST or at the top of this file:

const TOTP_SECRET_KEY_LENGTH = 16;

function splitSecretInChunks(secret: string): string {
    if (secret.length !== TOTP_SECRET_KEY_LENGTH) {
        return secret;
    }
    // ...
}

---

Please rate this suggestion with 👍 or 👎 to help us improve! Reactions are used to monitor reviewer efficiency.

[github-actions]

❌ CONSISTENCY-3 (docs)

The splitSecretInChunks and buildAuthenticatorUrl functions extracted here are exact duplicates of the local functions already defined in src/pages/settings/Security/TwoFactorAuth/VerifyPage.tsx (lines 61-75). The new TwoFactorAuthSecretDisplay component correctly imports from this shared utility, but VerifyPage.tsx was not updated to also use it, leaving duplicate implementations in the codebase.

Update VerifyPage.tsx to import from the new shared utility and remove its local copies:

import {buildAuthenticatorUrl, splitSecretInChunks} from '@libs/TwoFactorAuthUtils';

---

Please rate this suggestion with 👍 or 👎 to help us improve! Reactions are used to monitor reviewer efficiency.

[github-actions]

❌ CONSISTENCY-3 (docs)

This new TwoFactorAuthSecretDisplay component renders the QR code, secret key text, and copy button -- the exact same UI pattern already present in src/pages/settings/Security/TwoFactorAuth/VerifyPage.tsx (lines 109-136). However, VerifyPage.tsx was not updated to use this new shared component, leaving significant duplication of the secret key display logic.

Consider updating VerifyPage.tsx to use TwoFactorAuthSecretDisplay for its QR code and secret key section, consolidating the duplicated rendering logic into the shared component.

---

Please rate this suggestion with 👍 or 👎 to help us improve! Reactions are used to monitor reviewer efficiency.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e1d43d2073

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[lakchote]

@chuckdries can you take a look at codex comments above, please?

[codecov]

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines	Coverage Δ
src/CONST/index.ts	93.54% <ø> (ø)
src/ROUTES.ts	15.92% <ø> (+0.07%)	⬆️
src/SCREENS.ts	100.00% <ø> (ø)
src/libs/API/types.ts	100.00% <ø> (ø)
...igation/linkingConfig/RELATIONS/SETTINGS_TO_RHP.ts	100.00% <ø> (ø)
src/libs/Navigation/linkingConfig/config.ts	75.00% <ø> (ø)
src/libs/TwoFactorAuthUtils.ts	100.00% <100.00%> (ø)
...gs/Security/TwoFactorAuth/TwoFactorAuthWrapper.tsx	0.00% <ø> (ø)
src/styles/index.ts	47.42% <ø> (ø)
.../components/Pressable/PressableWithDelayToggle.tsx	0.00% <0.00%> (ø)
... and 6 more
... and 75 files with indirect coverage changes

[brunovjk]

Reviewer Checklist

• I have verified the author checklist is complete (all boxes are checked off).
• I verified the correct issue is linked in the ### Fixed Issues section above
• I verified testing steps are clear and they cover the changes made in this PR
  • I verified the steps for local testing are in the Tests section
  • I verified the steps for Staging and/or Production testing are in the QA steps section
  • I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
• I checked that screenshots or videos are included for tests on all platforms
• I included screenshots or videos for tests on all platforms
• I verified that the composer does not automatically focus or open the keyboard on mobile unless explicitly intended. This includes checking that returning the app from the background does not unexpectedly open the keyboard.
• I verified tests pass on all platforms & I tested again on:
  • Android: HybridApp
  • Android: mWeb Chrome
  • iOS: HybridApp
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
• I verified proper code patterns were followed (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick).
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I verified that this PR follows the guidelines as stated in the Review Guidelines
• I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar have been tested & I retested again)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• If a new component is created I verified that:
  • A similar component doesn't exist in the codebase
  • All props are defined accurately and each prop has a /** comment above it */
  • The file is named correctly
  • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
  • The only data being stored in the state is data necessary for rendering and nothing else
  • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
  • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
  • All JSX used for rendering exists in the render method
  • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG)
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• For any bug fix or new feature in this PR, I verified that sufficient unit tests are included to prevent regressions in this flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
• I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.

Screenshots/Videos

Android: HybridApp

Android: mWeb Chrome

iOS: HybridApp

iOS: mWeb Safari

MacOS: Chrome / Safari

564173715-dacef0cb-697d-4708-9d68-99e52a4288f6.mov

[brunovjk]

@chu everything seems fine to me, I can't reproduce any more bugs:

Screen.Recording.2026-03-16.at.10.53.26.mov

However, do you think we can add some unit tests? We also have some conflicts here. Thank you very much.

[lakchote]

@brunovjk can you finish your review please? 🙏

[melvin-bot]

@roryabraham Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[melvin-bot]

🎯 @brunovjk, thanks for reviewing and testing this PR! 🎉

An E/App issue has been created to issue payment here: #85670.

[lakchote]

LGTM

[github-actions]

🚧 @lakchote has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #85134.

Android 🤖	iOS 🍎
https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-android-Adhoc-a22c326-9a6f3c4-86af1c66ceede0ed548d7bfb643f15e22626372b/index.html	https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-ios-device-AdHoc-a22c326-9a6f3c4-c78cf070e8f943fd0679badebcc3f4c0f394436b/index.html

Web 🕸️
https://85134.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[OSBotify]

🚀 Deployed to staging by https://github.com/lakchote in version: 9.3.41-0 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

Bundle Size Analysis (Sentry):

• Android
• iOS

[OSBotify]

🚀 Deployed to production by https://github.com/cristipaval in version: 9.3.41-4 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅