[Payment due @truph01] Clear stale billing grace period optimistically on restricted action page

[MelvinBot]

Explanation of Change

When a workspace is restricted due to a billing issue, the WorkspaceRestrictedActionPage calls openSubscriptionPage() to fetch fresh billing data from the server. However, the cached SHARED_NVP_PRIVATE_USER_BILLING_GRACE_PERIOD_END collection entry for the workspace owner was never cleared optimistically on the client. This means if the server response doesn't explicitly update/clear these keys (or if there's any caching delay), the stale grace period data keeps the workspace restricted even after the owner has resolved their billing issue.

This fix adds an optimistic Onyx update to openSubscriptionPage that nulls out the owner's billing grace period entry before the API call. If the server still has an active grace period, it will be restored from the response. If billing was resolved, it stays null and the restriction lifts immediately.

Fixed Issues

$ https://github.com/Expensify/Expensify/issues/597281

Tests

1. Have a workspace where the owner has a billing issue (grace period expired)
2. Verify the workspace shows the restricted action page
3. Resolve the billing issue (e.g., update payment method)
4. Navigate back to the workspace in New Expensify
5. Verify the restricted action page loads briefly (loading indicator), then navigates back as the restriction is lifted
6. Verify switching between Classic and New Expensify shows consistent restriction status

• Verify that no errors appear in the JS console

Offline tests

1. Put the device offline
2. Navigate to a restricted workspace
3. Verify the restriction page shows without a loading spinner (since API calls won't go through)
4. Put the device back online
5. Verify openSubscriptionPage fires via onReconnect and the restriction lifts if billing was resolved

QA Steps

1. Find or create a workspace with an expired billing grace period
2. Resolve the billing issue on the backend
3. In New Expensify, navigate to the restricted workspace
4. Verify the restriction page briefly shows a loading indicator, then navigates back (restriction lifted)
5. Verify Classic Expensify shows the same non-restricted state

• Verify that no errors appear in the JS console

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

N/A - no visual changes, logic-only fix

Android: mWeb Chrome

N/A - no visual changes, logic-only fix

iOS: Native

N/A - no visual changes, logic-only fix

iOS: mWeb Safari

N/A - no visual changes, logic-only fix

MacOS: Chrome / Safari

N/A - no visual changes, logic-only fix

[MelvinBot]

Fixed the failing typecheck: OnyxUpdate now requires a type argument, so the untyped OnyxUpdate[] on optimisticData was invalid. Moved the grace period clear to a direct Onyx.set() call and restored proper typing on the array.

[rushatgabhane]

@MelvinBot fix Type widening from Array<OnyxUpdate> to OnyxUpdate[]

[MelvinBot]

Fixed the type widening issue. Consolidated the three separate Array<OnyxUpdate<typeof ONYXKEYS.IS_LOADING_SUBSCRIPTION_DATA>> variables into a single OnyxData<typeof ONYXKEYS.IS_LOADING_SUBSCRIPTION_DATA> object, matching the pattern used by updateSubscriptionSize and clearOutstandingBalance in the same file.

[codecov]

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines	Coverage Δ
src/libs/actions/Subscription.ts	22.44% <100.00%> (+22.44%)	⬆️
...Action/Workspace/WorkspaceRestrictedActionPage.tsx	0.00% <0.00%> (ø)
... and 14 files with indirect coverage changes

[rushatgabhane]

@MelvinBot mark ready for review

[melvin-bot]

@truph01 Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 77219b9b8f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restore grace-period key when subscription refresh fails

Clearing SHARED_NVP_PRIVATE_USER_BILLING_GRACE_PERIOD_END with a standalone Onyx.set(..., null) is not tied to API.read's failureData, so a failed OpenSubscriptionPage request (e.g., transient 5xx/network error) leaves the owner’s grace-period entry permanently null in local state. Because restriction checks treat a null entry as “not restricted,” WorkspaceRestrictedActionPage can navigate away once loading flips false, allowing billable flows even though billing is still overdue. This optimistic clear should be part of request onyx data with a rollback path (or explicitly restored on failure).

Useful? React with 👍 / 👎.

[truph01]

@MelvinBot What do you think about this comment?

[MelvinBot]

The concern is valid. Here's the failure scenario:

1. openSubscriptionPage immediately calls Onyx.set(gracePeriodKey, null) — clearing the grace period
2. optimisticData sets IS_LOADING_SUBSCRIPTION_DATA = true
3. The API call fails (network error, 5xx, etc.)
4. failureData sets IS_LOADING_SUBSCRIPTION_DATA = false
5. WorkspaceRestrictedActionPage (line 48-54) sees loading is done, checks shouldRestrictUserBillableActions — the grace period is null so no restriction is detected → navigates back
6. The workspace appears unrestricted even though billing is still overdue

The standalone Onyx.set on line 21 runs outside the API lifecycle, so there's no rollback on failure.

Practical risk is moderate — onReconnect (line 33) would re-trigger the call when connectivity returns, but there's a window where the restriction is incorrectly lifted. Also, API.read commands aren't retried like API.write, so a 5xx failure with working connectivity would leave the grace period permanently null until the next navigation.

The right fix would be to move the grace period clear into optimisticData and capture the previous value for failureData rollback. Something like:

function openSubscriptionPage(ownerAccountID?: number) {
    // Read the current value to enable rollback on failure
    const currentGracePeriod = /* read from Onyx */;

    const onyxData = {
        optimisticData: [
            { key: IS_LOADING_SUBSCRIPTION_DATA, value: true, ... },
            // Only include if ownerAccountID is provided
            ...(ownerAccountID ? [{ key: gracePeriodKey, value: null, ... }] : []),
        ],
        failureData: [
            { key: IS_LOADING_SUBSCRIPTION_DATA, value: false, ... },
            // Restore previous value on failure
            ...(ownerAccountID ? [{ key: gracePeriodKey, value: currentGracePeriod, ... }] : []),
        ],
        successData: [
            { key: IS_LOADING_SUBSCRIPTION_DATA, value: false, ... },
        ],
    };
}

This keeps the optimistic clear behavior on success while properly rolling back on failure. rushatgabhane — would you like me to implement this fix?

[truph01]

@MelvinBot Implement it

[MelvinBot]

Implemented the fix. The standalone Onyx.set() has been replaced with proper API lifecycle integration:

1. optimisticData — clears the grace period when the API call starts (same behavior as before)
2. failureData — restores the previous grace period value if the API call fails (new rollback behavior)

The caller (WorkspaceRestrictedActionPage) now passes the current grace period value via a ref to avoid re-triggering the fetch effect on every optimistic update.

This ensures that a failed OpenSubscriptionPage request (e.g., transient 5xx/network error) won't leave the grace period permanently null.

[MelvinBot]

Added unit tests for openSubscriptionPage covering the new grace period handling:

1. No ownerAccountID — verifies only loading state Onyx data is included
2. With ownerAccountID and currentGracePeriod — verifies optimistic clear (null) and failure rollback (restore previous value)
3. With ownerAccountID but undefined currentGracePeriod — verifies failure rollback falls back to null
4. Falsy ownerAccountID (0) — verifies grace period data is not included

All 4 tests pass locally.

[truph01]

@MelvinBot Please merge main

[MelvinBot]

Merged main into this branch. ✅

[melvin-bot]

@ZhenjaHorbach Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

[truph01]

@ZhenjaHorbach Please ignore it, not sure why Melvin assigns a new C+ here

[JmillsExpensify]

LGTM

[MelvinBot]

Implemented the change to clear all billing grace period keys instead of only the current owner's key, plus updated unit tests.

What changed:

1. src/libs/actions/Subscription.ts — openSubscriptionPage now accepts the entire OnyxCollection<BillingGraceEndPeriod> instead of a single ownerAccountID + value. It iterates all keys in the collection, clears them optimistically, and restores each on failure.

2. WorkspaceRestrictedActionPage.tsx — passes the full userBillingGracePeriods collection (via ref) to openSubscriptionPage instead of extracting a single owner's entry. Removed the policy?.ownerAccountID dependency from the effect since we no longer need it.

3. tests/actions/SubscriptionTest.ts — 5 tests covering:

   • No grace periods provided → only loading state data
   • Multiple grace period keys → all cleared optimistically, all restored on failure
   • Undefined values in collection → rollback to null
   • Undefined collection → no grace period data
   • Empty collection → no grace period data

[truph01]

ahh, i think we should clear all the values. because if the policy owner changes, then our cache will be stale and never evicted

@rushatgabhane If the policy owner changes, wouldn’t the pusher update the policy owner accordingly?

Anyway, clearing all values seems reasonable. The OpenSubscriptionPage API does not return data for just a specific grace period—it returns all related data.

[truph01]

@MelvinBot Please merge main

[MelvinBot]

Merged main into this branch. ✅

[truph01]

@rushatgabhane I tested the latest change, it looks good, all the sharedNVP_private_billingGracePeriodEnd_ are cleared:

Screen.Recording.2026-04-08.at.11.15.33.mov

[rushatgabhane]

@rushatgabhane If the policy owner changes, wouldn’t the pusher update the policy owner accordingly?

yeah i thought so too, but it doesn't work for many cases. eg: when the nvp is cleared, it is delete from DB and then we can't share the "cleared" nvp to users that were offline.

so it leads to stale nvp that is stuck and the user sees restricted page

[rushatgabhane]

I tested the latest change, it looks good, all the sharedNVP_private_billingGracePeriodEnd_ are cleared:

thank you for being so proactive! 🙇

[github-actions]

🚧 @robertjchen has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #85635.

Android 🤖	iOS 🍎
https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-android-Adhoc-cb41497-37e8f9e-4de43d6e576c0db900841da940005f39c9f5654f/index.html	https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-ios-device-AdHoc-cb41497-37e8f9e-4b0cf8fe5f6888fd7874d56be3e5c6638a6aaa3c/index.html

Web 🕸️
https://85635.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[OSBotify]

🚀 Deployed to staging by https://github.com/robertjchen in version: 9.3.55-0 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

Bundle Size Analysis (Sentry):

• Android
• iOS

[MelvinBot]

No help site changes are required for this PR.

This is a logic-only fix that clears stale cached billing grace period data optimistically so the workspace restriction lifts immediately after the owner resolves their billing issue. It does not:

• Add or change any user-facing features, UI text, labels, or navigation
• Alter any billing workflows from the user's perspective
• Introduce new settings, options, or concepts

The existing help site articles under new-expensify/billing-and-subscriptions/ (Billing Overview, Add a payment card, etc.) and expensify-classic/expensify-billing/Out-of-Date-Billing.md already cover billing troubleshooting and payment updates. None of them describe the internal caching behavior that this PR fixes, and none need to be updated as a result.

[IuliiaHerets]

@MelvinBot We are not sure if we tested it correctly, but we can repro issue (if it is actually an issue) with a briefly shown loader and RHP close.
Is it Verify the restriction page briefly shows a loading indicator, then navigates back (restriction lifted)?
Can you please check the video and confirm?

bandicam.2026-04-09.09-47-46-345.mp4

cc @JmillsExpensify @robertjchen @Eskalifer1

[JmillsExpensify]

but we can repro issue (if it is actually an issue) with a briefly shown loader and RHP close.

I looked at the video. I agree this shouldn't happen.

[IuliiaHerets]

@JmillsExpensify should we log a new issue or failed with the original one?

[truph01]

@IuliiaHerets Could you please share the test steps? This would help clarify whether it falls within the scope of this issue.

[IuliiaHerets]

@truph01
Test steps:

Run snippet in devtools console:
Onyx.set('sharedNVP_private_billingGracePeriodEnd_${userA's ID}', {value: 1772769594})
2. Create expense in workspace
3. Create another expense (grace period has cleared)

[truph01]

@IuliiaHerets, could you share the expected behavior and the actual behavior, too?

[IuliiaHerets]

@truph01, We believe you would have better clarity on the expected behavior.
As for us: Actual behavior: the RHP restricted action is briefly shown with a loading indicator and then auto-closes.

[JmillsExpensify]

I think we should either: open it and show a spinner, and equally, let's not auto-close the RHP. That's confusing.

[truph01]

Actual behavior: the RHP restricted action is briefly shown with a loading indicator and then auto-closes.

@IuliiaHerets @JmillsExpensify The loading indicator is shown because data is being fetched from the backend. Once the data is retrieved, the system determines that there is nothing to restrict, so the view automatically closes.

Isn’t this the expected behavior?

Also, it appears that production behaves the same way. You can refer to the attached video in this comment.

[JmillsExpensify]

Auto-closing is not the expected behavior. I agree we need some kind of loading experience though.

[truph01]

Auto-closing is not the expected behavior. I agree we need some kind of loading experience though.

@JmillsExpensify So what should have happened instead of "auto close"?

[JmillsExpensify]

If we don't know for certain that we should show the RHP message or not, then the loader shouldn't be in the RHP. It should be on the entire screen. That way, we only open the RHP if it's relevant.