Merge pull request #56604 from Expensify/michal-signout-redirect

[InternalQA] Redirect to OldDot to clear cookies

Author: mjasikowski

src/CONST.ts

@@ -1062,6 +1062,7 @@ const CONST = {
         ADMIN_DOMAINS_URL: 'admin_domains',
         INBOX: 'inbox',
         POLICY_CONNECTIONS_URL: (policyID: string) => `policy?param={"policyID":"${policyID}"}#connections`,
+        SIGN_OUT: 'signout',
     },
 
     EXPENSIFY_POLICY_DOMAIN,

src/libs/API/types.ts

@@ -87,7 +87,6 @@ const WRITE_COMMANDS = {
     VERIFY_IDENTITY: 'VerifyIdentity',
     ACCEPT_WALLET_TERMS: 'AcceptWalletTerms',
     ANSWER_QUESTIONS_FOR_WALLET: 'AnswerQuestionsForWallet',
-    LOG_OUT: 'LogOut',
     REQUEST_ACCOUNT_VALIDATION_LINK: 'RequestAccountValidationLink',
     REQUEST_NEW_VALIDATE_CODE: 'RequestNewValidateCode',
     SIGN_IN_WITH_APPLE: 'SignInWithApple',
@@ -533,7 +532,6 @@ type WriteCommandParameters = {
     [WRITE_COMMANDS.VERIFY_IDENTITY]: Parameters.VerifyIdentityParams;
     [WRITE_COMMANDS.ACCEPT_WALLET_TERMS]: Parameters.AcceptWalletTermsParams;
     [WRITE_COMMANDS.ANSWER_QUESTIONS_FOR_WALLET]: Parameters.AnswerQuestionsForWalletParams;
-    [WRITE_COMMANDS.LOG_OUT]: Parameters.LogOutParams;
     [WRITE_COMMANDS.REQUEST_ACCOUNT_VALIDATION_LINK]: Parameters.RequestAccountValidationLinkParams;
     [WRITE_COMMANDS.REQUEST_NEW_VALIDATE_CODE]: Parameters.RequestNewValidateCodeParams;
     [WRITE_COMMANDS.SIGN_IN_WITH_APPLE]: Parameters.BeginAppleSignInParams;
@@ -1091,6 +1089,7 @@ const SIDE_EFFECT_REQUEST_COMMANDS = {
 
     // PayMoneyRequestOnSearch only works online (pattern C) and we need to play the success sound only when the request is successful
     PAY_MONEY_REQUEST_ON_SEARCH: 'PayMoneyRequestOnSearch',
+    LOG_OUT: 'LogOut',
 } as const;
 
 type SideEffectRequestCommand = ValueOf<typeof SIDE_EFFECT_REQUEST_COMMANDS>;
@@ -1111,6 +1110,7 @@ type SideEffectRequestCommandParameters = {
     [SIDE_EFFECT_REQUEST_COMMANDS.CONNECT_POLICY_TO_QUICKBOOKS_DESKTOP]: Parameters.ConnectPolicyToQuickBooksDesktopParams;
     [SIDE_EFFECT_REQUEST_COMMANDS.BANK_ACCOUNT_CREATE_CORPAY]: Parameters.BankAccountCreateCorpayParams;
     [SIDE_EFFECT_REQUEST_COMMANDS.PAY_MONEY_REQUEST_ON_SEARCH]: Parameters.PayMoneyRequestOnSearchParams;
+    [SIDE_EFFECT_REQUEST_COMMANDS.LOG_OUT]: Parameters.LogOutParams;
 };
 
 type ApiRequestCommandParameters = WriteCommandParameters & ReadCommandParameters & SideEffectRequestCommandParameters;

src/libs/actions/Session/index.ts

@@ -6,7 +6,6 @@ import type {OnyxEntry, OnyxUpdate} from 'react-native-onyx';
 import Onyx from 'react-native-onyx';
 import type {ValueOf} from 'type-fest';
 import * as PersistedRequests from '@libs/actions/PersistedRequests';
-import {resolveDuplicationConflictAction} from '@libs/actions/RequestConflictUtils';
 import * as API from '@libs/API';
 import type {
     AuthenticatePusherParams,
@@ -25,6 +24,7 @@ import type {
 } from '@libs/API/parameters';
 import type SignInUserParams from '@libs/API/parameters/SignInUserParams';
 import {READ_COMMANDS, SIDE_EFFECT_REQUEST_COMMANDS, WRITE_COMMANDS} from '@libs/API/types';
+import asyncOpenURL from '@libs/asyncOpenURL';
 import * as Authentication from '@libs/Authentication';
 import * as ErrorUtils from '@libs/ErrorUtils';
 import Fullstory from '@libs/Fullstory';
@@ -56,6 +56,7 @@ import type {HybridAppRoute, Route} from '@src/ROUTES';
 import ROUTES from '@src/ROUTES';
 import SCREENS from '@src/SCREENS';
 import type Credentials from '@src/types/onyx/Credentials';
+import type Response from '@src/types/onyx/Response';
 import type Session from '@src/types/onyx/Session';
 import type {AutoAuthState} from '@src/types/onyx/Session';
 import clearCache from './clearCache';
@@ -178,7 +179,7 @@ function signInWithSupportAuthToken(authToken: string) {
 /**
  * Clears the Onyx store and redirects user to the sign in page
  */
-function signOut() {
+function signOut(): Promise<void | Response> {
     Log.info('Flushing logs before signing out', true, {}, true);
     const params = {
         // Send current authToken because we will immediately clear it once triggering this command
@@ -189,14 +190,8 @@ function signOut() {
         shouldRetry: false,
     };
 
-    API.write(
-        WRITE_COMMANDS.LOG_OUT,
-        params,
-        {},
-        {
-            checkAndFixConflictingRequest: (persistedRequests) => resolveDuplicationConflictAction(persistedRequests, (request) => request.command === WRITE_COMMANDS.LOG_OUT),
-        },
-    );
+    // eslint-disable-next-line rulesdir/no-api-side-effects-method
+    return API.makeRequestWithSideEffects(SIDE_EFFECT_REQUEST_COMMANDS.LOG_OUT, params, {});
 }
 
 /**
@@ -228,71 +223,81 @@ function isExpiredSession(sessionCreationDate: number): boolean {
 function signOutAndRedirectToSignIn(shouldResetToHome?: boolean, shouldStashSession?: boolean, killHybridApp = true) {
     Log.info('Redirecting to Sign In because signOut() was called');
     hideContextMenu(false);
-    if (!isAnonymousUser()) {
-        // In the HybridApp, we want the Old Dot to handle the sign out process
-        if (NativeModules.HybridAppModule && killHybridApp) {
-            NativeModules.HybridAppModule.closeReactNativeApp(true, false);
-            return;
-        }
-        // We'll only call signOut if we're not stashing the session and this is not a supportal session,
-        // otherwise we'll call the API to invalidate the autogenerated credentials used for infinite
-        // session.
-        const isSupportal = isSupportAuthToken();
-        if (!isSupportal && !shouldStashSession) {
-            signOut();
-        }
 
-        // The function redirectToSignIn will clear the whole storage, so let's create our onyx params
-        // updates for the credentials before we call it
-        let onyxSetParams = {};
-
-        // If we are not currently using a support token, and we received stashSession as true, we need to
-        // store the credentials so the user doesn't need to login again after they finish their supportal
-        // action. This needs to computed before we call `redirectToSignIn`
-        if (!isSupportal && shouldStashSession) {
-            onyxSetParams = {
-                [ONYXKEYS.STASHED_CREDENTIALS]: credentials,
-                [ONYXKEYS.STASHED_SESSION]: session,
-            };
-        }
-        // If this is a supportal token, and we've received the parameters to stashSession as true, and
-        // we already have a stashedSession, that means we are supportaled, currently supportaling
-        // into another account and we want to keep the stashed data from the original account.
-        if (isSupportal && shouldStashSession && hasStashedSession()) {
-            onyxSetParams = {
-                [ONYXKEYS.STASHED_CREDENTIALS]: stashedCredentials,
-                [ONYXKEYS.STASHED_SESSION]: stashedSession,
-            };
-        }
-        // Now if this is a supportal access, we do not want to stash the current session and we have a
-        // stashed session, then we need to restore the stashed session instead of completely logging out
-        if (isSupportal && !shouldStashSession && hasStashedSession()) {
-            onyxSetParams = {
-                [ONYXKEYS.CREDENTIALS]: stashedCredentials,
-                [ONYXKEYS.SESSION]: stashedSession,
-            };
-        }
-        if (isSupportal && !shouldStashSession && !hasStashedSession()) {
-            Log.info('No stashed session found for supportal access, clearing the session');
+    if (isAnonymousUser()) {
+        if (!Navigation.isActiveRoute(ROUTES.SIGN_IN_MODAL)) {
+            if (shouldResetToHome) {
+                Navigation.resetToHome();
+            }
+            Navigation.navigate(ROUTES.SIGN_IN_MODAL);
+            Linking.getInitialURL().then((url) => {
+                const reportID = getReportIDFromLink(url);
+                if (reportID) {
+                    Onyx.merge(ONYXKEYS.LAST_OPENED_PUBLIC_ROOM_ID, reportID);
+                }
+            });
         }
-        redirectToSignIn().then(() => {
+        return;
+    }
+
+    // In the HybridApp, we want the Old Dot to handle the sign out process
+    if (NativeModules.HybridAppModule && killHybridApp) {
+        NativeModules.HybridAppModule.closeReactNativeApp(true, false);
+        return;
+    }
+    // We'll only call signOut if we're not stashing the session and this is not a supportal session,
+    // otherwise we'll call the API to invalidate the autogenerated credentials used for infinite
+    // session.
+    const isSupportal = isSupportAuthToken();
+    const signOutPromise: Promise<void | Response> = !isSupportal && !shouldStashSession ? signOut() : Promise.resolve();
+
+    // The function redirectToSignIn will clear the whole storage, so let's create our onyx params
+    // updates for the credentials before we call it
+    let onyxSetParams = {};
+
+    // If we are not currently using a support token, and we received stashSession as true, we need to
+    // store the credentials so the user doesn't need to login again after they finish their supportal
+    // action. This needs to computed before we call `redirectToSignIn`
+    if (!isSupportal && shouldStashSession) {
+        onyxSetParams = {
+            [ONYXKEYS.STASHED_CREDENTIALS]: credentials,
+            [ONYXKEYS.STASHED_SESSION]: session,
+        };
+    }
+    // If this is a supportal token, and we've received the parameters to stashSession as true, and
+    // we already have a stashedSession, that means we are supportaled, currently supportaling
+    // into another account and we want to keep the stashed data from the original account.
+    if (isSupportal && shouldStashSession && hasStashedSession()) {
+        onyxSetParams = {
+            [ONYXKEYS.STASHED_CREDENTIALS]: stashedCredentials,
+            [ONYXKEYS.STASHED_SESSION]: stashedSession,
+        };
+    }
+    // Now if this is a supportal access, we do not want to stash the current session and we have a
+    // stashed session, then we need to restore the stashed session instead of completely logging out
+    if (isSupportal && !shouldStashSession && hasStashedSession()) {
+        onyxSetParams = {
+            [ONYXKEYS.CREDENTIALS]: stashedCredentials,
+            [ONYXKEYS.SESSION]: stashedSession,
+        };
+    }
+    if (isSupportal && !shouldStashSession && !hasStashedSession()) {
+        Log.info('No stashed session found for supportal access, clearing the session');
+    }
+
+    // Wait for signOut (if called), then redirect and update Onyx.
+    signOutPromise
+        .then((response) => {
             Onyx.multiSet(onyxSetParams);
-        });
-    } else {
-        if (Navigation.isActiveRoute(ROUTES.SIGN_IN_MODAL)) {
-            return;
-        }
-        if (shouldResetToHome) {
-            Navigation.resetToHome();
-        }
-        Navigation.navigate(ROUTES.SIGN_IN_MODAL);
-        Linking.getInitialURL().then((url) => {
-            const reportID = getReportIDFromLink(url);
-            if (reportID) {
-                Onyx.merge(ONYXKEYS.LAST_OPENED_PUBLIC_ROOM_ID, reportID);
+
+            if (response?.hasOldDotAuthCookies) {
+                Log.info('Redirecting to OldDot sign out');
+                asyncOpenURL(redirectToSignIn(), `${CONFIG.EXPENSIFY.EXPENSIFY_URL}${CONST.OLDDOT_URLS.SIGN_OUT}`, true, true);
+            } else {
+                redirectToSignIn();
             }
-        });
-    }
+        })
+        .catch((error: string) => Log.warn('Error during sign out process:', error));
 }
 
 /**

src/types/onyx/Response.ts

@@ -92,6 +92,9 @@ type Response = {
 
     /** The ID of the original user (returned when in delegate mode) */
     requesterID?: number;
+
+    /** If there are httponly OldDot authentication cookies stored */
+    hasOldDotAuthCookies?: boolean;
 };
 
 export default Response;

tests/actions/SessionTest.ts

@@ -4,13 +4,18 @@ import type {OnyxEntry} from 'react-native-onyx';
 import {confirmReadyToOpenApp, openApp, reconnectApp} from '@libs/actions/App';
 import OnyxUpdateManager from '@libs/actions/OnyxUpdateManager';
 import {getAll as getAllPersistedRequests} from '@libs/actions/PersistedRequests';
+// eslint-disable-next-line no-restricted-syntax
+import * as SignInRedirect from '@libs/actions/SignInRedirect';
 import {WRITE_COMMANDS} from '@libs/API/types';
+import asyncOpenURL from '@libs/asyncOpenURL';
 import HttpUtils from '@libs/HttpUtils';
 import PushNotification from '@libs/Notification/PushNotification';
 // This lib needs to be imported, but it has nothing to export since all it contains is an Onyx connection
 import '@libs/Notification/PushNotification/subscribePushNotification';
+import CONFIG from '@src/CONFIG';
 import CONST from '@src/CONST';
 import * as SessionUtil from '@src/libs/actions/Session';
+import {signOutAndRedirectToSignIn} from '@src/libs/actions/Session';
 import ONYXKEYS from '@src/ONYXKEYS';
 import type {Credentials, Session} from '@src/types/onyx';
 import * as TestHelper from '../utils/TestHelper';
@@ -23,6 +28,9 @@ HttpUtils.xhr = jest.fn<typeof HttpUtils.xhr>();
 // Mocked to ensure push notifications are subscribed/unsubscribed as the session changes
 jest.mock('@libs/Notification/PushNotification');
 
+// Mocked to check SignOutAndRedirectToSignIn behavior
+jest.mock('@libs/asyncOpenURL');
+
 Onyx.init({
     keys: ONYXKEYS,
 });
@@ -207,23 +215,77 @@ describe('Session', () => {
         expect(getAllPersistedRequests().length).toBe(0);
     });
 
-    test('LogOut should replace same requests from the queue instead of adding new one', async () => {
+    test('SignOut should return a promise with response containing hasOldDotAuthCookies', async () => {
         await TestHelper.signInWithTestUser();
         await Onyx.set(ONYXKEYS.NETWORK, {isOffline: true});
 
-        SessionUtil.signOut();
-        SessionUtil.signOut();
-        SessionUtil.signOut();
-        SessionUtil.signOut();
-        SessionUtil.signOut();
+        (HttpUtils.xhr as jest.MockedFunction<typeof HttpUtils.xhr>)
+            // This will make the call to OpenApp below return with an expired session code
+            .mockImplementationOnce(() =>
+                Promise.resolve({
+                    jsonCode: CONST.JSON_CODE.SUCCESS,
+                    hasOldDotAuthCookies: true,
+                }),
+            );
+
+        const signOutPromise = SessionUtil.signOut();
 
-        await waitForBatchedUpdates();
+        expect(signOutPromise).toBeInstanceOf(Promise);
 
-        expect(getAllPersistedRequests().length).toBe(1);
-        expect(getAllPersistedRequests().at(0)?.command).toBe(WRITE_COMMANDS.LOG_OUT);
+        expect(await signOutPromise).toStrictEqual({
+            jsonCode: CONST.JSON_CODE.SUCCESS,
+            hasOldDotAuthCookies: true,
+        });
 
         await Onyx.set(ONYXKEYS.NETWORK, {isOffline: false});
 
         expect(getAllPersistedRequests().length).toBe(0);
     });
+
+    test('SignOutAndRedirectToSignIn should redirect to OldDot when LogOut returns truthy hasOldDotAuthCookies', async () => {
+        await TestHelper.signInWithTestUser();
+        await Onyx.set(ONYXKEYS.NETWORK, {isOffline: true});
+
+        (HttpUtils.xhr as jest.MockedFunction<typeof HttpUtils.xhr>)
+            // This will make the call to OpenApp below return with an expired session code
+            .mockImplementationOnce(() =>
+                Promise.resolve({
+                    jsonCode: CONST.JSON_CODE.SUCCESS,
+                    hasOldDotAuthCookies: true,
+                }),
+            );
+
+        const redirectToSignInSpy = jest.spyOn(SignInRedirect, 'default').mockImplementation(() => Promise.resolve());
+
+        signOutAndRedirectToSignIn();
+
+        await waitForBatchedUpdates();
+
+        expect(asyncOpenURL).toHaveBeenCalledWith(Promise.resolve(), `${CONFIG.EXPENSIFY.EXPENSIFY_URL}${CONST.OLDDOT_URLS.SIGN_OUT}`, true, true);
+        expect(redirectToSignInSpy).toHaveBeenCalled();
+        jest.clearAllMocks();
+    });
+
+    test('SignOutAndRedirectToSignIn should not redirect to OldDot when LogOut return falsy hasOldDotAuthCookies', async () => {
+        await TestHelper.signInWithTestUser();
+        await Onyx.set(ONYXKEYS.NETWORK, {isOffline: true});
+
+        (HttpUtils.xhr as jest.MockedFunction<typeof HttpUtils.xhr>)
+            // This will make the call to OpenApp below return with an expired session code
+            .mockImplementationOnce(() =>
+                Promise.resolve({
+                    jsonCode: CONST.JSON_CODE.SUCCESS,
+                }),
+            );
+
+        const redirectToSignInSpy = jest.spyOn(SignInRedirect, 'default').mockImplementation(() => Promise.resolve());
+
+        signOutAndRedirectToSignIn();
+
+        await waitForBatchedUpdates();
+
+        expect(asyncOpenURL).not.toHaveBeenCalled();
+        expect(redirectToSignInSpy).toHaveBeenCalled();
+        jest.clearAllMocks();
+    });
 });