[$250] Settings-"Can't merge accounts" message when entering the wrong magic code

[mitarachim]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Version Number: 9.1.32-0
Reproducible in staging?: Yes
Reproducible in production?: Yes
If this was caught on HybridApp, is this reproducible on New Expensify Standalone?: N/A
If this was caught during regression testing, add the test name, ID and link from TestRail: #59911
Email or phone of affected tester (no customers): [email protected]
Issue reported by: Applause Internal Team
Device used: Windows 10/ Chrome, Samsung S23FE/ Android 14
App Component: User Settings

Action Performed:

1. Go to https://staging.new.expensify.com/
2. Log in with any Expensifail account
3. Go to Account > Security
4. Click on Merge account
5. Enter the email of another account that has enabled 2FA
6. Mark "I understand this is not reversible" checkbox
7. Click Next
8. Enter an incorrect magic code

Expected Result:

"Incorrect magic code" error message should be displayed.

Actual Result:

The "Can't merge accounts" page is displayed when entering the wrong magic code.

Workaround:

Unknown

Platforms:

• Android: Standalone
• Android: HybridApp
• Android: mWeb Chrome
• iOS: Standalone
• iOS: HybridApp
• iOS: mWeb Safari
• MacOS: Chrome / Safari
• MacOS: Desktop

Screenshots/Videos

Bug6811076_1745444226945.Can_t_merge_accounts_message.mp4

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~021919788267658176477
• Upwork Job ID: 1919788267658176477
• Last Price Increase: 2025-05-06

Issue Owner

Current Issue Owner: @thienlnam

[melvin-bot]

Triggered auto assignment to @slafortune (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[melvin-bot]

@slafortune Eep! 4 days overdue now. Issues have feelings too...

[melvin-bot]

@slafortune 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[melvin-bot]

@slafortune 10 days overdue. Is anyone even seeing these? Hello?

[slafortune]

@mitarachim What were the email addresses that were being merged? It's unclear what the error should be if there were other reasons that the two accounts could not be merged. It's not necessarily the cause of the incorrect magic code. Can't merge accounts would be the safest error with multiple issues.

[mitarachim]

Hello @slafortune , as per step 5 in this case we merge with email of another account that has enabled 2FA.
And as per step 8 in this issue is Enter an incorrect magic code , so QA team assume to see "Incorrect magic code" as error message. But in this case we get error message as below screenshot

[slafortune]

I was interested in the specific emails due to the member group restrictions in the domain setting as well as verified domains. You are not able to merge two accounts is they are both from a verified domain. So, regardless of whether there is 2FA enabled, and an incorrect magic code is entered, it could still be 2 accounts that are not able to be merged.

[mitarachim]

Sorry for late respond @slafortune, this issue also happen while we merge with gmail account with 2FA enabled . is the same error message as expected here?

Screen.Recording.2025-05-06.at.5.11.46.AM.mp4

[slafortune]

Thanks - No, not with a Gmail account.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~021919788267658176477

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @c3024 (External)

[linhvovan29546]

I think this issue should be marked as internal.

[huult]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Settings-"Can't merge accounts" message when entering the wrong magic code

What is the root cause of that problem?

We haven't handled the invalid code case yet.

App/src/pages/settings/Security/MergeAccounts/AccountValidatePage.tsx

Line 164 in 7b2e73d

validateError={validateCodeError}

What changes do you think we should make in order to solve the problem?

To resolve this issue, we must add new case for invalid code.

1. Update the backend to check for the invalid code case
2. Update the frontend to check for the invalid code case and prevent navigation to the error page

We defined a new constant isInvalidCode based on the backend respons

Example:

    // const isInvalidCode = mergeWithValidateCode?.validateCodeError;
    const isInvalidCode = true;

Prevent navigation to the error page when the code is invalid.

App/src/pages/settings/Security/MergeAccounts/AccountValidatePage.tsx

Line 111 in 7b2e73d

if (!errorPage || !email) {

update to:

  if (!errorPage || !email || isInvalidCode) {

Get the invalid code error message to display. If validateCodeError is unavailable, we will discuss it with the backend team:

App/src/pages/settings/Security/MergeAccounts/AccountValidatePage.tsx

Line 164 in 7b2e73d

validateError={validateCodeError}

update to

example:

 validateError={isInvalidCode ? 'Incorrect magic code. Please try again or request a new code' : validateCodeError}

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

none

What alternative solutions did you explore? (Optional)

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.

[melvin-bot]

@slafortune @c3024 this issue was created 2 weeks ago. Are we close to approving a proposal? If not, what's blocking us from getting this issue assigned? Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

[c3024]

@Expensify/design

When the user inputs an incorrect magic code and the backend rejects it, I think we should show the magic code error and stay on the magic code page. Presently, it navigates to "Can't merge accounts" message page even for this incorrect magic code case as shown in the video attached in the OP. I think we should change this behaviour.

[dannymcclain]

That makes sense to me.

[shawnborton]

Yup, makes sense to me too 👍

[c3024]

I think we should stay on the magic code page if a user inputs an invalid magic code and the backend rejects it. This requires the backend to send a different key-value pair in the errors object, with the value being the message for an incorrect code under mergeWithValidateCode. We can then check if the latest error corresponds to an invalid code and prevent navigation to the “Can’t merge accounts” page, similar to how getMergeErrorPage checks the error value.

For the frontend part, @huult’s proposal to prevent navigation when the backend response contains this specific error value for an invalid magic code looks good to me.

🎀 👀 🎀 C+ reviewed!

[melvin-bot]

Triggered auto assignment to @thienlnam, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[linhvovan29546]

@c3024 Just wondering — are you testing with an account that doesn't have 2FA enabled? I'm asking because I believe we've already displayed the invalid error

[c3024]

Yes, that’s true. The backend returns the invalid magic code error even when merging an account that doesn’t have 2FA enabled.

However, this currently maps to the 2FA string in the code:

App/src/pages/settings/Security/MergeAccounts/AccountValidatePage.tsx

Lines 67 to 68 in e2440c8

	if (err.includes('Invalid validateCode')) {
	return 'mergeAccountsPage.accountValidate.errors.incorrect2fa';

so it shows an incorrect error message on the frontend. This should be fixed to display an “invalid magic code” error instead of a 2FA error.

Even when merging an account with 2FA enabled, I think if the magic code is incorrect, we should still show the magic code error and stay on the magic code page, rather than navigating to the 2FA enabled error page.

[thienlnam]

We send back the 401 Cannot merge accounts - 2FA enabled first since we check if the account we are merging into is valid before checking the magic code. So despite the magic code being incorrect, it won't actually merge the account. It's a small detail so not sure we should prioritize this. @slafortune What do you think

[huult]

I think we should fix this to make it consistent with the verify code case. If the code is wrong, we should show an 'invalid' message to make it clear to the user. Otherwise, they won't know what went wrong or why

[slafortune]

@thienlnam I agree that this is splitting hairs and am in favor of closing this. There are plenty of reasons an account can't be merged - I think that an incorrect magic code is the least of them.

[melvin-bot]

@thienlnam Whoops! This issue is 2 days overdue. Let's get this updated quick!

[melvin-bot]

@thienlnam Still overdue 6 days?! Let's take care of this!

[melvin-bot]

@slafortune @thienlnam @c3024 this issue is now 4 weeks old, please consider:

• Finding a contributor to fix the bug
• Closing the issue if BZ has been unable to add the issue to a VIP or Wave project
• If you have any questions, don't hesitate to start a discussion in #expensify-open-source

Thanks!

[huult]

If we decide to move forward with a fix, just let me know, I’m ready to do it.

[thienlnam]

Cool closing - context here