Fix potential race condition bug in pwless login

[alexvuong]

Description

There is a potential bug in pwless logic in check out contract info form when users click "Secure Link" to submit pwless flow.

const submitForm = async (data) => {
        setError(null)
        if (isPasswordlessLoginClicked) {
            handlePasswordlessLogin(data.email)
            setIsPasswordlessLoginClicked(false)
            return
        }
....
}

We are trying to setState during submission and expecting the state to update immediately. This is a wrong and bug-prone because React setSate is asynchronous. See explanation here.
This will result in a race condition that we are not anticipating in very slow devices
This bug shows up during unit tests, but we are cheating by clicking the "Secure Link" button twice which forces a a re-rendering the component where it is not supposed in reality. The users on the browser never has to click twice on "Secure Link" to see the modal pop up.

Why It Works in Browser (Single Click)

1. Natural Timing Delays
   In the browser, there are natural micro-delays between:
   User click → Event handler execution
   State update → Form submission
   DOM updates → Re-rendering
   These small delays give React time to process the state update before the form submission logic runs.
2. Event Loop Differences
   The browser's event loop processes things differently than the test environment:
   Browser: Asynchronous, with natural pauses for repainting, user interaction, etc.
   Test: Synchronous, everything happens in the same tick
3. React's Batching Behavior
   React batches state updates differently in:
   Browser: More time between batches, allowing updates to complete
   Test: Immediate batching, exposing race conditions

Types of Changes

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Documentation update
• Breaking change (could cause existing functionality to not work as expected)
• Other changes (non-breaking changes that does not fit any of the above)

Breaking changes include:

• Removing a public function or component or prop
• Adding a required argument to a function
• Changing the data type of a function parameter or return value
• Adding a new peer dependency to package.json

Changes

• (change1)

How to Test-Drive This PR

• Check out code
• enabled pwless login
• run unit tests and make sure all tests are passed
• Enabled pwless and set up private slas to test the feature

Checklists

General

• Changes are covered by test cases
• CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the follow two lists:

• There are no changes to UI

or...

• Changes were tested with a Screen Reader (iOS VoiceOver or Android Talkback) and had no issues
• Changes comply with WCAG 2.0 guidelines levels A and AA
• Changes to common UI patterns and interactions comply with WAI-ARIA best practices

Localization

• Changes include a UI text update in the Retail React App (which requires translation)

[cc-prodsec]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

[alexvuong]

We know that pwless does not require the same flow as other flows, we can safely use type=button to avoid it go through submission and handle the flow right in the onPasswordlessLoginClick handler

[alexvuong]

Fix error during tests

 console.error
    TypeError: Invalid URL: undefined//mobify/proxy/api
        ....

[hajinsuha1]

Thanks @alexvuong for looking into this and finding a fix!
There are 2 other places that use the same pattern for the passwordless login that likely have the same issue:

• use-auth-modal.js (the pop login modal) ->

  pwa-kit/packages/template-retail-react-app/app/hooks/use-auth-modal.test.js

  Lines 206 to 208 in 79078ef

  	// Click the button twice as the isPasswordlessLoginClicked state doesn't change after the first click
  	await user.click(passwordlessLoginButton)
  	await user.click(passwordlessLoginButton)

• app/pages/login/index.jsx (the /login page) -> No unit test for passwordless but likely has the same issue:

  pwa-kit/packages/template-retail-react-app/app/pages/login/index.jsx

  Lines 209 to 211 in 79078ef

  	handlePasswordlessLoginClick={() => {
  	setLoginType(LOGIN_TYPES.PASSWORDLESS)
  	}}

[adamraya]

This would be the first time we introduce a regex to validate email in the app. The regex doesn't cover all valid email scenarios (e.g., internationalized domains, plus signs, etc.).

Should we stick with react-hook-form's native validation like we do in other places?

pwa-kit/packages/template-retail-react-app/app/components/passwordless-login/index.jsx

Line 29 in fb61a7b

const isValid = await form.trigger()

Example:

const validateEmail = async () => {
    const isValid = await form.trigger('email')
    return isValid
}

[alexvuong]

good call, I will work on that

[alexvuong]

it is fixed

[alexvuong]

@hajinsuha1 @adamraya Thanks for reviewing. I've addressed your comments. I've fixed the same flow for login and use-auth-modal.

[alexvuong]

@hajinsuha1 Good catch, I've changed the code to make pwless to be aware on Enter key. Please have another review when you have time
@adamraya @yunakim714 Please have another review when you have time as well

I've deployed the bundle to this env if you want to test it on MRT https://runtime.commercecloud.com/salesforce-systems/scaffold-pwa/test-env-3

[alexvuong]

we don't need this prop in the logic but we can't remove it now since it will be a breaking change.

[alexvuong]

we don't need this prop in the logic but we can't remove it now since it will be a breaking change.

[hajinsuha1]

Thanks for taking the time to fix this! Retested and everything looks good.

[adamraya]

I tested the changes on my machine and LGTM