Re-add public domain validation and prevent same-email submission on onboarding work email by MelvinBot · Pull Request #84448 · Expensify/App

MelvinBot · 2026-03-06T19:59:52Z

Explanation of Change

PR #79909 removed the PUBLIC_DOMAINS_SET check from the onboarding "What's your work email?" screen to allow public domain emails. This caused three downstream problems: (1) backend errors on public domain emails with no UI feedback, (2) nonsensical workspace suggestions for public domains, and (3) users could enter the same email they signed up with.

This PR restores the original public domain validation in BaseOnboardingWorkEmail.tsx by re-adding the PUBLIC_DOMAINS_SET import and check in the validate() function. It also adds a new check that prevents users from submitting the same email they signed up with, using session data from Onyx.

Fixed Issues

$ #84445

PROPOSAL: #84445 (comment)

Tests

Sign up with a public domain email (e.g. gmail.com)
Navigate to the onboarding "What's your work email?" screen
Enter a public domain email (e.g. test@gmail.com)
Verify the error message "Please enter a valid work email from a private domain e.g. mitch@company.com" is shown
Enter the same email you signed up with
Verify the error message "Please enter a different email than the one you signed up with" is shown
Enter a valid private domain email (e.g. test@company.com)
Verify the form submits successfully

Verify that no errors appear in the JS console

Offline tests

Go offline while on the "What's your work email?" screen
Verify the offline error message is shown when trying to submit
Go back online
Verify the public domain and same-email validations work as expected

QA Steps

same as tests

Verify that no errors appear in the JS console

PR Author Checklist

Screenshots/Videos

Android: Native

Android: mWeb Chrome

iOS: Native

iOS: mWeb Safari

MacOS: Chrome / Safari

…onboarding work email screen Restores the PUBLIC_DOMAINS_SET check that was removed by PR #79909, and adds a new validation to prevent users from entering the same email they signed up with. Co-authored-by: Benjamin Limpich <blimpich@users.noreply.github.com>

OSBotify · 2026-03-06T20:01:09Z

🦜 Polyglot Parrot! 🦜

Squawk! Looks like you added some shiny new English strings. Allow me to parrot them back to you in other tongues:

View the translation diff

diff --git a/src/languages/de.ts b/src/languages/de.ts
index 1dd524fc..2fbe0bff 100644
--- a/src/languages/de.ts
+++ 
8000
b/src/languages/de.ts
@@ -2758,7 +2758,7 @@ ${amount} für ${merchant} – ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Bitte gib eine gültige geschäftliche E-Mail-Adresse von einer privaten Domain ein, z. B. mitch@company.com',
-            sameAsSignupEmail: 'Bitte gib eine andere E-Mail-Adresse ein als die, mit der du dich registriert hast',
+            sameAsSignupEmail: 'Bitte geben Sie eine andere E-Mail-Adresse ein als die, mit der Sie sich registriert haben',
             offline: 'Wir konnten deine geschäftliche E-Mail nicht hinzufügen, da du offenbar offline bist',
         },
         mergeBlockScreen: {
diff --git a/src/languages/fr.ts b/src/languages/fr.ts
index a94aeec0..6f046d07 100644
--- a/src/languages/fr.ts
+++ b/src/languages/fr.ts
@@ -2763,7 +2763,7 @@ ${amount} pour ${merchant} - ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Veuillez saisir une adresse e-mail professionnelle valide provenant d’un domaine privé, par ex. mitch@company.com',
-            sameAsSignupEmail: 'Veuillez saisir une adresse e-mail diff\u00e9rente de celle avec laquelle vous vous \u00eates inscrit',
+            sameAsSignupEmail: 'Veuillez saisir une adresse e-mail différente de celle avec laquelle vous vous êtes inscrit',
             offline: 'Nous n’avons pas pu ajouter votre adresse e-mail professionnelle, car vous semblez être hors ligne',
         },
         mergeBlockScreen: {
diff --git a/src/languages/it.ts b/src/languages/it.ts
index b6e931a1..404d44d6 100644
--- a/src/languages/it.ts
+++ b/src/languages/it.ts
@@ -2750,7 +2750,7 @@ ${amount} per ${merchant} - ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Inserisci un’email di lavoro valida con dominio privato, ad es. mitch@company.com',
-            sameAsSignupEmail: 'Inserisci un indirizzo email diverso da quello con cui ti sei registrato',
+            sameAsSignupEmail: 'Inserisci un’email diversa da quella con cui ti sei registrato',
             offline: 'Non è stato possibile aggiungere la tua email di lavoro perché sembri offline',
         },
         mergeBlockScreen: {
diff --git a/src/languages/ja.ts b/src/languages/ja.ts
index cc8af513..06ac961f 100644
--- a/src/languages/ja.ts
+++ b/src/languages/ja.ts
@@ -2731,7 +2731,7 @@ ${date} の ${merchant} への ${amount}`,
         },
         workEmailValidationError: {
             publicEmail: 'プライベートドメインの有効な勤務先メールアドレスを入力してください（例：mitch@company.com）',
-            sameAsSignupEmail: 'サインアップ時に使用したメールアドレスとは異なるメールアドレスを入力してください',
+            sameAsSignupEmail: 'サインアップ時に使用したものとは別のメールアドレスを入力してください',
             offline: 'オフラインのため、勤務先のメールアドレスを追加できませんでした',
         },
         mergeBlockScreen: {
diff --git a/src/languages/nl.ts b/src/languages/nl.ts
index a01645d1..418189b0 100644
--- a/src/languages/nl.ts
+++ b/src/languages/nl.ts
@@ -2750,7 +2750,7 @@ ${amount} voor ${merchant} - ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Voer een geldig zakelijk e-mailadres in van een privédomein, bijv. mitch@company.com',
-            sameAsSignupEmail: 'Voer een ander e-mailadres in dan het adres waarmee je je hebt aangemeld',
+            sameAsSignupEmail: 'Voer een ander e-mailadres in dan het e-mailadres waarmee je je hebt aangemeld',
             offline: 'We konden je werk-e-mailadres niet toevoegen omdat je offline lijkt te zijn',
         },
         mergeBlockScreen: {
diff --git a/src/languages/pl.ts b/src/languages/pl.ts
index f59eb38e..8d52fee1 100644
--- a/src/languages/pl.ts
+++ b/src/languages/pl.ts
@@ -2742,7 +2742,7 @@ ${amount} dla ${merchant} - ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Wpisz poprawny służbowy adres e‑mail z prywatnej domeny, np. mitch@company.com',
-            sameAsSignupEmail: 'Podaj inny adres e‑mail niż ten, którego użyłeś do rejestracji',
+            sameAsSignupEmail: 'Podaj inny adres e-mail niż ten, którego użyłeś przy rejestracji',
             offline: 'Nie mogliśmy dodać Twojego służbowego adresu e‑mail, ponieważ wydajesz się być offline',
         },
         mergeBlockScreen: {
diff --git a/src/languages/pt-BR.ts b/src/languages/pt-BR.ts
index 6e420cd6..d160f651 100644
--- a/src/languages/pt-BR.ts
+++ b/src/languages/pt-BR.ts
@@ -2742,7 +2742,7 @@ ${amount} para ${merchant} - ${date}`,
         },
         workEmailValidationError: {
             publicEmail: 'Insira um e-mail de trabalho válido de um domínio privado, por exemplo: mitch@company.com',
-            sameAsSignupEmail: 'Insira um e-mail diferente daquele com o qual você se cadastrou',
+            sameAsSignupEmail: 'Insira um e-mail diferente daquele com que você se cadastrou',
             offline: 'Não foi possível adicionar seu e-mail profissional, pois você parece estar offline',
         },
         mergeBlockScreen: {
diff --git a/src/languages/zh-hans.ts b/src/languages/zh-hans.ts
index dfe75816..a4f20dcb 100644
--- a/src/languages/zh-hans.ts
+++ b/src/languages/zh-hans.ts
@@ -2690,7 +2690,7 @@ ${amount}，商户：${merchant} - 日期：${date}`,
         },
         workEmailValidationError: {
             publicEmail: '请输入来自私有域的有效工作邮箱，例如：mitch@company.com',
-            sameAsSignupEmail: '请输入与注册时不同的邮箱地址',
+            sameAsSignupEmail: '请输入与注册时不同的邮箱',
             offline: '由于您似乎处于离线状态，我们无法添加您的工作邮箱',
         },
         mergeBlockScreen: {

Note

You can apply these changes to your branch by copying the patch to your clipboard, then running pbpaste | git apply 😉

View workflow run

codecov · 2026-03-06T20:09:48Z

Codecov Report

❌ Looks like you've decreased code coverage for some files. Please write tests to increase, or at least maintain, the existing level of code coverage. See our documentation here for how to interpret this table.

Files with missing lines	Coverage Δ
...es/OnboardingWorkEmail/BaseOnboardingWorkEmail.tsx	`82.85% <0.00%> (-2.44%)`	⬇️
... and 174 files with indirect coverage changes

blimpich · 2026-03-06T20:23:41Z

Asked for spanish translation here: https://expensify.slack.com/archives/C01GTK53T8Q/p1772828107884809

Corrected the spelling of 'utilizaste' in the work email validation error message.

blimpich · 2026-03-06T20:59:05Z

While we're waiting to validate the spanish translations, might as well open this up to review

melvin-bot · 2026-03-06T20:59:19Z

@aimane-chnaif Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

joekaufmanexpensify

Good for product

aimane-chnaif · 2026-03-10T20:05:11Z

Reviewer Checklist

I have verified the author checklist is complete (all boxes are checked off).
I verified the correct issue is linked in the ### Fixed Issues section above
I verified testing steps are clear and they cover the changes made in this PR
- I verified the steps for local testing are in the Tests section
- I verified the steps for Staging and/or Production testing are in the QA steps section
- I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
- I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
I checked that screenshots or videos are included for tests on all platforms
I included screenshots or videos for tests on all platforms
I verified that the composer does not automatically focus or open the keyboard on mobile unless explicitly intended. This includes checking that returning the app from the background does not unexpectedly open the keyboard.
I verified tests pass on all platforms & I tested again on:
- Android: HybridApp
- Android: mWeb Chrome
- iOS: HybridApp
- iOS: mWeb Safari
- MacOS: Chrome / Safari
- MacOS: Desktop
If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
I verified there are no new alerts related to the canBeMissing param for useOnyx
I verified proper code patterns were followed (see Reviewing the code)
- I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick).
- I verified that comments were added to code that is not self explanatory
- I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
- I verified any copy / text shown in the product is localized by adding it 8000 to src/languages/* files and using the translation method
- I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
- I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
- I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
- I verified the JSDocs style guidelines (in STYLE.md) were followed
If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
I verified that this PR follows the guidelines as stated in the Review Guidelines
I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar have been tested & I retested again)
I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
If a new component is created I verified that:
- A similar component doesn't exist in the codebase
- All props are defined accurately and each prop has a /** comment above it */
- The file is named correctly
- The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
- The only data being stored in the state is data necessary for rendering and nothing else
- For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
- Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
- All JSX used for rendering exists in the render method
- The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
If any new file was added I verified that:
- The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
If a new CSS style is added I verified that:
- A similar style doesn't already exist
- The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG)
If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
- I verified that all the inputs inside a form are aligned with each other.
- I added Design label and/or tagged @Expensify/design so the design team can review the changes.
If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
For any bug fix or new feature in this PR, I verified that sufficient unit tests are included to prevent regressions in this flow.
If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.

Screenshots/Videos

Android: HybridApp

Android: mWeb Chrome

iOS: HybridApp

iOS: mWeb Safari

MacOS: Chrome / Safari

Screen.Recording.2026-03-11.at.8.37.27.am.mov

aimane-chnaif · 2026-03-10T20:06:31Z

@MelvinBot pull main

…ainValidation Co-authored-by: Aimane Chnaif <aimane-chnaif@users.noreply.github.com>

MelvinBot · 2026-03-10T20:12:07Z

Merged main into this branch.

melvin-bot · 2026-03-10T20:12:11Z

@dukenv0307 @blimpich One of you needs to copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

chatgpt-codex-connector · 2026-03-10T20:25:46Z

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

src/pages/OnboardingWorkEmail/BaseOnboardingWorkEmail.tsx

aimane-chnaif

Looks good other than above comment and Spanish confirmation

blimpich · 2026-03-11T16:20:47Z

~~Still waiting on spanish translation, bumped the thread~~ spanish translation is approved

Co-authored-by: Aimane Chnaif <aimane-chnaif@users.noreply.github.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

MelvinBot · 2026-03-11T16:32:58Z

The failing check is unrelated to this PR's changes.

Failing test: tests/ui/SessionTest.tsx — two "Deep linking" tests:

should not remember the report path of the last deep link login after signing out and in again — exceeded 120s timeout
should not reuse the last deep link and log in again when signing out — "Can't access .root on unmounted test renderer" (cascading failure from the first test timing out)

Why it's unrelated: This PR modifies BaseOnboardingWorkEmail.tsx and language translation files — all related to onboarding work email validation. The failing tests are about deep linking and session management, which are entirely different code paths.

Evidence: Multiple other unrelated PRs are also experiencing flaky test failures in the same CI run window (different tests failing on different branches), confirming this is a pre-existing flaky test issue, not caused by this PR's changes.

melvin-bot · 2026-03-11T16:56:04Z

@aimane-chnaif Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

github-actions · 2026-03-11T17:26:36Z

🚧 @blimpich has triggered a test Expensify/App build. You can view the workflow run here.

github-actions · 2026-03-11T17:33:30Z

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #84448.

Android 🤖	iOS 🍎
❌ FAILED ❌	❌ FAILED ❌
The QR code can't be generated, because the Android build failed	The QR code can't be generated, because the iOS build failed

Web 🕸️
❌ FAILED ❌
The QR code can't be generated, because the Web build failed

👀 View the workflow run that generated this build 👀

OSBotify · 2026-03-11T20:05:27Z

🚀 Deployed to staging by https://github.com/blimpich in version: 9.3.36-0 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

OSBotify · 2026-03-12T22:50:08Z

🚀 Deployed to production by https://github.com/luacmartins in version: 9.3.36-10 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

MelvinBot assigned blimpich Mar 6, 2026

MelvinBot requested a review from a team March 6, 2026 19:59

MelvinBot mentioned this pull request Mar 6, 2026

[Due for payment 2026-03-19] Onboarding work email: re-add public domain validation and prevent same-email submission #84445

Open

update language files

2a43fa5

swap conditionals so that both cases are testable

4a8690d

Fix Spanish translation for work email validation

d36d624

Corrected the spelling of 'utilizaste' in the work email validation error message.

blimpich marked this pull request as ready for review March 6, 2026 20:59

blimpich requested a review from a team as a code owner March 6, 2026 20:59

melvin-bot bot requested review from aimane-chnaif and removed request for a team March 6, 2026 20:59

melvin-bot bot requested review from joekaufmanexpensify and removed request for a team March 6, 2026 20:59

joekaufmanexpensify previously approved these changes Mar 9, 2026

View reviewed changes

Merge remote-tracking branch 'origin/main' into claude-reAddPublicDom…

a1da551

…ainValidation Co-authored-by: Aimane Chnaif <aimane-chnaif@users.noreply.github.com>

MelvinBot requested a review from a team as a code owner March 10, 2026 20:12

melvin-bot bot requested review from blimpich and dukenv0307 and removed request for a team March 10, 2026 20:12

aimane-chnaif reviewed Mar 11, 2026

View reviewed changes

src/pages/OnboardingWorkEmail/BaseOnboardingWorkEmail.tsx Show resolved Hide resolved

aimane-chnaif approved these changes Mar 11, 2026

View reviewed changes

Fix: Trim email before validation in onboarding work email

4963a42

Co-authored-by: Aimane Chnaif <aimane-chnaif@users.noreply.github.com>

MelvinBot dismissed joekaufmanexpensify’s stale review via 4963a42 March 11, 2026 16:21

Trim email input before validation in onboarding work email

883f9ad

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

blimpich requested review from a team and removed request for dukenv0307 March 11, 2026 16:48

melvin-bot bot requested review from aimane-chnaif and removed request for a team March 11, 2026 16:56

aimane-chnaif approved these changes Mar 11, 2026

View reviewed changes

JS00001 approved these changes Mar 11, 2026

View reviewed changes

blimpich merged commit 63737d5 into main Mar 11, 2026
47 of 48 checks passed

blimpich deleted the claude-reAddPublicDomainValidation branch March 11, 2026 17:03

OSBotify mentioned this pull request Mar 11, 2026

Deploy Checklist: New Expensify 2026-03-11 #84953

Closed

vincdargento mentioned this pull request Mar 11, 2026

Expense - Amount input field loses focus #84960

Closed

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Re-add public domain validation and prevent same-email submission on onboarding work email#84448

Re-add public domain validation and prevent same-email submission on onboarding work email#84448
blimpich merged 7 commits intomainfrom
claude-reAddPublicDomainValidation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

Uh oh!

Explanation of Change

Fixed Issues

Tests

Offline tests

QA Steps

PR Author Checklist

Screenshots/Videos

Uh oh!

🦜 Polyglot Parrot! 🦜

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewer Checklist

Screenshots/Videos

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants