fix(oauth): respect disable_institution_search for the navigation back button#353
Open
rubendinho wants to merge 1 commit into
Open
Conversation
…k button OAuthStep and OAuthError always reported showBackButton() as true, so the global navigation back button rendered on OAuth screens even when the widget was loaded with disable_institution_search: true. Clicking it also reset the step stack to the (disabled) institution search. The non-OAuth credential screens already hide the button in this configuration. The button remains available for the interstitial disclosure and waiting-for-OAuth sub-views, which handle back within the OAuth step. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
rubendinho
requested review from
Jameson13B,
ash-wright123,
codingLogan,
mwclemy and
wesrisenmay-mx
as code owners
July 16, 2026 03:49
Collaborator
|
Hello Ruben. Are you with one of MX's clients? If so, we request that all bugs/issues are reported to your MX contact directly so we can follow our correct process in resolving issues like this. Hiding the back button, l do not believe aligns with the goals of the product. So we need to receive an official bug/issue report and can look into options that align with the product goals. Thanks again! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
👋 Hi Connect team! We are heavy users of the MX Connect widget, and this PR addresses an inconsistency we've been discussing with our MX contacts (Kyle H and Rohini S): when the widget is loaded with
disable_institution_search: true, the navigation back button is hidden on the credential-based screens but still shows up on the OAuth screens.Config that reproduces it:
{ "mode": "aggregation", "current_institution_code": "mx_bank_oauth", "disable_institution_search": true }Since our UI provides its own navigation around the widget, the extra arrow gives end users two competing back buttons — and the widget-internal one strands them on the (disabled) search step.
I read through the codebase and threw some tokens at it based on my understanding of the issue and wanted to hand this PR off to the team to see if we can get this addressed.
Root cause
ConnectNavigationHeaderdelegates back-button visibility to the active step component throughshowBackButton(). The credential and consent views already consult the flag:Credentials.js→(!isProcessingMember && !connectConfig.disable_institution_search) || showInterstitialDisclosureDynamicDisclosure.tsx→!connectConfig.disable_institution_search…but
OAuthStep.jsandOAuthError.jsreturntrueunconditionally. OnOAuthStep, the click handler then dispatchesGO_BACK_CREDENTIALS, whose reducer resets the location stack to[{ step: SEARCH }], so the user lands on the disabled search screen — whereSearch.showBackButton()returnsfalseand themx/navigationback action is refused when the flag is set, so there's no way back out.Changes
OAuthStep.showBackButton()now returnsfalsewhendisable_institution_searchis set, except for the interstitial disclosure and waiting-for-OAuth sub-views, where "back" is handled within the step (mirrors theshowInterstitialDisclosurecarve-out inCredentials)OAuthError.showBackButton()gets the same treatment — "Try again" remains as the screen's primary actionRelated spots we noticed (left out to keep this minimal)
While tracing this we spotted a few adjacent code paths where the same treatment may make sense — happy to follow up with another PR if useful:
goBackCredentialsreducer (src/redux/reducers/Connect.js) unconditionally resets the location stack to[{ step: SEARCH }]. Respectingdisable_institution_searchthere would be defense-in-depth: no future view could navigate into a disabled search even if it forgets to check the flag inshowBackButton().LoginError's "Try another institution" secondary action (shown forREJECTEDmembers) dispatchesLOGIN_ERROR_START_OVERback to search regardless of the flag, while the OK primary action on the same screen already checks it.getStartingStep(src/redux/reducers/Connect.js) never considers the flag — loading withdisable_institution_search: truebut withoutcurrent_institution_guid/current_institution_code/current_member_guidstill boots intoSEARCH. Surfacing a config error (like the existingConfigErrorpath) might be friendlier than showing a search screen the host believes is disabled.Testing
npx vitest run src/views/oauth src/components/__tests__/ConnectNavigationHeader-test.jsx— all tests passnpm run lintpasses (via lint-staged on commit)tscreports no new errors (the pre-existing ones inOAuthStep-test.tsx/WaitingForOAuth-test.tsxare unchanged)Thanks for taking a look! 🙏