Phone Verification: Send SMS to user
What does this MR do and why?
Part of the bigger epic https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/3 to ask users to verify their phone number if they are considered medium/high risk.
This MR integrates the front-end component InternationalPhoneInput created in !96529 (merged) with the TeleSign backend services added in !100494 (merged). As part of that it:
- Creates the POST route users/identity_verification/send_phone_verification_code
- Creates a controller method which calls ::PhoneVerification::Users::SendVerificationCodeService. This service first assesses whether the request is valid, e.g. the number is not a high-risk number like 911, it is not related to an already banned user, and the request is not rate limited. If it is valid, it sends an SMS to the phone number entered by the user.
- ApplicationRateLimiter is used to throttle the requests. Currently, it's set to a max of 10 attempts.
- Integrates this route with the front-end component InternationalPhoneInput
Screenshots or screen recordings
How to set up and validate locally
- Configure application settings to let a user sign-up without admin confirmation, and to require an email confirmation to be sent to the user.
> ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false, send_user_confirmation_email: true)
- Configure Arkose and TeleSign. They are both external services that we use. Arkose tells us which risk band a user is in: low, medium or high. Phone verification is only asked of users in the medium/high band. TeleSign is used to send the verification code via SMS.
> Feature.enable(:arkose_labs_signup_challenge)
> ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
> ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)
- Enable feature flags for identity verification
> Feature.enable(:identity_verification)
> Feature.enable(:identity_verification_phone_number)
- Sign up for a new account. After that, you should be redirected to the Identity Verification page (http://localhost:3000/users/identity_verification)
- Update the new user's risk band data to have the 'Medium' value and refresh the identity verification page
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'Medium')
- Validate that the phone number verification step is shown
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/78