Phone Verification: Verify Code
What does this MR do and why?
Part of the bigger epic https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/3 to ask users to verify their phone number if they are considered medium/high risk.
This MR introduces the VerifyPhoneVerificationCode component along with the PhoneVerification::Users::VerifyCodeService, which completes the entire phone verification feature.
- Creates POST route users/identity_verification/verify_phone_verification_code
- Creates a method in the controller which calls ::PhoneVerification::Users::VerifyCodeService. This service talks to our external provider Telesign to verify the code sent to the user.
- ApplicationRateLimiter is used to throttle the requests. Currently, it's set to a max of 10 attempts.
- Integrates this route with the front-end component
Screenshots or screen recordings
How to set up and validate locally
- Configure application settings to let a user sign-up without admin confirmation, and to require an email confirmation to be sent to the user.
> ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false, send_user_confirmation_email: true)
- Configure Arkose and TeleSign. Both of their credentials are in 1Password. Arkose will tell us which risk band a user is on - low, medium or high. Phone Verification is only asked of users if they are in the medium/high band. Telesign is used to send the verification code via SMS.
> Feature.enable(:arkose_labs_signup_challenge)
> ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
> ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)
- Enable feature flags for identity verification
> Feature.enable(:identity_verification)
> Feature.enable(:identity_verification_phone_number)
- Sign up for a new account. After, you should be redirected to the Identity Verification page (http://localhost:3000/users/identity_verification)
- Update the new user's risk band data to have 'Medium' value and refresh the identity verification page
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'Medium')
- Validate that the phone number verification step is shown
- Enter your phone number to verify it. The phone verification step should be marked as complete.
- If you'd like to re-test the flow, you can reset it by deleting the record
> ::Users::PhoneNumberValidation.last.delete
OR
> ::Users::PhoneNumberValidation.last.update(validated_at: nil)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/79