Identity Verification should only affect new users

Eugie Limpin requested to merge el-limit-identity-verification-to-new-users into master

Resolves: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/239

What does this MR do and why?

This MR updates the logic that determines users' identity verification state (User#identity_verified?) so that the Identity Verification flow only affects new users.

The updated logic treats users that have already signed in before as verified if their email is already verified.

This prevents the scenario where a user has to verify their identity multiple times. For example:

  1. identity_verification FF is enabled while identity_verification_credit_card is disabled
  2. A user registers, is assigned High risk band, verifies their email as prompted, and starts using GitLab
  3. identity_verification_credit_card FF is enabled
  4. User signs out and signs in again
  5. User is redirected to Identity Verification which requires them to verify their credit card
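To make the rule described above concrete, here is an added Ruby model of the before/after behaviour for the five-step scenario. It is illustrative code written for this page, not GitLab's implementation; the User and Flags structs and the function names are constructed stand-ins.

```ruby
# Added illustration (not GitLab's code): a self-contained model of the rule
# described in this MR. Flags, User and the method names are constructed.

# Stand-in for the two feature flags named in the description.
Flags = Struct.new(:identity_verification, :identity_verification_credit_card, keyword_init: true)

# Stand-in for a user record. `signed_in_before` mirrors "has already signed in
# before"; `risk_band` mirrors the arkose_risk_band custom attribute.
User = Struct.new(:email_verified, :credit_card_verified, :risk_band, :signed_in_before, keyword_init: true)

# Steps a user must complete: email always; credit card only when that flag is
# on and the user was placed in the High risk band.
def required_steps(user, flags)
  steps = [:email]
  steps << :credit_card if flags.identity_verification_credit_card && user.risk_band == 'High'
  steps
end

def all_steps_done?(user, flags)
  required_steps(user, flags).all? do |step|
    case step
    when :email then user.email_verified
    when :credit_card then user.credit_card_verified
    end
  end
end

# Behaviour before this MR: every sign-in re-evaluates the user against the
# flags as currently set, so a newly enabled step applies to existing users too.
def identity_verified_before?(user, flags)
  return true unless flags.identity_verification
  all_steps_done?(user, flags)
end

# Behaviour after this MR: a returning user with a verified email is treated as
# verified; only new users are held to the full flow.
def identity_verified_after?(user, flags)
  return true unless flags.identity_verification
  return true if user.signed_in_before && user.email_verified
  all_steps_done?(user, flags)
end

# The five-step scenario from the description, as constructed data: High risk
# band, email verified while the credit card flag was off, then the flag is
# enabled and the user signs in again.
def scenario
  user = User.new(email_verified: true, credit_card_verified: false, risk_band: 'High', signed_in_before: true)
  flags = Flags.new(identity_verification: true, identity_verification_credit_card: true)
  { before: identity_verified_before?(user, flags), after: identity_verified_after?(user, flags) }
end
```

Under the old rule the returning user is sent back to Identity Verification for the credit card step; under the new rule their verified email is sufficient, while a brand-new High-risk user still has to complete both steps.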

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Set up

  1. Toggle identity_verification* feature flags and disable require_admin_approval_after_user_signup

    $ rails console
    > Feature.disable(:arkose_labs_signup_challenge) # disable this. We'll just manually assign a risk band for the user in step 4
    > Feature.enable(:identity_verification)
    > Feature.disable(:identity_verification_credit_card) # disable this for now
    > ApplicationSetting.first.update(require_admin_approval_after_user_signup: false)
  2. Create a new user from /users/sign_up

  3. Validate that you are redirected to the Identity Verification page with the email verification step

    [Screenshot: Screenshot_2023-02-14_at_3.42.58_PM]

  4. Assign "High" ArkoseLabs risk band to the user

    $ rails console
    > UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')
  5. Get the email verification code from Letter Opener (http://localhost:3000/rails/letter_opener) and use it to verify the new user's email

Validate

  1. Sign out
  2. Enable identity_verification_credit_card feature flag

    $ rails console
    > Feature.enable(:identity_verification_credit_card)
  3. Sign in
  4. Validate that you are not redirected to the Identity Verification page

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin