Add Identity Verification for Invite flow
What does this MR do and why?
This adds Identity Verification for the Invite flow.

Before this change, invited users would get an Arkose score but would always be handled as Low risk. This is because:

- the Arkose score was saved after the sign-up request, and
- email addresses of invited users are auto-confirmed

This MR enables Identity Verification for invited users by:

- saving the Arkose risk score on the user before the first call to `active_for_authentication?`
- overriding `active_for_authentication?` so auto-confirmed users are not signed in automatically if they are Medium or High risk

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/127+
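The two changes above, as an added illustration that is not GitLab's code: a minimal stand-in for a Devise-style user model where `active_for_authentication?` is overridden so that a confirmed (auto-confirmed) user with a Medium or High risk band is not treated as active until identity verification completes. Apart from `active_for_authentication?` itself, every class, attribute and method name here is hypothetical, and `signup_outcome` simulates the ordering problem the MR describes (score saved after the first check versus before it).

```ruby
# Added illustration (not GitLab's code): a minimal stand-in for a Devise-style
# user model showing the two changes the MR describes. All names other than
# `active_for_authentication?` are hypothetical.
require 'set'

class InvitedUser
  # Risk bands are the Arkose Labs session risk categories the MR refers to.
  RISK_BANDS = %w[low medium high].freeze
  # Bands that block automatic sign-in until identity verification completes.
  BLOCKING_RISK_BANDS = Set.new(%w[medium high]).freeze

  attr_reader :email, :arkose_risk_band
  attr_accessor :identity_verified

  def initialize(email)
    @email = email
    @confirmed = true          # invited users' emails are auto-confirmed
    @arkose_risk_band = nil    # nothing saved yet
    @identity_verified = false
  end

  # Persist the risk band from the Arkose session. The MR's point is that this
  # must happen *before* active_for_authentication? is first consulted.
  def save_arkose_risk_band!(band)
    raise ArgumentError, "unknown risk band #{band.inspect}" unless RISK_BANDS.include?(band)

    @arkose_risk_band = band
    self
  end

  def confirmed?
    @confirmed
  end

  # Mirrors what Devise's Confirmable contributes: a confirmed user is active.
  def base_active_for_authentication?
    confirmed?
  end

  # The override: a confirmed user is still not signed in automatically while
  # identity verification is outstanding and the risk band is medium/high.
  # A band that has not been saved yet counts as low risk, which is exactly
  # the pre-change behaviour the ordering bug produced.
  def active_for_authentication?
    return false unless base_active_for_authentication?
    return true if identity_verified

    !BLOCKING_RISK_BANDS.include?(arkose_risk_band)
  end

  # True when the user is confirmed but must still pass identity verification.
  def identity_verification_required?
    base_active_for_authentication? && !active_for_authentication?
  end
end

# Simulates the two orderings of "save score" and "first active_for_authentication? call".
# Returns [active_at_first_check, active_after_score_saved].
def signup_outcome(band, save_before_check:)
  user = InvitedUser.new('invitee@example.com') # constructed sample address
  user.save_arkose_risk_band!(band) if save_before_check
  first_check = user.active_for_authentication?
  user.save_arkose_risk_band!(band) unless save_before_check
  [first_check, user.active_for_authentication?]
end

if __FILE__ == $PROGRAM_NAME
  puts "score saved after first check, high risk: #{signup_outcome('high', save_before_check: false).inspect}"
  puts "score saved before first check, high risk: #{signup_outcome('high', save_before_check: true).inspect}"
  puts "score saved before first check, low risk:  #{signup_outcome('low', save_before_check: true).inspect}"
end
```

With the score saved late, the first check returns `true` regardless of the band (the user is signed in before any risk is known); with the score saved first, a medium or high band makes `active_for_authentication?` return `false` until `identity_verified` is set.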
How to set up and validate locally
1. Enable identity verification and Arkose Labs on signup (the Arkose Labs public and private API keys can be found in the 1Password Engineering Vault entry named "ArkoseLabs API keys > GITLAB - DEVELOPMENT - REGISTRATION FLOW"):

   ```ruby
   Feature.enable(:identity_verification)
   Feature.enable(:identity_verification_phone_number)
   Feature.enable(:arkose_labs_signup_challenge)
   Feature.disable(:soft_email_confirmation)
   ApplicationSetting.current.update(email_confirmation_setting: 2)
   ApplicationSetting.current.update(require_admin_approval_after_user_signup: false)
   # replace *** with the keys from the 1Password entry above
   ApplicationSetting.current.update(arkose_labs_public_api_key: ***, arkose_labs_private_api_key: ***, arkose_labs_namespace: 'client')
   ```

2. Force ArkoseLabs to always require the user to solve the challenge. Update `ee/app/assets/javascripts/arkose_labs/components/sign_up_arkose_app.vue`, line 63:

   ```diff
    arkoseObject.setConfig({
   +  data: { id: 'ML_defence' }, // ADD THIS LINE
      mode: 'inline',
      selector: `.${this.arkoseContainerClass}`,
      onShown: this.onArkoseLabsIframeShown,
      onCompleted: this.passArkoseLabsChallenge,
    });
   ```

3. Go to a local group's members page (`http://localhost:3000/groups/{local_group}/-/group_members`) and click the **Invite members** button.
4. Fill in an email address and click **Invite**.
5. Go to http://localhost:3000/rails/letter_opener and open the link from the **Join now** button in an incognito tab (the link looks like `http://localhost:3000/-/invites/zPrSs1e4KZ1qZD2ff9Jw?invite_type=initial_email`).
6. Register the user.
7. Verify you are redirected to `http://localhost:3000/users/identity_verification` and the page looks like this:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.