
Add Identity Verification for Invite flow

Alex Buijs requested to merge identity-verification-for-invite-flow into master

What does this MR do and why?

This adds Identity Verification for the Invite flow.

Before this change, invited users would get an Arkose score, but would always be handled as Low risk. This is because:

  • the Arkose score was saved after the sign up request and
  • email addresses of invited users are auto-confirmed

This MR enables Identity Verification for invited users by:

  1. Saving the Arkose risk score on the user before the first call to active_for_authentication?
  2. Overriding active_for_authentication? so auto-confirmed users are not signed in automatically if they are Medium or High risk

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/127+

How to set up and validate locally

  1. Enable identity verification and Arkose Labs on signup (the Arkose Labs public and private API keys can be found in the 1Password Engineering Vault entry named ArkoseLabs API keys > GITLAB - DEVELOPMENT - REGISTRATION FLOW)

    Feature.enable(:identity_verification)
    Feature.enable(:identity_verification_phone_number)
    Feature.enable(:arkose_labs_signup_challenge)
    Feature.disable(:soft_email_confirmation)
    ApplicationSetting.current.update(email_confirmation_setting: 2)
    ApplicationSetting.current.update(require_admin_approval_after_user_signup: false)
    ApplicationSetting.current.update(arkose_labs_public_api_key: ***, arkose_labs_private_api_key: ***, arkose_labs_namespace: 'client')
  2. Force ArkoseLabs to always require the user to solve the challenge. Update ee/app/assets/javascripts/arkose_labs/components/sign_up_arkose_app.vue, line 63:

    arkoseObject.setConfig({
    + data: { id: 'ML_defence' }, // ADD THIS LINE
      mode: 'inline',
      selector: `.${this.arkoseContainerClass}`,
      onShown: this.onArkoseLabsIframeShown,
      onCompleted: this.passArkoseLabsChallenge,
    });
  3. Go to a local group's members page (http://localhost:3000/groups/{local_group}/-/group_members) and click the Invite members button

  4. Fill in an email address and click Invite

  5. Go to http://localhost:3000/rails/letter_opener and open the link from the Join now button in an incognito tab (the link looks like http://localhost:3000/-/invites/zPrSs1e4KZ1qZD2ff9Jw?invite_type=initial_email)

  6. Register the user

  7. Verify you are redirected to http://localhost:3000/users/identity_verification and the page looks like this: [screenshot: Screenshot_2023-03-02_at_13.59.12]

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs
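The two changes in the MR description (persist the Arkose risk band before the first active_for_authentication? call, then let that hook refuse automatic sign-in for Medium/High risk invitees even though their email is auto-confirmed) can be shown with a small Devise-style model. This is an added example, not code from the GitLab MR or the GitLab code base: `InvitedUser`, `ConfirmableStandIn`, `save_arkose_risk_band!`, `identity_verification_required?` and `post_registration_redirect` are hypothetical stand-ins; only the `active_for_authentication?` / `inactive_message` pair follows Devise's real hook names. Treating a missing risk band as "verification required" is a fail-closed choice made here, not something the MR states.

```ruby
# Added example, not the GitLab MR's code. Minimal Devise-style model showing how an
# active_for_authentication? override keeps an auto-confirmed invited user out of the
# session when the saved Arkose risk band is Medium or High.

RISK_BANDS = %w[Low Medium High].freeze

# Stand-in for Devise's Confirmable module: a confirmed user is normally "active".
module ConfirmableStandIn
  def active_for_authentication?
    confirmed?
  end

  def inactive_message
    confirmed? ? :inactive : :unconfirmed
  end
end

# Hypothetical User model. Invited users arrive with confirmed_at already set
# (auto-confirmed), which is exactly why the extra check below is needed.
class InvitedUser
  include ConfirmableStandIn

  attr_reader :email, :arkose_risk_band
  attr_accessor :confirmed_at

  def initialize(email:, confirmed_at: nil)
    @email = email
    @confirmed_at = confirmed_at
    @arkose_risk_band = nil
  end

  def confirmed?
    !confirmed_at.nil?
  end

  # MR step 1: the risk band must be persisted on the user *before* the first
  # active_for_authentication? call, otherwise that call sees no score at all.
  def save_arkose_risk_band!(band)
    raise ArgumentError, "unknown risk band #{band.inspect}" unless RISK_BANDS.include?(band)
    @arkose_risk_band = band
  end

  # Fail-closed design choice of this example: no score is treated like a
  # non-Low score, so a missing write can never silently grant sign-in.
  def identity_verification_required?
    arkose_risk_band.nil? || arkose_risk_band != 'Low'
  end

  # MR step 2: Devise consults this hook on sign-in. Confirmation alone is no
  # longer enough; Medium/High risk users stay inactive until verified.
  def active_for_authentication?
    super && !identity_verification_required?
  end

  # Devise uses this symbol to pick the flash message / redirect reason.
  def inactive_message
    identity_verification_required? ? :identity_verification_required : super
  end
end

# Where a freshly registered invitee lands after sign-up (hypothetical controller logic).
def post_registration_redirect(user)
  return '/users/identity_verification' unless user.active_for_authentication?

  '/'
end

if __FILE__ == $PROGRAM_NAME
  invitee = InvitedUser.new(email: 'invitee@example.test', confirmed_at: Time.now)
  invitee.save_arkose_risk_band!('High')           # score saved before the check
  puts "#{invitee.email}: #{invitee.inactive_message} -> #{post_registration_redirect(invitee)}"
end
```

The order of the two calls in the usage block is the point of MR step 1: if `save_arkose_risk_band!` ran only after `post_registration_redirect`, the hook would decide without a score, which is the situation the MR fixes for auto-confirmed invitees.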
