Prevent reuse of credit cards that were previously used by banned users
What does this MR do and why?
This MR resolves the task "Prevent credit cards associated with previously banned accounts from creating new accounts", part of "CC/Phone Verification should fail for medium/high risk users that use a cc or phone number that has previously been banned".
It updates the credit card verification step of identity verification to add a check ensuring the credit card provided by the user has not been previously used by a banned user. If the provided credit card details are reused the step fails and the user is prompted to try a different credit card.
The check is done by searching for Users::CreditCardValidation records associated with a Users::BannedUser that match the following details of the provided credit card:
- Card expiration date
- Last four digits of the card
- Card network (Visa, Mastercard, etc.)
- Cardholder name
Database changes
Queries for Users::CreditCardValidation#similar_records and Users::CreditCardValidation#similar_holder_names_count are unchanged, hence their absence in this section. The methods are only refactored to extract scopes that can be reused for Users::CreditCardValidation#used_by_banned_user?.
Users::CreditCardValidation#used_by_banned_user?
Raw SQL

```sql
SELECT
  1 AS one
FROM
  "user_credit_card_validations"
  INNER JOIN "banned_users" ON "banned_users"."user_id" = "user_credit_card_validations"."user_id"
WHERE
  "user_credit_card_validations"."expiration_date" = '2024-09-24'
  AND "user_credit_card_validations"."last_digits" = 5932
  AND "user_credit_card_validations"."network" = 'Mastercard'
  AND (lower(holder_name) = lower('EUGIE L LIMPIN'))
LIMIT 1
```
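The following is an added example, not GitLab's own code, that models the `used_by_banned_user?` check described above in plain Ruby so it can be run without Rails. It reproduces the semantics of the raw SQL: only validations whose `user_id` appears in `banned_users` count (the INNER JOIN), `expiration_date`, `last_digits` and `network` must match exactly, and `holder_name` is compared case-insensitively (the `lower()` on both sides). The `CreditCardValidation` struct, the in-memory sample data and the `expiration_date_from_form` helper (which turns the form's "MM/YYYY" into the last day of that month, as the `end_of_month` value in the setup steps does) are assumptions for illustration.

```ruby
# Added example, not GitLab's own code: a plain-Ruby model of the
# Users::CreditCardValidation#used_by_banned_user? check described in this MR.
# It reproduces the raw SQL above (INNER JOIN on banned_users, equality on
# expiration_date / last_digits / network, case-insensitive holder_name)
# over an in-memory dataset so it runs without Rails.
require 'date'

CreditCardValidation = Struct.new(
  :user_id, :expiration_date, :last_digits, :network, :holder_name,
  keyword_init: true
)

# Constructed sample data (assumption, mirrors the "Set up" section):
# user 2 is banned and has a stored validation; user 3 is in good standing.
BANNED_USER_IDS = [2].freeze

VALIDATIONS = [
  CreditCardValidation.new(user_id: 2, expiration_date: Date.new(2030, 4, 30),
                           last_digits: 4242, network: 'Visa', holder_name: 'Chris McLovin'),
  CreditCardValidation.new(user_id: 3, expiration_date: Date.new(2028, 1, 31),
                           last_digits: 1111, network: 'Visa', holder_name: 'Pat Example')
].freeze

# Helper (assumption): the form collects "MM/YYYY"; the stored column holds the
# last day of that month, matching the end_of_month value used in the setup steps.
def expiration_date_from_form(mm_yyyy)
  month, year = mm_yyyy.split('/').map(&:to_i)
  Date.new(year, month, -1) # day -1 selects the last day of the month
end

# Equivalent of the WHERE clause: every field must match, and holder_name is
# compared with lower() on both sides. Only rows whose user_id is in
# banned_users are considered, which is what the INNER JOIN enforces.
def used_by_banned_user?(card, validations: VALIDATIONS, banned_ids: BANNED_USER_IDS)
  validations.any? do |v|
    banned_ids.include?(v.user_id) &&
      v.expiration_date == card[:expiration_date] &&
      v.last_digits == card[:last_digits] &&
      v.network == card[:network] &&
      v.holder_name.downcase == card[:holder_name].downcase
  end
end

if __FILE__ == $PROGRAM_NAME
  reused = { expiration_date: expiration_date_from_form('04/2030'), last_digits: 4242,
             network: 'Visa', holder_name: 'CHRIS MCLOVIN' }
  clean  = reused.merge(expiration_date: expiration_date_from_form('05/2030'))
  puts "reused card flagged: #{used_by_banned_user?(reused)}" # true
  puts "clean card flagged:  #{used_by_banned_user?(clean)}"  # false
end
```

Note that the reused card is flagged even though the cardholder name is submitted in upper case, while changing any single field (here the expiration month, as in the second "Validate" step) escapes the match, and a card that belongs to a non-banned user is never flagged.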
Screenshots or screen recordings
| Case | Recording |
|---|---|
| User used a credit card that was already used by a banned user | Screen_Recording_2023-04-18_at_4.17.31_PM |
| User used a "clean" credit card | Screen_Recording_2023-04-18_at_4.22.41_PM |
How to set up and validate locally
Set up
- Ensure that you have a local CustomersDot installation with Zuora set up to use the Eugie CC Payment hosted page. Eugie CC Payment is configured to point to a local GDK instance running on http://localhost:3000
- Run GDK emulating SaaS

  ```shell
  $ export GITLAB_SIMULATE_SAAS=1
  $ gdk start
  ```
- Enable feature flags

  ```ruby
  $ rails console
  > Feature.enable(:identity_verification)
  > Feature.enable(:identity_verification_credit_card)
  ```
Also, ensure that:
- the arkose_labs_signup_challenge, arkose_labs_login_challenge, and identity_verification_phone_number feature flags are disabled
- Gitlab::CurrentSettings.require_admin_approval_after_user_signup is false
- Gitlab::CurrentSettings.email_confirmation_setting is 'hard'
- Create a banned user and a corresponding Users::CreditCardValidation

  ```ruby
  $ rails console
  # Let's use the second user
  > banned_user = User.find(2)
  > banned_user.ban!
  > banned_user.banned?
  => true
  > Users::CreditCardValidation.create(user: banned_user, credit_card_validated_at: 1.month.ago, expiration_date: 7.years.from_now.end_of_month, last_digits: 4242, holder_name: 'Chris McLovin', network: 'Visa')
  ```
Validate
- Create a new user via http://localhost:3000/users/sign_up
- After signing up you should see the identity verification page
- Assign a High ArkoseLabs risk score to the new user

  ```ruby
  $ rails console
  > UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')
  ```
- Refresh the identity verification page. You should now see the credit card verification step
- Fill in and submit the form with the following values:
  - Name on card: "Chris McLovin"
  - Card number: 4242 4242 4242 4242
  - Expiration date: 04/2030
  - CVC: Any 3-digit number
- Validate that an error is shown and the credit card form is redisplayed
- Fill in and submit the form with the following values:
  - Name on card: Any, as long as it's not "Chris McLovin"
  - Card number: 4242 4242 4242 4242
  - Expiration date: Any future date, as long as it's not 04/2030
  - CVC: Any 3-digit number
- Validate that the verification step succeeds
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.