
Improve TeleSign logging

Hinam Mehra requested to merge anti-abuse/342-improve-telesign-logging into master

What does this MR do and why?

  • TeleSign is a third-party tool we use to verify a user's phone number.
  • This change to the logging structure makes it easier to track the user journey by just running json.message: IdentityVerification*. This will give us a clear idea of how the user went about verifying their email, phone and credit card.
  • Logging the entire TeleSign response was logging too much information about a user's phone number which we don't want, so this change just logs the status of the response.
  • Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/342

Screenshots or screen recordings

Before:
"message":"Received a risk score for a phone number from Telesign","telesign_response":{"reference_id":"661E381B66CC121C93010BC58EC0C749","sub_resource":"score","status":{"updated_on":"2023-04-17T07:03:46.462049Z","code":300,"description":"Transaction successfully completed"},"errors":[],"numbering":{"original":{"complete_phone_number":"1555","country_code":"1","phone_number":"555"},"cleansing":{"call":{"country_code":"1","phone_number":"555","cleansed_code":103,"min_length":null,"max_length":null},"sms":{"country_code":"1","phone_number":"555","cleansed_code":103,"min_length":null,"max_length":null}}},"risk_insights":{"status":800,"category":[10040],"a2p":[22001,20011,20101],"p2p":[30201],"number_type":[40004],"ip":[],"email":[]},"phone_type":{"code":"8","description":"INVALID"},"location":{"city":null,"state":null,"zip":null,"metro_code":null,"county":null,"country":{"name":"United States","iso2":"US","iso3":"USA"},"coordinates":{"latitude":null,"longitude":null},"time_zone":{"name":null,"utc_offset_min":null,"utc_offset_max":null}},"carrier":{"name":""},"blocklisting":{"blocked":false,"block_code":0,"block_description":"Not blocked"},"risk":{"level":"very-high","recommendation":"block","score":907}},"telesign_status_code":"200","user_id":"20"}

After:
"class":"PhoneVerification::TelesignClient::RiskScoreService","message":"IdentityVerification::Phone","event":"Received a risk score for a phone number from Telesign","telesign_response":"Transaction successfully completed","telesign_status_code":"200","username":"iv1"}
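
The allow-list logging described above, as an added example that is not GitLab's code or part of this MR: the entry copies only status.description out of the TeleSign response, and a guard reports any phone-number data that reaches the log line. The module and method names, the 'unknown' fallback and the sample response are assumptions constructed for illustration.

```ruby
require 'json'

# Added example, not GitLab's implementation; all names here are hypothetical.
module TelesignLogEntry
  MESSAGE = 'IdentityVerification::Phone' # shared message used to search the journey

  # Allow-list: the only field copied out of the response is status.description.
  def self.build(klass:, event:, response:, http_status:, username:)
    status = response.is_a?(Hash) ? response['status'] : nil
    description = status.is_a?(Hash) ? status['description'] : nil
    {
      'class' => klass,
      'message' => MESSAGE,
      'event' => event,
      'telesign_response' => description.is_a?(String) ? description : 'unknown',
      'telesign_status_code' => http_status.to_s,
      'username' => username
    }
  end

  # Leaf values from the response's "numbering" subtree (the phone number data)
  # that appear in the serialized entry. An empty array means nothing leaked.
  def self.leaked_phone_data(entry, response)
    line = JSON.generate(entry)
    subtree = response.is_a?(Hash) ? response['numbering'] : nil
    leaves(subtree).map(&:to_s).select { |v| v.length >= 4 && line.include?(v) }.uniq
  end

  def self.leaves(node)
    case node
    when Hash then node.values.flat_map { |v| leaves(v) }
    when Array then node.flat_map { |v| leaves(v) }
    when nil then []
    else [node]
    end
  end
end

# Constructed sample response, trimmed to the fields this example reads.
SAMPLE_RESPONSE = JSON.parse(<<~RESPONSE)
  {"status": {"code": 300, "description": "Transaction successfully completed"},
   "numbering": {"original": {"complete_phone_number": "15555550100",
                              "country_code": "1", "phone_number": "5555550100"}},
   "risk": {"level": "very-high", "recommendation": "block", "score": 907}}
RESPONSE

SAMPLE_ENTRY = TelesignLogEntry.build(
  klass: 'PhoneVerification::TelesignClient::RiskScoreService',
  event: 'Received a risk score for a phone number from Telesign',
  response: SAMPLE_RESPONSE, http_status: 200, username: 'iv1'
)
puts JSON.generate(SAMPLE_ENTRY)
```

Running leaked_phone_data in a spec against each new log call keeps the allow-list from regressing if someone later logs the parsed response again.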

How to set up and validate locally

  1. Enable Phone Verification in the Rails console:
     Feature.enable(:identity_verification)
     Feature.enable(:identity_verification_phone_number)
     ApplicationSetting.first.update(email_confirmation_setting: "hard", require_admin_approval_after_user_signup: false,
     telesign_customer_xid: "<FOUND_IN_1PASSWORD>", telesign_api_key: "<FOUND_IN_1PASSWORD>")
  2. Sign up as a new user. You will be taken to the identity verification page, where you will be asked to verify your email address.
  3. Mark the user as medium risk in the console:
     UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'MEDIUM')
  4. Refresh the page. You should now see a section to verify your phone number.
  5. Enter any phone number and click on Send code.
  6. Look for a new log entry in log/application.log. You can search for IdentityVerification::Phone

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra
