Hard limit daily phone verification transactions

What does this MR do and why?

  1. Partially resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/542
  2. Requires !138287 (merged)
  3. Related to incident 17141

When phone verification transactions (successfully sent SMS) exceed the hard daily limit of 20_000, phone verification will be turned off until the rate limit is reset at the end of the current day (UTC).

Until the rate limit is reset, all users are assumed high risk regardless of the Arkose risk band assigned to them. This means all users are required to verify 1. email 2. credit card.

How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:identity_verification)
    > Feature.enable(:hard_limit_daily_phone_verifications)
  2. Configure application settings for Identity Verification

    > ApplicationSetting.first.update(email_confirmation_setting: 'hard', require_admin_approval_after_user_signup: false)
    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
    > ApplicationSetting.first.update(telesign_customer_xid: 'XXX', telesign_api_key: 'YYY')

    Note: credentials are in 1Password under Telesign API keys (Development) and ArkoseLabs API keys (Development)

  3. Update the rate limit value to testing-friendly values

    # ee/lib/ee/gitlab/application_rate_limiter.rb
    
    # hard_phone_verification_transactions_limit: { threshold: 20_000, interval: 1.day }
    hard_phone_verification_transactions_limit: { threshold: 2, interval: 20.minutes }
  4. Restart GDK

  5. Visit http://localhost:3000/users/sign_up to register a new user

  6. Force user to have medium risk

    > User.last.custom_attributes.by_key('arkose_risk_band').first.update!(value: 'Medium')
  7. Verify the user's email

    > User.last.update(confirmed_at: Time.zone.now)

    Screencast for steps 5-7: Screen_Recording_2023-11-30_at_5.41.12_PM
  8. On the phone verification step, send a code 3 times to exceed the hard limit of phone verifications

    Screencast: Screen_Recording_2023-12-05_at_6.49.14_PM
  9. Refresh the page

  10. Verify that the user is now required to complete email and credit card verification, in that exact order. Screenshot: Screenshot_2023-12-05_at_6.52.56_PM

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
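
The behaviour this MR describes (a count of sent SMS per UTC day, and every user treated as high risk once it is exceeded) as an added Ruby sketch; it is not GitLab's code and does not use `ApplicationRateLimiter`. `DailyHardLimit`, `STEPS_BY_RISK` and `required_steps` are hypothetical names, and the 'Low' and 'Medium' step lists are assumptions.

```ruby
# Added sketch, not GitLab's implementation. DailyHardLimit, STEPS_BY_RISK and
# required_steps are hypothetical names.
class DailyHardLimit
  def initialize(threshold:)
    @threshold = threshold
    @counts = Hash.new(0) # "YYYY-MM-DD" (UTC) => SMS sent that day
  end

  # Count one successfully sent SMS against the UTC day it was sent on.
  def record_sent(now)
    @counts[day_key(now)] += 1
  end

  # True once the day's count is above the threshold; a new UTC day starts at 0.
  def exceeded?(now)
    @counts[day_key(now)] > @threshold
  end

  private

  # getutc returns a copy, so the caller's Time keeps its own zone.
  def day_key(now)
    now.getutc.strftime('%Y-%m-%d')
  end
end

# 'High' => email, credit card is from the MR description; the 'Low' and
# 'Medium' rows are assumptions made for this example.
STEPS_BY_RISK = {
  'Low' => %i[email],
  'Medium' => %i[email phone],
  'High' => %i[email credit_card]
}.freeze

# While the limit is exceeded, the assigned band is ignored and every user is
# treated as high risk, so no flow can reach the phone step.
def required_steps(risk_band, limiter, now)
  band = limiter.exceeded?(now) ? 'High' : risk_band
  STEPS_BY_RISK.fetch(band)
end

# Constructed sample: threshold 2 (the testing value above), three sends late
# on one UTC day, one of them stamped in a +09:00 zone.
limiter = DailyHardLimit.new(threshold: 2)
[Time.utc(2023, 12, 5, 23, 50), Time.utc(2023, 12, 5, 23, 52),
 Time.new(2023, 12, 6, 8, 55, 0, '+09:00')].each { |t| limiter.record_sent(t) }
p required_steps('Medium', limiter, Time.utc(2023, 12, 5, 23, 59))
p required_steps('Medium', limiter, Time.utc(2023, 12, 6, 0, 0, 1))
```

The third send is stamped 6 December local time but falls on 5 December UTC, so it counts against the same day as the first two.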