Skip to content

Add reCAPTCHA to credit card verification

What does this MR do and why?

Screenshots or screen recordings

cc_captcha_720

How to set up and validate locally

  1. Turn on feature flag
Feature.enable(:identity_verification)
Feature.enable(:identity_verification_phone_number)
Feature.enable(:identity_verification_credit_card)
Feature.enable(:soft_limit_daily_phone_verifications)
  1. Update application setting to turn on identity verification
ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")
  1. Get credentials from 1Password to connect to our external services. They will be under ArkoseLabs API keys (Development), Telesign API keys (Development) and Google reCAPTCHA (Development)
ApplicationSetting.first.update(arkose_labs_public_api_key: XX, arkose_labs_private_api_key: XX)
ApplicationSetting.first.update(telesign_customer_xid: XX, telesign_api_key: XX)
ApplicationSetting.first.update(recaptcha_site_key: XX, recaptcha_private_key: XX)
  1. Sign-up as a new user from /users/sign_up. You should see a page with content Help us keep GitLab secure.

  2. Turn on credit-card verification for the user:

UserCustomAttribute.where(user: User.last, key: 'arkose_risk_band').update(value: 'High')
User.last.update(confirmed_at: Time.now)
Users::PhoneNumberValidation.create(international_dial_code: 1, phone_number: '333', country: 'US', validated_at: Time.now, user: User.last)
  1. To trigger reCAPTCHA, apply the following patch (in order to test this we need to reduce the threshold for the number of requests from 16K to 1):
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index 5a57a14c4209..3a801c370e71 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -55,7 +55,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize
           phone_verification_challenge: { threshold: 2, interval: 1.day },
           phone_verification_send_code: { threshold: 5, interval: 1.day },
           phone_verification_verify_code: { threshold: 5, interval: 1.day },
-          soft_phone_verification_transactions_limit: { threshold: 16_000, interval: 1.day },
+          soft_phone_verification_transactions_limit: { threshold: 1, interval: 1.day },
           namespace_exists: { threshold: 20, interval: 1.minute },
           update_namespace_name: { threshold: -> { application_settings.update_namespace_name_rate_limit }, interval: 1.hour },
           fetch_google_ip_list: { threshold: 10, interval: 1.minute },
  1. And run the following command in the rails console twice:
Gitlab::ApplicationRateLimiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil)
  1. Lastly, refresh the page. You should see a card for credit-card verification with reCAPTCHA.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra

Merge request reports

Loading