Add reCAPTCHA to credit card verification
What does this MR do and why?
- Resolves sub-task 2 https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/543
- Related to an incident, https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17141
- Follows up from MR, !138290 (merged)
- If the total number of phone verification requests exceeds 16K in a day, we will show reCAPTCHA to all users during credit card verification as well. This is to prevent bots from DDoSing our phone and credit card verification endpoints.
Screenshots or screen recordings
How to set up and validate locally
- Turn on the feature flags (in a Rails console):

```ruby
Feature.enable(:identity_verification)
Feature.enable(:identity_verification_phone_number)
Feature.enable(:identity_verification_credit_card)
Feature.enable(:soft_limit_daily_phone_verifications)
```
- Update the application settings to turn on identity verification:

```ruby
ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")
```
- Get the credentials for our external services from 1Password. They are stored under `ArkoseLabs API keys (Development)`, `Telesign API keys (Development)` and `Google reCAPTCHA (Development)`. Replace `XX` with the corresponding values:

```ruby
ApplicationSetting.first.update(arkose_labs_public_api_key: XX, arkose_labs_private_api_key: XX)
ApplicationSetting.first.update(telesign_customer_xid: XX, telesign_api_key: XX)
ApplicationSetting.first.update(recaptcha_site_key: XX, recaptcha_private_key: XX)
```
- Sign up as a new user from `/users/sign_up`. You should see a page with the content "Help us keep GitLab secure".
- Turn on credit card verification for the user (this marks the user as high risk, confirms the account and records an already validated phone number):

```ruby
UserCustomAttribute.where(user: User.last, key: 'arkose_risk_band').update(value: 'High')
User.last.update(confirmed_at: Time.now)
Users::PhoneNumberValidation.create(international_dial_code: 1, phone_number: '333', country: 'US', validated_at: Time.now, user: User.last)
```
- To trigger reCAPTCHA, apply the following patch (to test this locally we need to reduce the threshold for the number of requests from 16K to 1):
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index 5a57a14c4209..3a801c370e71 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -55,7 +55,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize
phone_verification_challenge: { threshold: 2, interval: 1.day },
phone_verification_send_code: { threshold: 5, interval: 1.day },
phone_verification_verify_code: { threshold: 5, interval: 1.day },
- soft_phone_verification_transactions_limit: { threshold: 16_000, interval: 1.day },
+ soft_phone_verification_transactions_limit: { threshold: 1, interval: 1.day },
namespace_exists: { threshold: 20, interval: 1.minute },
update_namespace_name: { threshold: -> { application_settings.update_namespace_name_rate_limit }, interval: 1.hour },
fetch_google_ip_list: { threshold: 10, interval: 1.minute },
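Review bot: the `threshold: 1` on the `+` line is a local-testing override of the 16_000/day soft limit the MR depends on and must not be committed; since the limiter counts a request as throttled only once the counter exceeds the threshold, a threshold of 1 trips on the second call, which is why the description asks to run the console command twice. Consider stating that in the step so a reviewer does not mistake the override for part of the change.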
- Then run the following command in the Rails console twice (the first call only increments the counter; the second call exceeds the threshold of 1):

```ruby
Gitlab::ApplicationRateLimiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil)
```
- Lastly, refresh the page. You should see a card for credit-card verification with reCAPTCHA.
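The soft-limit behaviour described above (a global daily counter on phone verification that, once exceeded, turns on reCAPTCHA for credit card verification) and the reason the console command has to run twice, as an added illustration that is not GitLab's own code. `SoftLimiter`, `record_phone_verification!` and `show_recaptcha_on_credit_card?` are hypothetical names; the counter semantics assumed here are that every `throttled?` call increments the counter and reports throttled once the count exceeds the threshold.

```ruby
# Added illustration, not GitLab's code: a minimal fixed-window counter with the
# semantics the MR's soft limit relies on. Names are hypothetical; the 16_000/day
# threshold and the 1/day test override come from the MR description.
class SoftLimiter
  Limit = Struct.new(:threshold, :interval)

  def initialize(limits, clock: -> { Time.now })
    @limits = limits
    @clock = clock
    @counters = {} # [key, scope] => [count, window_start]
  end

  # Increments the counter for +key+ (scope: nil is one global counter) and
  # returns true once the count within the interval exceeds the threshold.
  # With peek: true it only reads the counter, so checks don't consume quota.
  def throttled?(key, scope: nil, peek: false)
    limit = @limits.fetch(key)
    id = [key, scope]
    now = @clock.call
    count, started = @counters[id]
    if started.nil? || now - started >= limit.interval
      count = 0 # no window yet, or the window expired: start a fresh one
      started = now
    end
    count += 1 unless peek
    @counters[id] = [count, started]
    count > limit.threshold
  end
end

# Production limit as described in the MR; the patch in the description lowers
# the threshold to 1 so that it trips after two calls in a local test.
PRODUCTION_LIMITS = {
  soft_phone_verification_transactions_limit: SoftLimiter::Limit.new(16_000, 24 * 60 * 60)
}.freeze

# Phone verification path: each request counts as one transaction.
def record_phone_verification!(limiter)
  limiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil)
end

# Credit card path: only reads the counter, so rendering the credit card step
# does not move the phone verification count closer to its limit.
def show_recaptcha_on_credit_card?(limiter)
  limiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil, peek: true)
end
```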
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Hinam Mehra