
Set sms_send_count to 1 if last SMS was sent before the current day

Eugie Limpin requested to merge el-reset-sms-send-data into master

Context

Currently, sms_send_count and sms_sent_at are only reset when a user is rate limited and the user has to wait for the current day (UTC) to end before they can trigger SMS send again.

Without resetting these values after the current day ends, the following flow can happen:

  1. Day 1: User triggers SMS send but does not use the sent code - next SMS send is only allowed after 1 minute (correct behavior)
  2. Day 2: User triggers SMS send - instead of the expected 1 minute wait time they have to wait for 3 minutes
  3. Day 3: User triggers SMS send - instead of the expected 1 minute wait time they have to wait for 5 minutes
  4. Day 4: User triggers SMS send - instead of the expected 1 minute wait time they have to wait for 10 minutes

What does this MR do?

Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/573

This MR updates PhoneVerification::Users::SendVerificationCodeService such that it sets sms_send_count to 1 instead of incrementing it when the previous SMS (sms_sent_at) was sent before the current day.
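The reset rule described above, as an added example that is not GitLab's own code: a small plain-Ruby model of the phone-validation record that compares the previous `sms_sent_at` with the current UTC day and either resets `sms_send_count` to 1 or increments it. The `PhoneValidation` struct, the `SMS_WAIT_MINUTES` schedule (taken from the 1/3/5/10 minute waits listed in the flow above, capped at the last value), and the helper names are assumptions for illustration; the `reset:` flag switches between the old always-increment behaviour and the corrected behaviour so the four-day flow can be replayed.

```ruby
require 'date'
require 'time'

# Constructed escalating wait schedule (minutes) indexed by the number of
# SMS already sent in the current UTC day; the values come from the MR's
# example flow. Capping at the last entry is an assumption of this example.
SMS_WAIT_MINUTES = [1, 3, 5, 10].freeze

# Hypothetical stand-in for the phone_number_validation record.
PhoneValidation = Struct.new(:sms_send_count, :sms_sent_at)

# True when the last SMS was sent on an earlier UTC calendar day (or never).
def sent_before_today?(sms_sent_at, now: Time.now.utc)
  return true if sms_sent_at.nil?

  sms_sent_at.utc.to_date < now.utc.to_date
end

# Corrected rule: start a fresh count when the previous send was on an
# earlier UTC day, otherwise keep escalating.
def next_send_count(record, now: Time.now.utc)
  return 1 if sent_before_today?(record.sms_sent_at, now: now)

  record.sms_send_count + 1
end

# Wait time the user sees after the given send count (1-based).
def wait_minutes_for(send_count)
  index = [send_count - 1, SMS_WAIT_MINUTES.size - 1].min
  SMS_WAIT_MINUTES[[index, 0].max]
end

# Record an SMS send. reset: false reproduces the old behaviour, which
# incremented sms_send_count regardless of when the last SMS was sent.
def record_sms_send!(record, now: Time.now.utc, reset: true)
  record.sms_send_count = reset ? next_send_count(record, now: now) : record.sms_send_count + 1
  record.sms_sent_at = now
  record
end

# Replay one SMS send per day for the given timestamps and return the wait
# time shown to the user after each send.
def simulate_daily_sends(send_times, reset: true)
  record = PhoneValidation.new(0, nil)
  send_times.map do |t|
    record_sms_send!(record, now: t, reset: reset)
    wait_minutes_for(record.sms_send_count)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed timestamps: one send at noon UTC on four consecutive days.
  days = (1..4).map { |d| Time.utc(2024, 3, d, 12, 0, 0) }
  puts "old behaviour waits: #{simulate_daily_sends(days, reset: false).inspect}"
  puts "new behaviour waits: #{simulate_daily_sends(days, reset: true).inspect}"
end
```

The day comparison is done on UTC dates rather than on a 24-hour interval, matching the description's "current day (UTC)": a send at 23:59 UTC followed by one at 00:01 UTC the next day starts a fresh count, while two sends within the same UTC day keep escalating.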

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification)
    > Feature.enable(:sms_send_wait_time)
  2. Configure application settings for Identity Verification

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY", require_admin_approval_after_user_signup: false, email_confirmation_setting: 'hard')
    > ApplicationSetting.first.update(telesign_customer_xid: 'XXX', telesign_api_key: 'YYY')

    Note: credentials are in 1Password under Telesign API keys (Development) and ArkoseLabs API keys (Development)

  3. Register a new user

  4. Force user to have medium risk

    > User.last.custom_attributes.by_key('arkose_risk_band').first.update!(value: 'Medium')
  5. Verify the user's email

    > User.last.update(confirmed_at: Time.zone.now)
  6. On the phone verification step, send a code to a valid phone number

  7. Verify that the resend links and buttons are disabled and display a 1 minute wait time

  8. Update sms_sent_at to have a timestamp value earlier than the current day

    > User.last.phone_number_validation.update(sms_sent_at: 1.day.ago)
  9. Reload the Identity Verification page. Verify that the Send code button is enabled again.

  10. Send a code to a valid phone number

  11. Verify that the resend links and buttons are disabled and display a 1 minute wait time (not 3 minutes)

Edited by Eugie Limpin
