Enable phone/cc verification auto-swap for opt-in identity verification
What does this MR do and why?
Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/629?work_item_iid=655.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screen_Recording_2024-04-22_at_5.05.58_PM
How to set up and validate locally
- Start GDK with SaaS simulation:

  ```shell
  $ export GITLAB_SIMULATE_SAAS=1
  $ gdk start
  ```

- Enable the relevant feature flags and configure the required settings:

  ```shell
  $ rails c
  > Feature.enable(:opt_in_identity_verification)
  > Feature.enable(:identity_verification_phone_number)
  > Feature.enable(:identity_verification_credit_card)
  > Feature.enable(:auto_request_phone_number_verification_exemption, type: :gitlab_com_derisk)
  ```

- Set up Telesign:

  ```shell
  $ rails c
  > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')
  ```

  Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT).

- Update `ee/lib/telesign/transaction_callback.rb` to skip authentication of requests to `/-/phone_verification/telesign_callback`:
diff --git a/ee/lib/telesign/transaction_callback.rb b/ee/lib/telesign/transaction_callback.rb index 679ef54a23770..843c276183b1d 100644 --- a/ee/lib/telesign/transaction_callback.rb +++ b/ee/lib/telesign/transaction_callback.rb @@ -14,6 +14,7 @@ def initialize(request, params) end def valid? + return true return false unless signature.present? # https://developer.telesign.com/enterprise/docs/authenticate-callbacks
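Review bot: the added `return true` at the top of `valid?` makes the method succeed unconditionally, so the `return false unless signature.present?` line and the Telesign callback authentication referenced in the comment after it are never reached, and any unsigned POST to `/-/phone_verification/telesign_callback` is accepted. That is the stated intent for local GDK testing, but the line must not be part of the committed change; if a bypass is needed locally, guard the early return on a development-only condition so the signature check keeps running everywhere else.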
- Log in with the `root` user.

- Send a code to a valid phone number.

- Update the reference id of the created phone number validation record:

  ```shell
  $ rails c
  > User.first.phone_number_validation.update(telesign_reference_xid: '2557312299CC1304904080F4BE17BFB4')
  ```

- Send a test callback request:

  ```shell
  $ curl -X POST http://localhost:3000/-/phone_verification/telesign_callback \
    -H 'Content-Type: application/json' \
    -d '{ "status": { "updated_on": "2016-07-08T20:52:46.417428Z", "code": 237, "description": "Error delivering SMS to handset (reason unknown)" }, "errors": {}, "reference_id": "2557312299CC1304904080F4BE17BFB4" }'
  ```

- Validate that the "Phone number verification is unavailable at this time. Please verify with a credit card instead." info alert is displayed.

- Validate that "Step 2: Verify phone number" is replaced with "Step 2: Verify a payment method".
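To make the callback step concrete, here is an added Ruby model of how a delivery-failure callback is authenticated and turned into the exemption decision that swaps the UI to credit-card verification; it is not GitLab's `Telesign::TransactionCallback` code. The HMAC-SHA256-over-body signature is a stand-in assumption rather than Telesign's documented scheme, the API key and the undeliverable-code list are constructed, and the sample body is the payload from the curl step.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Constructed sample: the callback body sent by the curl step (whitespace as in the MR).
SAMPLE_BODY = '{ "status": { "updated_on": "2016-07-08T20:52:46.417428Z", "code": 237, ' \
              '"description": "Error delivering SMS to handset (reason unknown)" }, "errors": {}, ' \
              '"reference_id": "2557312299CC1304904080F4BE17BFB4" }'

# Hypothetical API key; the real value lives in 1Password, never in code. Base64 to mimic Telesign keys.
DEV_API_KEY = Base64.strict_encode64('hypothetical-development-key').freeze

# Status codes treated as "SMS could not be delivered". 237 is the code the MR exercises;
# the list itself is an assumption, not Telesign's full status table.
UNDELIVERABLE_CODES = [237].freeze

# Stand-in signature scheme (assumption): base64(HMAC-SHA256(decoded_api_key, raw_body)).
def callback_signature(body, api_key)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', Base64.decode64(api_key), body))
end

# Constant-time comparison so a forged header cannot be matched byte by byte via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_signature?(body, header, api_key)
  return false if header.nil? || header.empty?

  secure_equal?(callback_signature(body, api_key), header)
end

# Decide what a callback means for the stored phone_number_validation record.
# :unauthenticated   -> rejected before parsing; the body of an unsigned request is never trusted
# :unknown_reference -> reference_id does not match the record's telesign_reference_xid; ignored
# :delivery_failed   -> request the phone verification exemption (UI swaps to credit card)
# :no_action         -> any other status; nothing changes
def process_callback(body, signature_header, api_key, stored_reference_xid)
  return :unauthenticated unless valid_signature?(body, signature_header, api_key)

  payload = JSON.parse(body)
  return :unknown_reference unless payload['reference_id'] == stored_reference_xid

  UNDELIVERABLE_CODES.include?(payload.dig('status', 'code')) ? :delivery_failed : :no_action
end
```

Note that the reference-id match is what stops a valid-looking callback from flipping some other user's record, which is why the MR has you set `telesign_reference_xid` to the value in the payload before sending the test request.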