Require Arkose challenge before send phone code or verify with CC
Implements part of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/672+
Context
Previously, both Arkose challenge and reCAPTCHA were used to protect phone number and credit card verification endpoints from automation.
These challenges were required only when specific rate limits were exceeded as listed below:
- Users were required to solve an Arkose challenge before they were allowed to send or validate a phone number verification code, after two previous attempts
- ReCAPTCHA, replacing the Arkose challenge, was required before a user was allowed to send or validate a phone number verification code once Telesign transactions exceeded 16k for the current day
- ReCAPTCHA was required before a user was allowed to verify a credit card once Telesign transactions exceeded 16k for the current day
What does this MR do?
In this MR, the challenge requirement is simplified such that:
- Users need to solve an Arkose challenge before they are allowed to send a phone number verification code or verify a credit card
- Users who are required to verify both a phone number and a credit card only need to solve an Arkose challenge for whichever verification method comes first
- The challenge requirement for verifying the phone number code itself is removed
- ReCAPTCHA is no longer used
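The rule above, modelled in Ruby as an added example (not GitLab's code): VerificationSession, GATED_ACTIONS, perform and the token verifier are assumed names, the one-challenge-per-session flag is an assumption about how "whichever comes first" is tracked, and the token check is a constructed stand-in for Arkose verification.

```ruby
# Added example, not GitLab's code. Models the simplified challenge requirement:
# an Arkose challenge gates sending a phone code and verifying a credit card,
# one solved challenge covers both, and verifying the phone code is not gated.
class VerificationSession
  # Only these two actions require an Arkose token; :verify_phone_code is absent on purpose.
  GATED_ACTIONS = { send_phone_code: :phone_number, verify_credit_card: :credit_card }.freeze
  CHALLENGE_PROTECTED_METHODS = GATED_ACTIONS.values.freeze

  # required_methods: e.g. [:email, :phone_number, :credit_card] for a High risk band.
  # token_verifier: callable that returns true for a solved Arkose token (assumed interface).
  # challenge_enabled: stands in for the feature flag that switches the requirement off.
  def initialize(required_methods, token_verifier:, challenge_enabled: true)
    @required_methods = required_methods
    @token_verifier = token_verifier
    @challenge_enabled = challenge_enabled
    @challenge_solved = false # assumption: tracked per verification session
  end

  # What the BE exposes to the FE: methods for which the FE must show a challenge.
  # Once one challenge is solved, the list is empty for the remaining method too.
  def methods_requiring_arkose_challenge
    return [] if !@challenge_enabled || @challenge_solved

    @required_methods & CHALLENGE_PROTECTED_METHODS
  end

  # BE-side gate. The server decides from its own state, never from what the FE claims.
  # Returns :challenge_required when a gated action arrives without a valid token.
  def perform(action, arkose_token: nil)
    method = GATED_ACTIONS[action]
    if method && methods_requiring_arkose_challenge.include?(method)
      return :challenge_required unless arkose_token && @token_verifier.call(arkose_token)

      @challenge_solved = true
    end
    :ok
  end
end

# Walks a High-risk user through the flow: phone first, then credit card.
def demo
  verifier = ->(token) { token == 'solved-token' } # constructed stand-in, not Arkose's API
  s = VerificationSession.new(%i[email phone_number credit_card], token_verifier: verifier)
  before  = s.methods_requiring_arkose_challenge          # [:phone_number, :credit_card]
  denied  = s.perform(:send_phone_code)                   # :challenge_required
  allowed = s.perform(:send_phone_code, arkose_token: 'solved-token') # :ok
  code_ok = s.perform(:verify_phone_code)                 # :ok, never gated
  cc_ok   = s.perform(:verify_credit_card)                # :ok, challenge already solved
  [before, denied, allowed, code_ok, cc_ok, s.methods_requiring_arkose_challenge]
end
```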
Is this MR backwards compatible?
Below are the known compatibility issues introduced by this MR and the mitigation plan to prevent breaking production:

| Change | This is a problem when | Mitigation plan | Action required |
|---|---|---|---|
| FE tries to access methods_requiring_arkose_challenge from BE | BE is an older version | Degrade gracefully: default to [] (implemented in !152335 (f80fdf4d)) | None. Already implemented. |
| BE requires Arkose token from FE | BE is an older version | Disable the arkose_labs_phone_verification_challenge FF. Disabling is okay since we plan to remove the functionality behind the FF with this MR. | Disable the arkose_labs_phone_verification_challenge FF before merge |
| BE requires Arkose token from FE | FE is an older version | This is covered by the FF introduced in this MR | None. Already implemented. |
Aside from the above, the BE and FE changes in this MR were written so that they degrade gracefully against an older counterpart.
What is not in this MR?
This MR does not include cleanup of code left unused by these updates, in order to keep the diff manageable during review. Cleanup will be done in a separate MR (see task).
Planned further improvements
With the changes in this MR, a user may encounter two successive Arkose challenge requirements—while filling in the signup form and when they first attempt to verify a phone number. We plan to improve this in a separate MR (see Skip challenge requirement on first attempt if user solved challenge during signup).
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screen_Recording_2024-05-16_at_3.07.42_PM
How to set up and validate locally
- Ensure that you have a working local CustomersDot installation with Zuora integration and zuora_cc_registration_validation_payment_page_id set to an active hosted payment page
- Start GDK simulating SaaS:
    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
- Enable the FFs:
    $ rails c
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:identity_verification_arkose_challenge)
- Set up Telesign:
    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')
  Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)
- Set up Arkose:
    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")
  Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)
- Go to http://localhost:3000/users/sign_up, fill in the signup form, (optionally) solve the Arkose challenge, and then click Register
- Set the new user's Arkose risk score to 'High'. This will require the user to verify their email, phone number, and credit card:
    $ rails c
    > User.last.custom_attributes.find_by_key('arkose_risk_band').update(value: 'High')
- Go back to your browser and validate that email, phone number, and credit card are now required
- Go to http://localhost:3000/rails/letter_opener, get the sent email confirmation code, and verify the user's email. You can also just update the user's confirmed_at in the Rails console:
    $ rails c
    > User.last.update(confirmed_at: Time.now)
- Verify that an Arkose challenge is required before you are allowed to send a phone number verification code
- Go through phone number verification
- Verify that NO Arkose challenge is required before you are allowed to verify a credit card