Skip to content

Require Arkose challenge before send phone code or verify with CC

Eugie Limpin requested to merge el-signup-iv-challenge-on-send into master

Implements part of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/672+

Context

Previously, both Arkose challenge and reCAPTCHA were used to protect phone number and credit card verification endpoints from automation.

These challenges were required only when specific rate limits were exceeded as listed below:

  1. Users were required to solve an Arkose challenge before they were allowed to send or validate a phone number verification code after two previous attempts
  2. ReCAPTCHA was required, replacing Arkose challenge, before a user was allowed to send or validate a phone number verification code when Telesign transactions exceeded 16k for the current day
  3. ReCAPTCHA was required, before a user was allowed to verify a credit card when Telesign transactions exceeded 16k for the current day

What does this MR do?

In this MR, the challenge requirement is simplified such that

  1. Users need to solve an Arkose challenge before they are allowed to send a phone number verification code or or verify a credit card
  2. Users that are required both phone number and credit card only need to solve an Arkose challenge to perform whichever verification method comes first
  3. Challenge requirement to perform phone number code verification is removed
  4. ReCAPTCHA is no longer utilized

Is this MR backwards compatible?

Below are known compatibility issues brought by this MR and mitigation plan to prevent breaking production:

This is a problem when Mitigation plan Action required
FE tries to access methods_requiring_arkose_challenge from BE BE is an older version Degrade gracefully: default to [] (implemented in !152335 (f80fdf4d)) None. Already implemented.
BE requires Arkose token from FE BE is an older version Disable arkose_labs_phone_verification_challenge FF. Disabling is okay since we plan to remove the functionality behind the FF with this MR. Disable arkose_labs_phone_verification_challenge FF before merge
BE requires Arkose token from FE FE is an older version This is covered by the FF introduced in this MR None. Already implemented.

Aside from the above, the BE and FE changes in this MR were written such that they degrade gracefully against old counterpart.

What is not in this MR?

This MR does not include cleanup of unused code as a result of the updates to keep the diff manageable during review. Clean up will be done in a separate MR (see task).

Planned further improvements

With the changes in this MR, a user may encounter two successive Arkose challenge requirements—while filling in the signup form and when they first attempt to verify a phone number. We plan to improve this in a separate MR (see Skip challenge requirement on first attempt if user solved challenge during signup).

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screen_Recording_2024-05-16_at_3.07.42_PM

How to set up and validate locally

  1. Ensure that you have a working local CustomersDot installation with Zuora integration and zuora_cc_registration_validation_payment_page_id set to an active hosted payment page

  2. Start GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  3. Enable FFs

    $ rails c
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:identity_verification_arkose_challenge)
  4. Setup Telesign

    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

    Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)

  5. Setup Arkose

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY", )
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  6. Go to http://localhost:3000/users/sign_up, fill in the signup form, (optionally) solve the Arkose challenge, and then click Register

    Click to expand Screenshot_2024-05-16_at_3.19.40_PM
  7. Set the new user's Arkose risk score to 'High'. This will require the user to verify their email, phone number, and credit card

    $ rails c
    > User.last.custom_attributes.find_by_key('arkose_risk_band').update(value: 'High')
  8. Go back to your browser and validate that email, phone number, and credit card are now required

    Click to expand Screenshot_2024-05-16_at_3.20.19_PM
  9. Go to http://localhost:3000/rails/letter_opener, get the sent email confirmation code, and verify the user's email

    Click to expand Screenshot_2024-05-16_at_3.20.01_PM

    Screenshot_2024-05-16_at_3.20.06_PM

    You can also just update the user's confirmed_at in Rails console

    $ rails c
    > User.last.update(confirmed_at: Time.now)
  10. Verify that an Arkose challenge is required before you are allowed to send a phone number verification code

    Click to expand Screenshot_2024-05-16_at_3.21.03_PM
  11. Go through phone number verification

  12. Verify that NO Arkose challenge is required before you are allowed to verify a credit card

    Click to expand Screenshot_2024-05-16_at_3.25.33_PM
Edited by Eugie Limpin

Merge request reports

Loading