Skip challenge when previously solved only when feature flag is enabled
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/747
What does this MR do and why?
Add a feature flag, `skip_arkose_challenge_when_previously_solved`, so that the Arkose challenge requirement before sending a phone number verification code (or verifying a credit card) is skipped for users who already solved a challenge during signup only when the flag is enabled.
When this feature flag is disabled, a user will always be required to solve an Arkose challenge each time they attempt to send a phone number verification code (or verify a credit card), regardless of whether they solved a challenge in the signup form.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Start GDK simulating SaaS

  ```shell
  $ export GITLAB_SIMULATE_SAAS=1
  $ gdk start
  ```

- Enable feature flags

  ```shell
  $ rails c
  > Feature.enable(:identity_verification)
  > Feature.enable(:identity_verification_phone_number)
  > Feature.enable(:identity_verification_arkose_challenge)
  > Feature.disable(:skip_arkose_challenge_when_previously_solved)
  ```

- Set up application settings to work with Identity Verification

  ```shell
  $ rails c
  > ApplicationSetting.first.update(email_confirmation_setting: 'hard', require_admin_approval_after_user_signup: false)
  ```

- Set up Telesign

  ```shell
  $ rails c
  > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')
  ```

  Credentials are in 1Password under "Telesign API Keys" (use GITLAB - DEVELOPMENT).

- Set up Arkose

  ```shell
  $ rails c
  > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
  > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")
  ```

  Note: credentials are in 1Password under "ArkoseLabs API keys (DEVELOPMENT)".

- Update `ee/app/helpers/ee/registrations_helper.rb` so that an Arkose challenge is shown and required before a user can be created:

diff --git a/ee/app/helpers/ee/registrations_helper.rb b/ee/app/helpers/ee/registrations_helper.rb index d784a60b791cf..10b8a9486b3a3 100644 --- a/ee/app/helpers/ee/registrations_helper.rb +++ b/ee/app/helpers/ee/registrations_helper.rb @@ -51,7 +51,7 @@ def registration_objective_options def signup_arkose_data_exchange_payload use_case = Arkose::DataExchangePayload::USE_CASE_SIGN_UP show_challenge = - PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded? + PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded? || true Arkose::DataExchangePayload.new( request,
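Review bot: the `|| true` appended to the `show_challenge` assignment in this hunk makes the preceding `PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded?` result irrelevant and forces the signup challenge unconditionally; that is acceptable as a throwaway local edit for validation, but the step should state explicitly that it is a temporary change to be reverted before pushing, so it is not committed with the MR by mistake.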
- Go to http://localhost:3000/users/sign_up, fill in the signup form, solve the Arkose challenge, and then click "Register"
- Set the new user's Arkose risk score to `'Medium'`. This will require the user to verify their email and phone number.

  ```shell
  $ rails c
  > User.last.custom_attributes.find_by_key('arkose_risk_band').update(value: 'Medium')
  ```

- Update the user's `confirmed_at` in the Rails console. This marks them as email-verified and moves them on to the phone number verification step.

  ```shell
  $ rails c
  > User.last.update(confirmed_at: Time.now)
  ```

- Verify that an Arkose challenge is shown on the phone number verification step