Skip to content

Refactor spam/recaptcha mutations/services for better captcha support

Chad Woolley requested to merge refactor-spammable-recaptcha-mutations into master

What does this MR do?

NOTE: This MR depends on !51840 (merged), and is rebased against its branch, BRANCH: refactor-spam-action-service

Overview

Refactor spam and recaptcha-related mutations and services to better support future reCAPTCHA support.

Adds support which will be used in subsequent MRs to implement the reCAPTCHA workflow via GraphQL, and other related refactoring.

See Tasks section for details.

See #217722 (closed) for an issue with full context on all planned implementation MRs.

See !50559 (closed) for a spike/Proof of Concept showing a full working implementation of the new reCAPTCHA GraphQL support.

Tasks

  • Move the render_recaptcha? method to the Spammable concern, so it can be used from both the controllers and GraphQL mutations.
  • Refactor logic and method naming in mutation to make it explicit that the #resolve method's args parameter is being mutated before being passed to the service layer as params, and return nil to make it explicit that the method's only purpose is to mutate their argument(s) instead of providing a return value.
  • Introduce ServiceCompatibility concern, to DRY up and abstract mutation-layer concerns related to processing graphql mutation field params to be compatible with those expected by the service layer
  • Rename SpammableMutationFields concern to CanMutateSpammable to be more consistently named with other concerns
  • Move and refactor the snippet_spam feature flag to be in the service layer.
    • Why? In order to have the mutation layer be less coupled to the implementation details of spam checking. Specifically, we are decoupling from the fact that the absence of a request object currently disables spam checking. This is important, because there is a possibility that we may allow spam checking in the future even if there is a request. See this thread for more details.

Exploratory Testing

NOTE: Ensure the snippet_spam feature flag is turned OFF - that feature is not yet fully implemented.

See instructions for testing reCAPTCHA in Testing Notes section of issue: #217722 (closed)

(note: for this MR, these were exploratory tested as part of downstream MRs)

UI

  • Issue create without akismet+recaptcha
  • Issue create with akismet+recaptcha
  • Issue update without akismet+recaptcha
  • Issue update with akismet+recaptcha
  • Snippet create without akismet+recaptcha
  • [-] Snippet create with rakismet+recaptcha (currently unsupported)
  • Snippet update without akismet+recaptcha
  • [-] Snippet update with akismet+recaptcha (currently unsupported)

REST API

  • Issue create without akismet+recaptcha
  • [-] Issue create with akismet+recaptcha (currently unsupported)
  • Issue update without rakismet+ecaptcha
  • [-] Issue update with akismet+recaptcha (currently unsupported)
  • Snippet create without akismet+recaptcha
  • [-] Snippet create with akismet+recaptcha (currently unsupported)
  • Snippet update without akismet+recaptcha
  • [-] Snippet update with akismet+recaptcha (currently unsupported)

GraphQL API

  • Issue create without akismet+recaptcha
  • [-] Issue create with akismet+recaptcha (Not possible (?), never flagged as spam because service doesn't set request in params - asked for confirmation in Slack)
  • Issue update without akismet+recaptcha
  • [-] Issue update with akismet+recaptcha (Not possible (?), never flagged as spam because service doesn't set request in params - asked for confirmation in Slack)
  • Snippet create without akismet+recaptcha
  • [-] Snippet create with akismet+recaptcha (currently unsupported)
  • Snippet update without rakismet+recaptcha
  • [-] Snippet update with akismet+recaptcha (currently unsupported)

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related Issues

Edited by Chad Woolley

Merge request reports

Loading