
Phone Verification: Send SMS to user

Hinam Mehra requested to merge 78-anti-abuse-send-phone-verification-sms into master

What does this MR do and why?

Part of the bigger epic https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/3 to ask users to verify their phone number if they are considered medium/high risk.

This MR integrates the front-end component InternationalPhoneInput created in !96529 (merged) with the TeleSign backend services added in !100494 (merged). As part of that it:

  1. Creates the POST route users/identity_verification/send_phone_verification_code
  2. Creates a controller method that calls ::PhoneVerification::Users::SendVerificationCodeService. The service first checks that the request is valid -- e.g. the number is not a high-risk number such as 911, it is not tied to an already banned user, and the request is not rate limited. Only if all checks pass does it send an SMS to the phone number entered by the user.
  3. ApplicationRateLimiter is used to throttle the requests. Currently, it's set to a max of 10 attempts.
  4. Integrates this route with the front-end component InternationalPhoneInput
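To make the gatekeeping order in item 2 concrete, here is an added Ruby sketch that is not GitLab's own ::PhoneVerification::Users::SendVerificationCodeService or ApplicationRateLimiter: the service rejects high-risk numbers, banned users and callers over the 10-attempt limit, and only then hands a code to an injected SMS sender, so nothing is sent on a failed check. The high-risk number list, the banned user id, InMemoryRateLimiter and the sms_sender callable are constructed placeholders.

```ruby
require 'securerandom'
require 'set'

MAX_ATTEMPTS = 10 # the ApplicationRateLimiter threshold quoted in the MR

# Constructed sample data: emergency short codes and a banned-user roster.
HIGH_RISK_NUMBERS = Set['911', '112'].freeze
BANNED_USER_IDS   = Set[42].freeze
Result = Struct.new(:success, :reason)

# Stand-in for ApplicationRateLimiter: every call counts as one attempt and
# the key is throttled once it has used more than `limit` attempts.
class InMemoryRateLimiter
  def initialize(limit)
    @limit = limit
    @counts = Hash.new(0)
  end

  def throttled?(key)
    @counts[key] += 1
    @counts[key] > @limit
  end
end

# Hypothetical stand-in for ::PhoneVerification::Users::SendVerificationCodeService.
class SendVerificationCodeService
  def initialize(user_id:, rate_limiter:, sms_sender:)
    @user_id = user_id
    @rate_limiter = rate_limiter
    @sms_sender = sms_sender # callable(number, code); a real one would call TeleSign
  end

  # Checks run in the order the MR lists; an SMS goes out only when all pass.
  def execute(phone_number)
    number = phone_number.to_s.gsub(/\D/, '')
    return Result.new(false, :high_risk_number) if HIGH_RISK_NUMBERS.include?(number)
    return Result.new(false, :user_banned)      if BANNED_USER_IDS.include?(@user_id)
    return Result.new(false, :rate_limited)     if @rate_limiter.throttled?(@user_id)
    code = format('%06d', SecureRandom.random_number(1_000_000))
    @sms_sender.call(number, code)
    Result.new(true, nil)
  end
end

# Usage: the 11th attempt by the same user is throttled and no SMS goes out.
sent = []
service = SendVerificationCodeService.new(user_id: 7, rate_limiter: InMemoryRateLimiter.new(MAX_ATTEMPTS),
                                          sms_sender: ->(number, code) { sent << [number, code] })
11.times { service.execute('+1 555 000 1234') }
puts "sent #{sent.size} SMS messages" # sent 10 SMS messages
```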

Screenshots or screen recordings

(Screen recording: send-sms-3)

How to set up and validate locally

  1. Configure application settings to let a user sign up without admin confirmation and to require that an email confirmation be sent to the user.

     ```ruby
     ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false, send_user_confirmation_email: true)
     ```
  2. Configure Arkose and TeleSign. They are both external services that we use. Arkose tells us which risk band a user is in - low, medium or high. Phone verification is only asked of users in the medium/high band. TeleSign is used to send the verification code via SMS.

     ```ruby
     Feature.enable(:arkose_labs_signup_challenge)
     ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
     ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)
     ```
  3. Enable the feature flags for identity verification.

     ```ruby
     Feature.enable(:identity_verification)
     Feature.enable(:identity_verification_phone_number)
     ```
  4. Sign up for a new account. Afterwards, you should be redirected to the Identity Verification page (http://localhost:3000/users/identity_verification).
  5. Update the new user's risk band data to the value 'Medium' and refresh the identity verification page.

     ```ruby
     u = User.last
     risk_band = u.custom_attributes.by_key('arkose_risk_band').first
     risk_band.update(value: 'Medium')
     ```
  6. Validate that the phone number verification step is shown.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/78

Edited by Hinam Mehra
