
Phone Verification: Verify Code

Hinam Mehra requested to merge 79-anti-abuse-verify-code into master

What does this MR do and why?

Part of the bigger epic https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/3 to ask users to verify their phone number if they are considered medium/high risk.

This MR introduces the VerifyPhoneVerificationCode component along with the PhoneVerification::Users::VerifyCodeService which completes the entire phone verification feature.

  1. Creates POST route users/identity_verification/verify_phone_verification_code
  2. Creates a method in the controller which calls the ::PhoneVerification::Users::VerifyCodeService. This service talks to our external provider Telesign to verify the code sent to the user.
  3. ApplicationRateLimiter is used to throttle the requests. Currently, it's set to a max of 10 attempts.
  4. Integrates this route with the front-end component

Screenshots or screen recordings

(screen recording: verify)

How to set up and validate locally

  1. Configure application settings to let a user sign up without admin confirmation, and to require an email confirmation to be sent to the user.
> ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false, send_user_confirmation_email: true)
  2. Configure Arkose and TeleSign. Both of their credentials are in 1Password. Arkose will tell us which risk band a user is on - low, medium or high. Phone Verification is only asked of users if they are in the medium/high band. Telesign is used to send the verification code via SMS.
> Feature.enable(:arkose_labs_signup_challenge)
> ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
> ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)
  3. Enable feature flags for identity verification
> Feature.enable(:identity_verification)
> Feature.enable(:identity_verification_phone_number)
  4. Sign up for a new account. Afterwards, you should be redirected to the Identity Verification page (http://localhost:3000/users/identity_verification)
  5. Update the new user's risk band data to the 'Medium' value and refresh the identity verification page
> u = User.last
> risk_band = u.custom_attributes.by_key('arkose_risk_band').first
> risk_band.update(value: 'Medium')
  6. Validate that the phone number verification step is shown

    📸
  7. Enter your phone number to verify it. The phone verification step should be marked as complete.

    📸
  8. If you'd like to re-test the flow, you can reset it by deleting the record

> ::Users::PhoneNumberValidation.last.delete
OR
> ::Users::PhoneNumberValidation.last.update(validated_at: nil)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/79

Edited by Hinam Mehra
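The description says the verify-code endpoint is throttled with ApplicationRateLimiter at a maximum of 10 attempts and that the code itself is checked by TeleSign. The following is an added editor's example, not GitLab's code or this MR's diff, showing the shape that matters for security: a per-user attempt counter that is consulted before the provider is called, so a 6-digit SMS code cannot be brute-forced and a throttled request never spends provider quota. The 10-attempt limit comes from the MR; the window length (24 hours), the provider interface (a callable taking a reference and a code), the in-memory counter, the code format regex, and the `reference`/`validated_at` hash fields are assumptions for the example.

```ruby
# Added editor's example, not GitLab's code: a verify-code service that
# throttles attempts per user before it talks to the SMS provider.
# Assumptions (not from the MR): window length, provider interface,
# in-memory storage, code format, and the phone_validation hash shape.

# Fixed-window attempt counter keyed by an arbitrary string; a stand-in for
# a Redis-backed ApplicationRateLimiter. The clock is injectable so window
# expiry can be exercised without sleeping.
class AttemptLimiter
  def initialize(max_attempts:, window_seconds:, clock: -> { Time.now.to_f })
    @max_attempts = max_attempts
    @window_seconds = window_seconds
    @clock = clock
    @buckets = {} # key => [attempt_count, window_start]
  end

  # Records one attempt and returns true once the caller has exceeded
  # max_attempts within the current window. Every call counts, including
  # rejected ones, so a client cannot probe without spending budget.
  def throttled?(key)
    now = @clock.call
    count, started = @buckets[key]
    if started.nil? || now - started >= @window_seconds
      count = 0
      started = now
    end
    count += 1
    @buckets[key] = [count, started]
    count > @max_attempts
  end
end

# Minimal service in the shape of PhoneVerification::Users::VerifyCodeService.
class VerifyCodeService
  Result = Struct.new(:status, :reason, keyword_init: true)
  MAX_ATTEMPTS = 10           # the limit stated in the MR description
  WINDOW_SECONDS = 24 * 3600  # assumption: the MR does not state the window
  CODE_FORMAT = /\A\d{4,8}\z/ # assumption about the SMS code shape

  # provider: callable (reference, code) -> true/false, standing in for the
  # TeleSign verification call. limiter: an AttemptLimiter.
  def initialize(provider:, limiter: nil)
    @provider = provider
    @limiter = limiter || AttemptLimiter.new(max_attempts: MAX_ATTEMPTS,
                                             window_seconds: WINDOW_SECONDS)
  end

  # phone_validation is a Hash standing in for a Users::PhoneNumberValidation
  # record: { reference: <provider reference>, validated_at: nil }.
  def execute(user_id:, phone_validation:, code:)
    # Throttle first: a throttled request must never reach the provider, so
    # the guess budget is bounded to MAX_ATTEMPTS per window and provider
    # quota is not burned by an attacker.
    if @limiter.throttled?("verify_phone_verification_code:#{user_id}")
      return Result.new(status: :error, reason: :rate_limited)
    end

    # Reject malformed input locally; it still costs the caller an attempt.
    unless code.is_a?(String) && code.match?(CODE_FORMAT)
      return Result.new(status: :error, reason: :invalid_code)
    end

    if @provider.call(phone_validation[:reference], code)
      phone_validation[:validated_at] = Time.now.utc
      Result.new(status: :success, reason: nil)
    else
      # Same reason as a malformed code, so the response does not reveal
      # whether the provider was consulted.
      Result.new(status: :error, reason: :invalid_code)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: the fake provider accepts exactly one code.
  provider = ->(_reference, code) { code == '123456' }
  service = VerifyCodeService.new(provider: provider)
  record = { reference: 'demo-ref', validated_at: nil }
  11.times do |i|
    result = service.execute(user_id: 1, phone_validation: record, code: '000000')
    puts "attempt #{i + 1}: #{result.reason}"
  end
end
```

Two points in the ordering are deliberate: the limiter is hit before any input validation or provider call, so the 11th request is refused even when it carries the right code, and the limiter key is the user id rather than the phone number or IP, so an attacker cannot reset their budget by changing the number they submit. In the real service the counter lives in Redis via ApplicationRateLimiter and the window is whatever that limiter is configured with; the in-memory hash here only exists so the example runs offline.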
