
Redirect to successful verification page after completed steps

What does this MR do and why?

Identity Verification consists of 3 parts: email, phone and credit card verification on signup, based on a risk score. Each verification type is behind its own feature flag.

While the steps have a fixed order, this MR makes it possible for each step to be the final step.

For example, when identity verification is enabled but phone number verification is disabled for some reason, a user with a medium risk score only needs to verify their email address to finish verification. If phone number verification is then turned on again and the user logs out and back in, they are redirected to the verification page with email verification shown as completed at the top, and once they finish phone verification they are signed in properly.

Changes in this MR:

  • Always redirect to successful verified page and sign in when completing the last step
  • Show completed verification methods at the top of the wizard
  • When email verification is the only verification method, de-duplicate the title
  • When email verification is not the only verification method, do not show borders
  • Set autocomplete attribute of email and phone verification to one-time-code instead of off
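The step-ordering rule behind the first two bullets, as an added example in plain Ruby (not GitLab's code): steps keep a fixed order, the set of enabled steps comes from the risk band and the feature flags, already-completed steps are listed at the top, and completing whichever enabled step happens to be last triggers the redirect to the success page. The class name, the risk-band mapping and the method names are assumptions for illustration.

```ruby
# Hypothetical model of the identity verification wizard (added example,
# not GitLab's own code). Steps have a fixed order, but any enabled step
# can be the final one depending on flags and risk band.

ORDERED_METHODS = %i[email phone credit_card].freeze

# Constructed mapping of risk band to required methods (assumption only).
REQUIRED_BY_RISK_BAND = {
  'Low'    => %i[email],
  'Medium' => %i[email phone],
  'High'   => %i[email phone credit_card]
}.freeze

class VerificationState
  attr_reader :enabled

  # risk_band: the user's Arkose risk band
  # enabled:   methods whose feature flags are currently on
  # completed: methods the user already verified in an earlier session
  def initialize(risk_band:, enabled:, completed: [])
    required = REQUIRED_BY_RISK_BAND.fetch(risk_band)
    # Keep the fixed order; drop anything not required or not enabled.
    @enabled = ORDERED_METHODS.select { |m| required.include?(m) && enabled.include?(m) }
    # Only count completions for steps that are still part of the flow.
    @completed = @enabled.select { |m| completed.include?(m) }
  end

  # Steps rendered as "completed" at the top of the wizard.
  def completed_steps
    @completed.dup
  end

  # First enabled step that is not yet completed; nil when nothing is left.
  def current_step
    @enabled.find { |m| !@completed.include?(m) }
  end

  def finished?
    current_step.nil?
  end

  # What to do when the user signs in: skip the wizard entirely if every
  # enabled step is already done, otherwise show it at the current step.
  def on_sign_in
    finished? ? :redirect_to_success : :show_wizard
  end

  # Record a finished step. Returns :redirect_to_success when it was the
  # last enabled step (whichever step that is), :next_step otherwise.
  def complete!(method)
    raise ArgumentError, "#{method} is not the current step" unless method == current_step

    @completed << method
    finished? ? :redirect_to_success : :next_step
  end

  # Title is de-duplicated only when email is the sole verification method.
  def deduplicate_title?
    @enabled == %i[email]
  end
end
```

The scenario from the description maps onto this directly: a Medium-risk user with only email enabled finishes after the email step; when phone is enabled later and the same user signs back in with `completed: [:email]`, the wizard shows email as done, asks for phone, and redirects to the success page once phone completes.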

Screenshots

Each row lists the screenshot before and after this MR:

  • standalone email verification: before Screenshot_2023-02-08_at_23.02.04, after Screenshot_2023-02-08_at_22.52.50
  • multi method verification with email not completed: before Screenshot_2023-02-08_at_23.04.17, after Screenshot_2023-02-08_at_22.53.38
  • multi method verification with email completed: before Screenshot_2023-02-08_at_23.19.27, after Screenshot_2023-02-08_at_23.20.18

How to set up and validate locally

  1. Make sure email verification is turned on
    ApplicationSetting.current.update(email_confirmation_setting: 2)
    Feature.disable(:soft_email_confirmation)
  2. Enable identity verification and Arkose Labs on signup (the Arkose Labs public and private API keys can be found in the 1Password Engineering Vault entry named ArkoseLabs API keys > GITLAB - DEVELOPMENT - REGISTRATION FLOW)
    Feature.enable(:identity_verification)
    Feature.enable(:arkose_labs_signup_challenge)
    ApplicationSetting.current.update(require_admin_approval_after_user_signup: false)
    ApplicationSetting.current.update(arkose_labs_public_api_key: ***, arkose_labs_private_api_key: ***, arkose_labs_namespace: 'client')
  3. Create a new account on http://localhost:3000/users/sign_up
  4. Update the arkose risk score to Medium
    UserCustomAttribute.by_key('arkose_risk_band').last.update(value: 'Medium')
  5. Fill in the code from the email (check http://localhost:3000/rails/letter_opener)
  6. Complete registration
  7. Sign out
  8. Enable phone verification
    Feature.enable(:identity_verification_phone_number)
  9. Sign in with the verified account
  10. Verify the page looks like the screenshot above (multi method verification with email not completed - after)

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/137

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs
