
Add phone verification for low risk users experiment

What does this MR do and why?

Add phone verification for low risk users experiment.

When in the candidate group, low risk users need to verify their phone number in addition to their email address in order to sign up.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/264

Experiment rollout issue: #415674

How to set up and validate locally

  1. Enable identity verification and Arkose Labs on signup (the Arkose Labs public and private API keys can be found in the 1Password Engineering Vault entry named ArkoseLabs API keys > GITLAB - DEVELOPMENT - REGISTRATION FLOW)

    Feature.enable(:identity_verification)
    Feature.enable(:identity_verification_phone_number)
    Feature.enable(:arkose_labs_signup_challenge)
    ApplicationSetting.current.update(email_confirmation_setting: 2, require_admin_approval_after_user_signup: false)
    ApplicationSetting.current.update(arkose_labs_public_api_key: ***, arkose_labs_private_api_key: ***, arkose_labs_namespace: 'client')
  2. Create a new account on http://localhost:3000/users/sign_up

  3. Update the arkose risk score to Low

    User.last.custom_attributes.by_key(UserCustomAttribute::ARKOSE_RISK_BAND).update(value: 'Low')
  4. Refresh the page (/users/identity_verification) and verify the user needs to verify only their email


  5. Enable the candidate variant for the new user

    include Gitlab::Experiment::Dsl
    Feature.enable(:phone_verification_for_low_risk_users, experiment(:phone_verification_for_low_risk_users, user: User.last))
  6. Refresh the page (/users/identity_verification) and verify the user needs to verify both phone number and email

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs
