
Ban users who try to identify with a previously banned credit card

What does this MR do and why?

Ban users who try to identify with a previously banned credit card.

When signing up and verifying identity using a previously banned user’s credit card, ban the user and notify them.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/317

Screenshots or screen recordings

Before: Screen_Recording_2023-07-07_at_17.22.48
After: Screen_Recording_2023-07-07_at_17.20.42

How to set up and validate locally

  1. Ensure that you have a local CustomersDot installation
  2. Set ZUORA_CC_REGISTRATION_VALIDATION_PAYMENT_PAGE_ID env var to Zuora hosted page ID 8ad0965d7d37f5bb017d4c47897c4789. This hosted page is configured to point to a local GDK instance running on http://localhost:3000.
  3. Run GDK emulating SAAS and set the local customers portal URL
    echo "export GITLAB_SIMULATE_SAAS=1" >> env.runit
    echo "export CUSTOMER_PORTAL_URL=http://localhost:5000" >> env.runit
    gdk restart rails-web
  4. Enable feature flags in Rails console
    Feature.enable(:identity_verification)
    Feature.enable(:identity_verification_credit_card)
    ApplicationSetting.current.update(email_confirmation_setting: 2, require_admin_approval_after_user_signup: false)
  5. Create a banned user and a corresponding Users::CreditCardValidation in Rails console
    # Let's use the second user
    banned_user = User.find(2)
    banned_user.ban
    Users::CreditCardValidation.create(user: banned_user, credit_card_validated_at: 1.month.ago, expiration_date: 7.years.from_now.end_of_month, last_digits: 4242, holder_name: 'Chris McLovin', network: 'Visa')

Validate

  1. Create a new user via http://localhost:3000/users/sign_up
  2. After signing up you should see the identity verification page
    🖼 Screenshot_2023-04-18_at_4.48.31_PM
  3. Assign a High ArkoseLabs risk score to the new user in Rails console
    UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')
  4. Refresh the identity verification page. You should now see the credit card verification step
    🖼 Screenshot_2023-04-18_at_4.47.36_PM
  5. Fill in and submit the form with the following values
    Name on card: "Chris McLovin"
    Card number: 4242 4242 4242 4242
    Expiration date: 04/2030
    CVC: Any 3-digit number
  6. Validate that an error is shown, the submit button is disabled and refreshing the page redirects to the login page
    📼 Screen_Recording_2023-07-07_at_17.20.42

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs
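
The check that the validation steps above exercise, modelled in plain Ruby as an added example (not code from this MR or from GitLab). The `CardValidation` struct, `verification_outcome`, `sample_submission` and the matching rule (network, last digits, expiry month/year and normalized holder name) are assumptions based on the fields stored in step 5; the MR's own matching logic is not shown on this page.

```ruby
require 'date'

# Constructed, in-memory stand-in for the record created in step 5.
# Field names follow the page; the struct and the matching rule are assumptions.
CardValidation = Struct.new(:user_id, :network, :last_digits,
                            :expiration_date, :holder_name, keyword_init: true) do
  # Fingerprint built only from the stored attributes (no full card number).
  def fingerprint
    [network.to_s.downcase, last_digits.to_i,
     expiration_date.year, expiration_date.month,
     holder_name.to_s.strip.downcase.squeeze(' ')]
  end
end

# Returns :ban when the submitted card matches a card on file for a banned
# user, :ok otherwise.
def verification_outcome(submitted, stored, banned_user_ids)
  hit = stored.any? do |record|
    banned_user_ids.include?(record.user_id) &&
      record.fingerprint == submitted.fingerprint
  end
  hit ? :ban : :ok
end

# Constructed sample data mirroring the walkthrough values.
STORED = [
  CardValidation.new(user_id: 2, network: 'Visa', last_digits: 4242,
                     expiration_date: Date.new(2030, 4, 30),
                     holder_name: 'Chris McLovin')
].freeze
BANNED_IDS = [2].freeze

# Hypothetical helper: a new user's submission, with optional field overrides.
def sample_submission(overrides = {})
  attrs = { user_id: 99, network: 'Visa', last_digits: 4242,
            expiration_date: Date.new(2030, 4, 1),
            holder_name: 'chris  mclovin' }.merge(overrides)
  CardValidation.new(**attrs)
end

if __FILE__ == $PROGRAM_NAME
  puts verification_outcome(sample_submission, STORED, BANNED_IDS)
  puts verification_outcome(sample_submission(holder_name: 'Someone Else'), STORED, BANNED_IDS)
  puts verification_outcome(sample_submission, STORED, [])
end
```

A fingerprint built from the last four digits, expiry, network and name is coarse, so two unrelated cardholders can collide; under this assumed rule the holder name is the only field keeping the second case from being banned.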
