Ban users who try to identify with a previously banned credit card
What does this MR do and why?
Ban users who try to identify with a previously banned credit card.
When signing up and verifying identity using a previously banned user’s credit card, ban the user and notify them.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/317
Screenshots or screen recordings
Before | After |
---|---|
Screen_Recording_2023-07-07_at_17.22.48 | Screen_Recording_2023-07-07_at_17.20.42 |
How to set up and validate locally
- Ensure that you have a local CustomersDot installation
- Set the `ZUORA_CC_REGISTRATION_VALIDATION_PAYMENT_PAGE_ID` env var to Zuora hosted page ID `8ad0965d7d37f5bb017d4c47897c4789`. This hosted page is configured to point to a local GDK instance running on http://localhost:3000.
- Run GDK emulating SAAS and set the local customers portal URL
  ```shell
  echo "export GITLAB_SIMULATE_SAAS=1" > env.runit
  # Append (>>) so the first export is not overwritten
  echo "export CUSTOMER_PORTAL_URL=http://localhost:5000" >> env.runit
  gdk restart rails-web
  ```
- Enable feature flags in Rails console
  ```ruby
  Feature.enable(:identity_verification)
  Feature.enable(:identity_verification_credit_card)
  ApplicationSetting.current.update(email_confirmation_setting: 2, require_admin_approval_after_user_signup: false)
  ```
- Create a banned user and a corresponding `Users::CreditCardValidation` in Rails console
  ```ruby
  # Let's use the second user
  banned_user = User.find(2)
  banned_user.ban
  Users::CreditCardValidation.create(
    user: banned_user,
    credit_card_validated_at: 1.month.ago,
    expiration_date: 7.years.from_now.end_of_month,
    last_digits: 4242,
    holder_name: 'Chris McLovin',
    network: 'Visa'
  )
  ```
Validate
- Create a new user via http://localhost:3000/users/sign_up
- After signing up you should see the identity verification page
- Assign a `High` ArkoseLabs risk score to the new user in Rails console
  ```ruby
  UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')
  ```
- Refresh the identity verification page. You should now see the credit card verification step
- Fill in and submit the form with the following values
  ```
  Name on card: "Chris McLovin"
  Card number: 4242 4242 4242 4242
  Expiration date: 04/2030
  CVC: Any 3-digit number
  ```
- Validate that an error is shown, the submit button is disabled and refreshing the page redirects to the login page
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Alex Buijs