Offer user to update email address when requiring email verification
What does this MR do and why?
When the require_email_verification feature is turned on, users without 2FA enabled are required to verify their email before gaining access to the product after 3 or more failed login attempts or when signing in from an unknown IP address.
Because support got overwhelmed with requests from people who had lost access to the email address they used to sign up with, we now offer users the option to change their email address the first time they are required to verify their email.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/413
Screenshots or screen recordings
Screen_Recording_2023-07-27_at_10.58.24
How to set up and validate locally
1. Enable the feature flag in Rails console:
   Feature.enable(:require_email_verification)
2. Sign out
3. Sign in 3 times with a wrong password
4. Sign in with your correct password
5. Click "Update email"
6. Submit another email address
7. Open http://localhost:3000/rails/letter_opener/ and verify you received 2 emails:
   - the "Email Changed" notification on your old address
   - the "Verify your identity" email on your new address
8. Copy the code from the verification email
9. Submit the code in the verification form
10. Verify you signed in successfully and the email address has been changed
11. Repeat steps 2-4 and verify the "Update email" button isn't being shown
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Ravi Kumar