Offer user to update email address when requiring email verification

Alex Buijsrequested to merge
offer-email-reset-for-email-verification into master

What does this MR do and why?

When the require_email_verification feature is turned on, users without 2FA enabled are required to verify their email before gaining access to the product after 3 or more failed login attempts or when signing in from an unknown IP address.

Because support got overwhelmed with requests from people who had lost access to the email address they used to sign up with, we now offer users to change their email address the first time they are required to verify their email.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/413

Screenshots or screen recordings

Screen_Recording_2023-07-27_at_10.58.24

How to set up and validate locally

  1. Enable the feature flag in Rails console 
    Feature.enable(:require_email_verification)
  2. Sign out
  3. Sign in 3 times with a wrong password
  4. Sign in with your correct password
  5. Click Update email
  6. Submit another email address
  7. Open http://localhost:3000/rails/letter_opener/ and verify you received 2 emails:
    • the Email Changed notification on your old address
    • the Verify your identity email on your new address
  8. Copy the code from the verification email
  9. Submit the code in the verification form
  10. Verify you signed in successfully and the email address has been changed
  11. Repeat step 2-4 and verify the Update email button isn't being shown

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ravi Kumar

Merge request reports