Handle arkose outage on sign-in

What does this MR do and why?

  • Partially resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/384. This MR only handles arkose outage on sign-in.

  • Arkose is a third-party service we use to display captchas on sign-in and sign-up.

  • Previously, if Arkose failed to load, we would display the error message to the user and prevent sign-in. This was a degraded user experience since we don't want users to be prevented from logging in if there is an Arkose outage.

  • In this MR:

    • If there is an error loading Arkose, we will log the error, then check if Arkose's status API shows an outage. If there is an outage -> then let the user sign in. If not, then display an error.
    • Reference: Arkose's troubleshooting docs

Screenshots or screen recordings

| Before | After (arkose has an outage) | After (arkose is operational) |
| --- | --- | --- |
| arkose-outage-before | arkose-outage-after | arkose-operational-after |

How to set up and validate locally

Setting-up Arkose

  1. In rails console, enable the feature flag and configure Arkose (credentials can be found in 1Password):
     > Feature.enable(:arkose_labs_login_challenge)
     > ApplicationSetting.first.update(arkose_labs_public_api_key: "X", arkose_labs_private_api_key: "X")
  2. To trigger Arkose on sign-in, update a user's failed_attempts to > 3:
     > User.first.update(failed_attempts: 4)

Simulate Arkose Error

  1. Then try to enter your username on the users/sign_in page. You should see https://client-api.arkoselabs.com/v2/../api.js being loaded in the Network tab.
  2. Block the Arkose script:
  3. Refresh the page and try signing in. You should see an error message saying "Unable to verify the user."

  4. Simulate an Arkose outage by applying the following patch:

diff --git a/ee/app/services/arkose/status_service.rb b/ee/app/services/arkose/status_service.rb
index 33f6e0fdaec6..0d5af086c2f3 100644
--- a/ee/app/services/arkose/status_service.rb
+++ b/ee/app/services/arkose/status_service.rb
@@ -7,7 +7,8 @@ class StatusService
 
     def self.execute
       response = Gitlab::HTTP.perform_request(Net::HTTP::Get, ARKOSE_STATUS_URL, {}).parsed_response
-      indicator = response.dig('status', 'indicator')
+      # indicator = response.dig('status', 'indicator')
+      indicator = 'critical'
 
       return ServiceResponse.success if indicator == ARKOSE_SUCCESS_INDICATOR
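
Review bot: Keep this hunk strictly local: with `indicator = 'critical'` hardcoded in `self.execute`, the status check reports an outage on every call, and per the description above that is the condition under which sign-in proceeds without the Arkose challenge. For a repeatable check, stub the status response in a spec rather than editing the service. Note also that the `Gitlab::HTTP.perform_request` call to `ARKOSE_STATUS_URL` on the unchanged line above still runs, so the simulation still depends on that endpoint being reachable from the development machine.
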
  5. Now try to sign in again. You will see an error in the console, but it will let you sign in.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra
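
The decision the description above outlines (client-side load error, then a server-side status check), as an added Ruby example that is not GitLab's code. The function names, the indicator values and the sample bodies are assumptions: the page names `ARKOSE_SUCCESS_INDICATOR` without showing its value, and treating an unreadable status response as "not an outage" is this example's own choice.

```ruby
require 'json'

# Assumed values: the page names ARKOSE_SUCCESS_INDICATOR but does not show it.
# 'none' / 'minor' / 'major' / 'critical' follow the Statuspage status.json format.
OPERATIONAL_INDICATOR = 'none'
OUTAGE_INDICATORS = %w[minor major critical].freeze

# Constructed sample bodies for a status endpoint.
OPERATIONAL_BODY = '{"status":{"indicator":"none","description":"All Systems Operational"}}'
OUTAGE_BODY      = '{"status":{"indicator":"critical","description":"Major Outage"}}'

# Classify a raw status body as :operational, :outage or :unknown.
# Anything unparseable or unexpected is :unknown, never :outage.
def arkose_status(raw_body)
  indicator = JSON.parse(raw_body.to_s).dig('status', 'indicator')
  return :operational if indicator == OPERATIONAL_INDICATOR
  return :outage if OUTAGE_INDICATORS.include?(indicator)

  :unknown
rescue JSON::ParserError, TypeError, NoMethodError
  :unknown
end

# client_error: what the browser reported when the challenge failed to load (nil if it loaded).
# The browser's report alone never skips the challenge; only a server-side
# outage reading does, because the client can block the script itself.
def sign_in_decision(client_error:, status_body:, log: [])
  return :require_challenge if client_error.nil?

  # Client-controlled text: truncate and escape before it reaches the log.
  log << "arkose challenge failed to load: #{client_error.to_s[0, 200].inspect}"

  arkose_status(status_body) == :outage ? :skip_challenge : :show_error
end
```

A blocked script with an operational status page yields `:show_error`, which matches the "Unable to verify the user." step in the validation instructions above.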