
Draft: Handle arkose outage on OAuth

Hinam Mehra requested to merge anti-abuse/384-handle-arkose-outage-on-oauth into master

What does this MR do and why?

  • Resolves sub-task 3 of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/384. This MR only handles an Arkose outage on sign-up via OAuth. Follows up from !133405 (merged).
  • Arkose is a third-party service we use to display a CAPTCHA when a user signs up.
  • Previously, if Arkose failed to load, we displayed the error message to the user and prevented sign-up. This was a degraded user experience: we don't want users to be blocked from signing up during an Arkose outage.
  • In this MR:
    • If there is an error loading Arkose on the front-end during sign-up (OAuth), we log the error, then check whether Arkose's status API reports an outage. Only if the status API confirms an outage do we let the user sign up without the challenge; otherwise we display the error message. A client-side load failure on its own (for example, the script being blocked in the browser) is therefore not enough to bypass the CAPTCHA.
    • Reference: Arkose's troubleshooting docs
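As an added, self-contained model of the rule described above (this is example code, not GitLab's `Arkose::StatusService` or the MR's front-end change), the block below treats a failed client-side Arkose load as bypassable only when a parsed status response positively reports an outage. The `HEALTHY_INDICATORS` list, the `Response` struct, the `SAMPLES` bodies and the `decide` method are assumptions; the MR's real `ARKOSE_SUCCESS_INDICATOR` and `ARKOSE_STATUS_URL` values are not reproduced on this page. The point worth seeing in code is the fail-closed default: an unreachable status API, a non-2xx reply or a garbled body all count as "no confirmed outage" and keep the challenge required.

```ruby
require 'json'

# Added example (not GitLab's code): a self-contained model of the rule the MR
# describes. A failed client-side Arkose load bypasses the challenge only when
# Arkose's own status API positively confirms an outage; every other outcome
# (healthy, unreachable status API, garbled body) keeps the challenge required.
module ArkoseOutageDemo
  # Assumption: statuspage.io-style indicators that mean "Arkose is serving".
  # The MR's real ARKOSE_SUCCESS_INDICATOR list is not reproduced on the page.
  HEALTHY_INDICATORS = %w[none minor].freeze

  # Minimal stand-in for the object Gitlab::HTTP.get returns.
  Response = Struct.new(:code, :body) do
    def success?
      (200..299).cover?(code)
    end
  end

  # Constructed sample responses (not captured from the real status endpoint).
  SAMPLES = {
    healthy:  Response.new(200, '{"status":{"indicator":"none"}}'),
    outage:   Response.new(200, '{"status":{"indicator":"critical"}}'),
    garbled:  Response.new(200, '<html>maintenance</html>'),
    api_down: Response.new(503, '')
  }.freeze

  # fetcher: a callable returning a Response (stands in for the HTTP call).
  # Returns :outage, :healthy or :unknown. Only a parsed, non-healthy
  # indicator counts as an outage; anything else is :unknown so callers fail closed.
  def self.status(fetcher)
    response = fetcher.call
    return :unknown unless response.success?

    indicator = JSON.parse(response.body).dig('status', 'indicator')
    return :unknown unless indicator.is_a?(String)

    HEALTHY_INDICATORS.include?(indicator) ? :healthy : :outage
  rescue StandardError
    # timeout, connection error, JSON::ParserError, unexpected shape
    :unknown
  end

  # Decision for one sign-up attempt. Returns
  #   :verify_challenge - Arkose loaded; the normal challenge/verification path
  #   :bypass_challenge - client failed to load Arkose AND an outage is confirmed
  #   :block            - client failed to load Arkose, outage not confirmed
  def self.decide(arkose_loaded:, fetcher:, log: [])
    return :verify_challenge if arkose_loaded

    log << 'arkose client failed to load'
    if status(fetcher) == :outage
      log << 'status API confirms outage; bypassing challenge'
      :bypass_challenge
    else
      log << 'no confirmed outage; showing error'
      :block
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  ArkoseOutageDemo::SAMPLES.each do |name, resp|
    puts "#{name}: #{ArkoseOutageDemo.decide(arkose_loaded: false, fetcher: -> { resp })}"
  end
end
```

Running the file prints one decision per constructed sample; only the `outage` sample yields `:bypass_challenge`. The `log` array stands in for the error logging the MR mentions, so the sequence of events for a blocked attempt is visible to whoever tests the flow.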

Screenshots or screen recordings

Context                          Before              After
When there is no outage          (image: before)     (image: after-no-outage)
When there is an Arkose outage   (image: before)     (image: after-no-outage)

How to set up and validate locally

Setting-up Arkose

  1. In the Rails console, enable the feature flag and configure Arkose (credentials can be found in 1Password):
> Feature.enable(:arkose_labs_signup_challenge)
> ApplicationSetting.first.update(arkose_labs_public_api_key: "X", arkose_labs_private_api_key: "X")
> ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")

Setting-up OAuth

  1. Create an OAuth app on GitHub. You will have to use a personal GitHub account.
  2. Add the credentials to config/gitlab.yml. Note that verify_ssl: false and provider_ignores_state: true relax TLS verification and the OAuth state (CSRF) check respectively; they are acceptable only for this local GDK setup and must not be used in a real deployment.
development:
  <<: *base
  omniauth:
    allow_single_sign_on: true
    block_auto_created_users: false
    providers:
    - { name: 'github',
        app_id: '**',
        app_secret: '**',
        verify_ssl: false,
        provider_ignores_state: true,
        args: { scope: 'user:email' } }
  3. Run gdk restart

Simulate Arkose Error

Since there is no easy way of doing this, we need to simulate an Arkose outage on both the front-end and the back-end.

  1. Go to the /users/sign_up page and open your Network tab.
  2. Block the https://client-api.arkoselabs.com domain so the Arkose JS script doesn't load on the client side.

(screenshot: blocking-arkose)

  3. Now, try signing up using GitHub. You should see an error message saying There was an error loading the user verification challenge ...
  4. Simulate an Arkose outage on the back-end by applying the following patch:
diff --git a/ee/app/services/arkose/status_service.rb b/ee/app/services/arkose/status_service.rb
index aee9f73b7c6b..88e2bb121448 100644
--- a/ee/app/services/arkose/status_service.rb
+++ b/ee/app/services/arkose/status_service.rb
@@ -10,7 +10,7 @@ def execute
       response = Gitlab::HTTP.get(ARKOSE_STATUS_URL)
 
       if response.success?
-        indicator = Gitlab::Json.parse(response.body).dig('status', 'indicator')
+        indicator = 'critical' #Gitlab::Json.parse(response.body).dig('status', 'indicator')
 
         return success if ARKOSE_SUCCESS_INDICATOR.include?(indicator)
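Review bot: the override at `indicator = 'critical'` only drives the `response.success?` branch, so this simulation never exercises what `execute` returns when `Gitlab::HTTP.get(ARKOSE_STATUS_URL)` comes back non-2xx or raises (timeout, connection refused); since that path decides whether an unreachable status endpoint fails open or closed for sign-up, it deserves a second local patch that raises from the `Gitlab::HTTP.get` call and a check that sign-up is still blocked. Leaving the original parse call as a trailing comment is fine for a throwaway local patch, but make sure this hunk is never committed.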
  5. Now try to sign up again. Since Arkose's status API now reports that the service is down, sign-up is allowed and no error message is shown.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra
