Add increasing wait time between phone verification code sends

Eugie Limpin requested to merge el-add-phone-verification-endpoints-delay into master

What does this MR do and why?

Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/539+

Add increasing wait time between subsequent phone number verification code SMS sends after the first one.

Why?

See https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/539.

Database changes

  • sms_sent_at (smallint) and sms_send_count (datetime_with_timezone) columns are added to users_phone_number_validations table
  • No new or modified queries

Screenshots or screen recordings

SMS send number
1 Screen_Recording_2023-11-28_at_5.37.11_PM
2 Screen_Recording_2023-11-28_at_5.38.43_PM
3 Screen_Recording_2023-11-28_at_5.41.42_PM
4 Screen_Recording_2023-11-28_at_5.46.48_PM
5 (rate limited) Screen_Recording_2023-11-28_at_5.56.53_PM

How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification)
    > Feature.enable(:sms_send_wait_time)

  2. Configure application settings for Identity Verification

    > ApplicationSetting.first.update(email_confirmation_setting: 'hard')
    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY", require_admin_approval_after_user_signup: false)
    > ApplicationSetting.first.update(telesign_customer_xid: 'XXX', telesign_api_key: 'YYY')

    Note: credentials are in 1Password under Telesign API keys (Development) and ArkoseLabs API keys (Development)

  3. Register a new user

  4. Force user to have medium risk

    > User.last.custom_attributes.by_key('arkose_risk_band').first.update!(value: 'Medium')

  5. Verify the user's email

    > User.last.update(confirmed_at: Time.zone.now)

  6. On the phone verification step, send a code to a valid phone number

  7. Verify that resend links and buttons are disabled and display a 1-minute wait time

  8. Wait for the wait time to expire then send another code

  9. Verify that resend links and buttons are disabled and display the appropriate wait time (3 minutes, 5 minutes, 10 minutes, rate limited). See the demo videos above.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
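
A server-side sketch of the wait schedule in the validation steps above (1, 3, 5, 10 minutes, then rate limited), added here as an illustration and not taken from this MR's code. The class and method names are hypothetical; only `sms_send_count` and `sms_sent_at` come from the description, and treating every send after the fifth as refused is an assumption.

```ruby
# Added illustration, not GitLab's implementation. SmsSendThrottle, Decision,
# check and record_send! are hypothetical names.
class SmsSendThrottle
  # Minutes to wait after the 1st..4th send, per the validation steps.
  WAIT_MINUTES = [1, 3, 5, 10].freeze

  Decision = Struct.new(:allowed, :retry_after, :reason)

  attr_reader :sms_send_count, :sms_sent_at

  # The two fields mirror the columns added to users_phone_number_validations.
  def initialize(sms_send_count: 0, sms_sent_at: nil)
    @sms_send_count = sms_send_count
    @sms_sent_at = sms_sent_at
  end

  # Decide on the server whether a send is allowed at time `now`. A disabled
  # resend button only mirrors this result; it does not enforce it.
  def check(now)
    return Decision.new(true, 0, :first_send) if @sms_send_count.zero?
    # Assumption: once the schedule is exhausted, further sends are refused.
    return Decision.new(false, nil, :rate_limited) if @sms_send_count > WAIT_MINUTES.size

    wait_seconds = WAIT_MINUTES[@sms_send_count - 1] * 60
    remaining = (@sms_sent_at + wait_seconds - now).ceil
    remaining > 0 ? Decision.new(false, remaining, :wait) : Decision.new(true, 0, :ok)
  end

  # Update the counters only when the send is actually permitted, so refused
  # requests cannot push the window forward or inflate the count.
  def record_send!(now)
    decision = check(now)
    return decision unless decision.allowed

    @sms_send_count += 1
    @sms_sent_at = now
    decision
  end
end

if __FILE__ == $PROGRAM_NAME
  start = Time.at(1_700_000_000) # constructed timestamp
  throttle = SmsSendThrottle.new
  [0, 30, 60, 120, 240].each do |offset| # constructed request times, in seconds
    d = throttle.record_send!(start + offset)
    puts "t+#{offset}s allowed=#{d.allowed} retry_after=#{d.retry_after.inspect} reason=#{d.reason}"
  end
end
```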