
Soft limit daily phone verification transactions

Eugie Limpin requested to merge el-rate-limit-telesign-daily-transactions into master

What does this MR do and why?

  1. Partially resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/542+
  2. Related to incident 17141

When phone verification transactions (successfully sent SMS) exceed the daily limit of 16_000 [1], new users are assumed high risk regardless of the Arkose risk band assigned to them. The order of verification methods required for these users will be 1. email 2. credit card 3. phone. All users with a 'High' Arkose risk band (normally required to verify 1. email 2. phone 3. credit card) are also subject to this order of required verification methods until the rate limit is reset at the end of the current day (UTC).
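The behaviour above, as an added illustration that is not code from this MR or from GitLab: a fixed-window counter keyed to the UTC day (an in-memory stand-in for the Redis-backed ApplicationRateLimiter) plus the verification-order policy the description states. The class and method names are hypothetical, and the orders for 'Low' and 'Medium' bands are assumptions made for the example; only the 'High' order and the over-limit order come from the description.

```ruby
# Added example (hypothetical names, not GitLab's implementation).
require 'time'

# Counts successfully sent SMS per fixed window. Windows are aligned to the Unix
# epoch, so a 1-day interval resets at 00:00 UTC, matching "end of the current day (UTC)".
class SoftPhoneVerificationLimiter
  attr_reader :threshold, :interval

  # clock is injectable so the window boundary can be exercised deterministically.
  def initialize(threshold: 16_000, interval: 24 * 60 * 60, clock: -> { Time.now.utc })
    @threshold = threshold
    @interval = interval
    @clock = clock
    @counts = Hash.new(0) # window start (epoch seconds) => transactions in that window
  end

  def window_key
    now = @clock.call.to_i
    now - (now % interval)
  end

  # Call after a verification SMS was actually sent (the "transaction" the MR counts).
  def record_sent_sms!
    @counts[window_key] += 1
  end

  # "Soft" limit: nothing is blocked, the result only changes the required verification order.
  def exceeded?
    @counts[window_key] > threshold
  end
end

HIGH_RISK_ORDER = %i[email phone credit_card].freeze   # normal order for 'High' (from the MR)
OVER_LIMIT_ORDER = %i[email credit_card phone].freeze  # order once the daily limit is exceeded (from the MR)

# Assumption for the example: lower bands require fewer methods.
NORMAL_ORDER_BY_BAND = {
  'Low' => %i[email].freeze,
  'Medium' => %i[email phone].freeze,
  'High' => HIGH_RISK_ORDER
}.freeze

# Returns the ordered verification methods a new user must complete.
def required_verification_methods(risk_band, limiter)
  # Over the soft limit, every new user is treated as high risk and phone moves last,
  # which keeps further SMS spend behind the credit-card step.
  return OVER_LIMIT_ORDER if limiter.exceeded?

  NORMAL_ORDER_BY_BAND.fetch(risk_band) { HIGH_RISK_ORDER } # unknown band: fail closed to the strictest order
end
```

With the testing-friendly values from the setup steps (threshold 2, interval 20 minutes), the third sent SMS flips `exceeded?` to true and a subsequent 'Medium' user gets email, credit card, phone; once the clock crosses the next 20-minute boundary the count starts from zero again.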

[1] Why this number?

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:identity_verification)
    > Feature.enable(:soft_limit_daily_phone_verifications)
  2. Configure application settings for Identity Verification

    > ApplicationSetting.first.update(email_confirmation_setting: 'hard')
    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY", require_admin_approval_after_user_signup: false)
    > ApplicationSetting.first.update(telesign_customer_xid: 'XXX', telesign_api_key: 'YYY')

    Note: credentials are in 1Password under Telesign API keys (Development) and ArkoseLabs API keys (Development)

  3. Update the rate limit value to testing-friendly values

    # ee/lib/ee/gitlab/application_rate_limiter.rb
    
    # soft_phone_verification_transactions_limit: { threshold: 16_000, interval: 1.day }
    soft_phone_verification_transactions_limit: { threshold: 2, interval: 20.minutes }
  4. Restart GDK

  5. Visit http://localhost:3000/users/sign_up to register a new user

  6. Force user to have medium risk

    > User.last.custom_attributes.by_key('arkose_risk_band').first.update!(value: 'Medium')
  7. Verify the user's email

    > User.last.update(confirmed_at: Time.zone.now)

    Screencast for steps 5-7: Screen_Recording_2023-11-30_at_5.41.12_PM
  8. On the phone verification step, send a code to a valid phone number 3 times to exceed the limit of Telesign transactions

    Note: the rate limit key has been renamed to soft_phone_verification_transactions_limit.

    Screencast: Screen_Recording_2023-11-30_at_5.58.10_PM

  9. Visit http://localhost:3000/users/sign_up again to register a new user

  10. Verify that the new user is required to complete email, credit card, and phone number verification in that exact order

    Screencast for steps 9-10: Screen_Recording_2023-11-30_at_6.01.01_PM

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
