Add recaptcha to phone verification
What does this MR do and why?
- Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/543
- Related to an incident, https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17141
- In the previous MR, we showed the user an arkose captcha if they made more than 2 incorrect verification attempts while verifying their phone number.
- In this MR, we are trying to limit a DDoS on our phone verification endpoint. Hence, if the total number of requests exceeds 16K in a day, we will show reCAPTCHA to all users during phone verification (irrespective of verification attempts) and stop showing Arkose.
- Having two captchas is confusing at the moment, so in a follow-up issue, https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/555 we will be consolidating them into one.
Screenshots or screen recordings
How to set up and validate locally
- Turn on the feature flags:
  ```ruby
  Feature.enable(:identity_verification)
  Feature.enable(:identity_verification_phone_number)
  Feature.enable(:soft_limit_daily_phone_verifications)
  ```
- Update the application settings to turn on identity verification:
  ```ruby
  ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")
  ```
- Get credentials from 1Password to connect to our external services. They will be under `ArkoseLabs API keys (Development)`, `Telesign API keys (Development)` and `Google reCAPTCHA (Development)`:
  ```ruby
  ApplicationSetting.first.update(arkose_labs_public_api_key: XX, arkose_labs_private_api_key: XX)
  ApplicationSetting.first.update(telesign_customer_xid: XX, telesign_api_key: XX)
  ApplicationSetting.first.update(recaptcha_site_key: XX, recaptcha_private_key: XX)
  ```
- Sign up as a new user at `/users/sign_up`. You should see a page with the content "Help us keep GitLab secure".
- Turn on phone verification for that user:
  ```ruby
  UserCustomAttribute.where(user: User.last, key: 'arkose_risk_band').update(value: 'MEDIUM')
  User.last.update(confirmed_at: Time.now)
  ```
- To trigger reCAPTCHA, apply the following patch (in order to test this we need to reduce the threshold for the number of requests from 16K to 1):
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index 5a57a14c4209..3a801c370e71 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -55,7 +55,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize
phone_verification_challenge: { threshold: 2, interval: 1.day },
phone_verification_send_code: { threshold: 5, interval: 1.day },
phone_verification_verify_code: { threshold: 5, interval: 1.day },
- soft_phone_verification_transactions_limit: { threshold: 16_000, interval: 1.day },
+ soft_phone_verification_transactions_limit: { threshold: 1, interval: 1.day },
namespace_exists: { threshold: 20, interval: 1.minute },
update_namespace_name: { threshold: -> { application_settings.update_namespace_name_rate_limit }, interval: 1.hour },
fetch_google_ip_list: { threshold: 10, interval: 1.minute },
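Review bot: this hunk is a local-testing change only and must not be part of the merged MR; lowering `soft_phone_verification_transactions_limit` to `threshold: 1` is what makes the step below trip the limit after two `throttled?` calls, since the limiter only reports throttled once the daily count exceeds the threshold. Consider expressing the `16_000` threshold as an application setting lambda, as `update_namespace_name` does two lines below in the context, so the limit can be tuned in production and during testing without a code patch.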
- Then run the following command in the Rails console twice:
  ```ruby
  Gitlab::ApplicationRateLimiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil)
  ```
- Lastly, refresh the page. You should see a card for phone verification with reCAPTCHA.
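The decision described in "What does this MR do and why?" (reCAPTCHA for everyone once the global daily soft limit is exceeded, otherwise Arkose after more than 2 incorrect attempts) and the reason the validation step above calls `throttled?` twice can be seen together in the following added example. It is not GitLab's code: `FakeRateLimiter`, `phone_verification_challenge` and `record_incorrect_attempt` are stand-ins written for this illustration, and the only thing they borrow from the real limiter is its shape (increment the counter for a key and scope, report throttled once the count exceeds the threshold). The thresholds are the ones visible in the diff context above.

```ruby
# Added illustration, not GitLab's Gitlab::ApplicationRateLimiter.
# It models only the behaviour the MR relies on: a counter per (key, scope)
# that is throttled once it EXCEEDS the threshold (so threshold 1 trips on
# the second call), and the captcha decision built on top of it.
class FakeRateLimiter
  # Thresholds copied from the rate_limits hash shown in the MR's diff.
  RATE_LIMITS = {
    phone_verification_challenge: { threshold: 2 },
    soft_phone_verification_transactions_limit: { threshold: 16_000 }
  }.freeze

  def initialize
    @counters = Hash.new(0)
  end

  # scope: nil means a single global counter shared by every user;
  # peek: true reads the counter without incrementing it.
  def throttled?(key, scope:, threshold: nil, peek: false)
    limit = threshold || RATE_LIMITS.fetch(key)[:threshold]
    counter_key = [key, scope]
    @counters[counter_key] += 1 unless peek
    @counters[counter_key] > limit
  end
end

# Called on every phone verification request for a user.
# Returns :recaptcha once the global daily soft limit is exceeded (Arkose is
# no longer shown at all), :arkose when this user has more than 2 incorrect
# attempts, and :none otherwise. soft_limit_threshold is an assumed knob that
# plays the role of the patched threshold in the validation steps.
def phone_verification_challenge(limiter, user_id, soft_limit_threshold: nil)
  if limiter.throttled?(:soft_phone_verification_transactions_limit,
                        scope: nil, threshold: soft_limit_threshold)
    :recaptcha
  elsif limiter.throttled?(:phone_verification_challenge, scope: user_id, peek: true)
    :arkose
  else
    :none
  end
end

# Only incorrect verification attempts count toward the Arkose threshold.
def record_incorrect_attempt(limiter, user_id)
  limiter.throttled?(:phone_verification_challenge, scope: user_id)
end

if __FILE__ == $PROGRAM_NAME
  limiter = FakeRateLimiter.new
  3.times { record_incorrect_attempt(limiter, 42) }
  # With the patched threshold of 1 the first request still passes (1 is not > 1)
  # and the second one trips the soft limit, matching "run the command twice".
  puts phone_verification_challenge(limiter, 42, soft_limit_threshold: 1) # :arkose
  puts phone_verification_challenge(limiter, 42, soft_limit_threshold: 1) # :recaptcha
end
```

Run it with `ruby phone_verification_example.rb`. Because the soft limit is keyed with `scope: nil`, the counter is global: once any mix of users pushes it past the threshold, every user sees reCAPTCHA for the rest of the day, which is the behaviour this MR introduces.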
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Hinam Mehra