
Add recaptcha to phone verification

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

  1. Turn on the feature flags:

     Feature.enable(:identity_verification)
     Feature.enable(:identity_verification_phone_number)
     Feature.enable(:soft_limit_daily_phone_verifications)

  2. Update the application setting to turn on identity verification:

     ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")

  3. Get credentials from 1Password to connect to our external services. They will be under ArkoseLabs API keys (Development), Telesign API keys (Development) and Google reCAPTCHA (Development):

     ApplicationSetting.first.update(arkose_labs_public_api_key: XX, arkose_labs_private_api_key: XX)
     ApplicationSetting.first.update(telesign_customer_xid: XX, telesign_api_key: XX)
     ApplicationSetting.first.update(recaptcha_site_key: XX, recaptcha_private_key: XX)

  4. Sign up as a new user at /users/sign_up. You should see a page with the content "Help us keep GitLab secure".

  5. Turn on phone verification for that user:

     UserCustomAttribute.where(user: User.last, key: 'arkose_risk_band').update(value: 'MEDIUM')
     User.last.update(confirmed_at: Time.now)

  6. To trigger reCAPTCHA, apply the following patch (to test this locally we need to reduce the threshold for the number of requests from 16K to 1):
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index 5a57a14c4209..3a801c370e71 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -55,7 +55,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize
           phone_verification_challenge: { threshold: 2, interval: 1.day },
           phone_verification_send_code: { threshold: 5, interval: 1.day },
           phone_verification_verify_code: { threshold: 5, interval: 1.day },
-          soft_phone_verification_transactions_limit: { threshold: 16_000, interval: 1.day },
+          soft_phone_verification_transactions_limit: { threshold: 1, interval: 1.day },
           namespace_exists: { threshold: 20, interval: 1.minute },
           update_namespace_name: { threshold: -> { application_settings.update_namespace_name_rate_limit }, interval: 1.hour },
           fetch_google_ip_list: { threshold: 10, interval: 1.minute },
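Review bot: this hunk is a local-testing aid only (the description applies it to drop `soft_phone_verification_transactions_limit` from `16_000` to `1`), so make sure it is not committed with the MR; the `16_000` / `1.day` pair is the intended production soft limit. Also worth noting for reviewers: unlike the `phone_verification_*` entries above it, this limit is checked with `scope: nil` (see the rails console command below), so it is one global daily counter across all users rather than a per-user one, which is what makes it a site-wide reCAPTCHA trigger.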
  7. Run the following command in the rails console twice:

     Gitlab::ApplicationRateLimiter.throttled?(:soft_phone_verification_transactions_limit, scope: nil)

  8. Lastly, refresh the page. You should see a card for phone verification with reCAPTCHA.
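To make the behaviour being validated in steps 6 to 8 concrete, here is an added, self-contained Ruby model of a daily soft limit that gates phone verification behind reCAPTCHA once the limit is exceeded. This is illustration code written for this page, not GitLab's `Gitlab::ApplicationRateLimiter`; the class names `SoftLimit` and `PhoneVerificationGate`, the `peek:` keyword, and the injected `clock` are all assumptions. It reproduces the "run it twice" effect from step 7: with a threshold of 1 the first counted call is still under the limit, the second pushes it over, and only then does the gate ask for a reCAPTCHA challenge.

```ruby
# Added example, not GitLab's code. Hypothetical names: SoftLimit,
# PhoneVerificationGate. Models a global (scope: nil) daily transaction
# limit that switches the phone-verification form to reCAPTCHA when exceeded.

class SoftLimit
  # threshold: transactions allowed per interval before the limit is "exceeded"
  # interval:  window length in seconds (86_400 == 1.day)
  # clock:     injectable time source so the window expiry can be tested offline
  def initialize(threshold:, interval:, clock: -> { Time.now.to_i })
    @threshold = threshold
    @interval = interval
    @clock = clock
    @counters = Hash.new { |h, k| h[k] = [] } # scope => list of timestamps
  end

  # Count one transaction for +scope+ (nil = one global counter, as in the
  # rails console command in step 7) and report whether the window now holds
  # more than +threshold+ entries. With peek: true nothing is recorded, the
  # current state is only inspected.
  def throttled?(scope: nil, peek: false)
    now = @clock.call
    window = @counters[scope]
    window.reject! { |t| t <= now - @interval } # drop entries outside the window
    window << now unless peek
    window.size > @threshold
  end
end

class PhoneVerificationGate
  def initialize(limit)
    @limit = limit
  end

  # Decide what the phone-verification form should do for one "send code"
  # request. recaptcha_verified is the outcome of server-side token
  # verification, assumed to happen elsewhere.
  #   :recaptcha_required  -> soft limit exceeded and no valid reCAPTCHA yet
  #   :code_sent           -> transaction allowed and counted against the limit
  def request_code(recaptcha_verified: false)
    if @limit.throttled?(scope: nil, peek: true) && !recaptcha_verified
      return :recaptcha_required
    end

    @limit.throttled?(scope: nil) # record the transaction
    :code_sent
  end
end

# Stand-alone demo with the threshold lowered to 1, as in the test patch.
if $PROGRAM_NAME == __FILE__
  demo_limit = SoftLimit.new(threshold: 1, interval: 86_400)
  demo_gate = PhoneVerificationGate.new(demo_limit)
  3.times { |i| puts "request #{i + 1}: #{demo_gate.request_code}" }
  puts "with reCAPTCHA: #{demo_gate.request_code(recaptcha_verified: true)}"
end
```

The split between `peek: true` for the decision and a counted call for the actual transaction matters: if the gate counted every attempt, users who merely loaded the form while the limit was exceeded would keep the counter pinned above the threshold, whereas only completed sends should consume the daily budget.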

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra
