
Force show Arkose challenge when phone verifications hard limit is hit

Eugie Limpin requested to merge el-show-arkose-challenge-for-all-users into master

What does this MR do and why?

Resolves the "Add field in Data Exchange payload to force challenge when hard rate limit is exceeded" task of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/529+.

This MR updates the signup flow so that when the threshold of the hard_phone_verification_transactions_limit rate limit (documentation) is exceeded, we ask Arkose to always show a challenge that the user has to pass before they can complete signup. This is done by adding an interactive field with the value 'true' to the Data Exchange JSON payload sent to Arkose on signup (implemented in !139070 (merged)).

Screenshots or screen recordings

Screen_Recording_2024-01-18_at_9.57.29_AM

How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:arkose_labs_signup_data_exchange)
  2. Configure application settings

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  3. Simulate the scenario where the hard_phone_verification_transactions_limit rate limit has been exceeded

    # ee/app/helpers/ee/registrations_helper.rb
    def arkose_labs_data_exchange_payload
      ...
      # Local-only change to simulate the hard limit being exceeded: bypass the
      # real rate-limit check and force the flag on. Revert before committing.
      # always_show_challenge =
      #     PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded?
      always_show_challenge = true

      # Forwarded to the payload builder; a true value is what makes Arkose
      # always show the challenge instead of running in transparent mode.
      Arkose::DataExchangePayload.new(
        request,
        use_case: use_case,
        disable_transparent_mode: always_show_challenge
      ).build
    end
  4. Go to the signup page

  5. Verify that the Arkose Labs challenge is always shown
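To make the payload change concrete, here is an added example (not GitLab's own Arkose::DataExchangePayload, whose field names and encryption details are not shown on this page). It builds a minimal Data Exchange payload, adds the interactive field only when the hard limit has been exceeded, and encrypts it with AES-256-GCM under a constructed key so that the round trip, and the failure with a wrong or tampered blob, can be checked. The payload fields other than interactive, the base64(iv || ciphertext || tag) framing, the Request struct and the key handling are assumptions.

```ruby
# Added example; stand-in for the real Arkose::DataExchangePayload, which is
# not shown on this page. Field names other than `interactive`, the
# AES-256-GCM blob framing and the Request struct are assumptions.
require 'json'
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed key standing in for arkose_labs_data_exchange_key ("ZZZ" above).
DATA_EXCHANGE_KEY = Base64.strict_encode64(SecureRandom.random_bytes(32))

# Minimal stand-in for the controller `request` the helper receives.
Request = Struct.new(:remote_ip, :user_agent, keyword_init: true)

# Plaintext payload. The MR's change is the conditional at the end: once the
# hard_phone_verification_transactions_limit has been exceeded, add
# `interactive: 'true'` so Arkose always shows a challenge.
def build_payload(request, use_case:, hard_limit_exceeded:)
  payload = {
    'timestamp'  => Time.now.to_i.to_s,
    'ip_address' => request.remote_ip,
    'user_agent' => request.user_agent,
    'use_case'   => use_case
  }
  payload['interactive'] = 'true' if hard_limit_exceeded
  payload
end

# Encrypt the JSON payload with AES-256-GCM and return
# base64(iv || ciphertext || tag). A fresh random IV per blob matters:
# GCM nonce reuse under one key leaks the XOR of plaintexts and the tag key.
def encrypt_blob(payload, key_b64)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = Base64.strict_decode64(key_b64)
  iv = cipher.random_iv # 12 bytes for GCM
  ciphertext = cipher.update(JSON.generate(payload)) + cipher.final
  Base64.strict_encode64(iv + ciphertext + cipher.auth_tag)
end

# Reverse of encrypt_blob. Returns nil when the blob is malformed, has been
# tampered with, or was encrypted under another key, which is the situation
# the `arkose.data_exchange_blob_decrypted: false` log field would report.
def decrypt_blob(blob_b64, key_b64)
  raw = Base64.strict_decode64(blob_b64)
  return nil if raw.bytesize < 12 + 16

  iv, ciphertext, tag = raw[0, 12], raw[12...-16], raw[-16, 16]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = Base64.strict_decode64(key_b64)
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# End to end: does the decrypted blob, as Arkose would see it, force a challenge?
def challenge_forced?(request, use_case:, hard_limit_exceeded:, key_b64: DATA_EXCHANGE_KEY)
  payload = build_payload(request, use_case: use_case, hard_limit_exceeded: hard_limit_exceeded)
  decrypted = decrypt_blob(encrypt_blob(payload, key_b64), key_b64)
  !decrypted.nil? && decrypted['interactive'] == 'true'
end

if __FILE__ == $PROGRAM_NAME
  req = Request.new(remote_ip: '203.0.113.7', user_agent: 'Mozilla/5.0 (constructed)')
  puts "hard limit exceeded -> challenge forced: #{challenge_forced?(req, use_case: 'SIGN_UP', hard_limit_exceeded: true)}"
  puts "hard limit not hit  -> challenge forced: #{challenge_forced?(req, use_case: 'SIGN_UP', hard_limit_exceeded: false)}"
end
```

The tampering case is the one worth keeping in mind when debugging locally: because GCM authenticates the whole blob, a single flipped byte or a key that differs from the one Arkose holds yields no plaintext at all rather than a payload with a missing field, so a decrypt failure shows up as `blob_decrypted: false` with no telltale, not as a partially applied payload.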

Another way to verify is to check the logs:

  1. In your terminal: tail -f log/application_json.log

  2. Go to the signup page

  3. Fill in the form and solve the challenge

  4. Submit the signup form

  5. Check the logs and validate that an entry is present with the following fields

    {
      "severity": "INFO",
      ...
      "message": "Arkose verify response",
      ...
      "arkose.custom_telltale_list": [
        {
          "name": "gitlab-h-challengelist-customer-id-8-true",
          "weight": 0
        }
      ],
      "arkose.data_exchange_blob_received": true,
      "arkose.data_exchange_blob_decrypted": true
    }
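The log check in step 5 can be scripted instead of eyeballed. The following is an added example, not part of the MR: it reads JSON lines shaped like log/application_json.log, keeps only the "Arkose verify response" entries, and reports the three fields the step asks for. The sample lines are constructed; the telltale name is copied from the expected entry above, and the verdict symbols only restate which fields were present or absent.

```ruby
# Added example, not part of the MR. Checks application_json.log lines for
# the "Arkose verify response" entry described above. Sample lines are
# constructed; EXPECTED_TELLTALE is copied from the page's expected entry.
require 'json'

EXPECTED_TELLTALE = 'gitlab-h-challengelist-customer-id-8-true'

# Constructed log excerpt: one unrelated entry, one non-JSON line (tail
# output can interleave these), and one verify response matching the page.
SAMPLE_LOG = <<~LOG
  {"severity":"INFO","time":"2024-01-18T09:57:20.000Z","message":"Some unrelated entry"}
  this line is not JSON and must be skipped
  {"severity":"INFO","time":"2024-01-18T09:57:29.000Z","message":"Arkose verify response","arkose.custom_telltale_list":[{"name":"gitlab-h-challengelist-customer-id-8-true","weight":0}],"arkose.data_exchange_blob_received":true,"arkose.data_exchange_blob_decrypted":true}
LOG

def parse_json_line(line)
  JSON.parse(line)
rescue JSON::ParserError
  nil
end

# Only the Arkose verify responses, in log order.
def arkose_verify_entries(log_text)
  log_text.each_line.filter_map do |line|
    entry = parse_json_line(line)
    entry if entry.is_a?(Hash) && entry['message'] == 'Arkose verify response'
  end
end

# Summarise one verify response for the fields step 5 asks for. The verdict
# is purely a function of which fields are present:
#   :blob_not_received  - arkose.data_exchange_blob_received is not true
#   :blob_not_decrypted - received, but arkose.data_exchange_blob_decrypted is not true
#   :telltale_missing   - blob accepted, but the expected telltale is absent
#   :challenge_forced   - all three present, as in the expected entry
def forced_challenge_check(entry)
  telltales = Array(entry['arkose.custom_telltale_list']).filter_map { |t| t['name'] if t.is_a?(Hash) }
  received  = entry['arkose.data_exchange_blob_received'] == true
  decrypted = entry['arkose.data_exchange_blob_decrypted'] == true
  verdict =
    if !received then :blob_not_received
    elsif !decrypted then :blob_not_decrypted
    elsif telltales.include?(EXPECTED_TELLTALE) then :challenge_forced
    else :telltale_missing
    end
  { time: entry['time'], received: received, decrypted: decrypted, telltales: telltales, verdict: verdict }
end

def check_log(log_text)
  arkose_verify_entries(log_text).map { |entry| forced_challenge_check(entry) }
end

if __FILE__ == $PROGRAM_NAME
  # Run against a real log with: ruby this_file.rb < log/application_json.log
  input = $stdin.tty? ? SAMPLE_LOG : $stdin.read
  check_log(input).each { |result| puts result.inspect }
end
```

Reading the verdicts is where the two application settings above come back in: a `:blob_not_received` result means the payload never made it into the request, while `:blob_not_decrypted` means Arkose got a blob it could not open, which (as an assumption about the failure mode, not something the page states) most plausibly points at an arkose_labs_data_exchange_key that does not match the key Arkose holds.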
    

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
