Force show Arkose challenge when phone verifications hard limit is hit
What does this MR do and why?
Resolves the "Add field in Data Exchange payload to force challenge when hard rate limit is exceeded" task of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/529+.
This MR updates the signup flow so that, once the `hard_phone_verification_transactions_limit` rate limit (documentation) is exceeded, we ask Arkose to always show a challenge that the user has to pass before they can complete signup. This is done by adding an `interactive` field with the value `true` to the Data Exchange JSON payload sent to Arkose on signup (implemented in !139070 (merged)).
Screenshots or screen recordings
Screen_Recording_2024-01-18_at_9.57.29_AM
How to set up and validate locally
- Enable the relevant feature flags:

  ```ruby
  Feature.enable(:arkose_labs_signup_challenge)
  Feature.enable(:arkose_labs_signup_data_exchange)
  ```

- Configure application settings:

  ```ruby
  ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
  ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")
  ```

  Note: credentials are in 1Password under "ArkoseLabs API keys (DEVELOPMENT)".

- Simulate the `hard_phone_verification_transactions_limit` rate limit exceeded scenario by temporarily hardcoding `always_show_challenge` to `true`:

  ```ruby
  # ee/app/helpers/ee/registrations_helper.rb
  def arkose_labs_data_exchange_payload
    ...
    # always_show_challenge =
    #   PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded?
    always_show_challenge = true

    Arkose::DataExchangePayload.new(
      request,
      use_case: use_case,
      disable_transparent_mode: always_show_challenge
    ).build
  end
  ```

- Go to the signup page.
- Verify that the Arkose Labs challenge is always shown.
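The decision the helper above makes, as an added stand-alone example (this is not GitLab's code and does not use the real `Arkose::DataExchangePayload` or `PhoneVerification::Users::RateLimitService`): a hypothetical `HardLimitCounter` stands in for the rate limit service, and a hypothetical `DataExchangeBlob` builds the payload, adding `interactive: true` only when the hard limit has been exceeded. The blob encoding is an assumption made for the example, not taken from the page: the JSON is encrypted with AES-256-GCM under the shared data exchange key and serialised as base64(iv) + "." + base64(ciphertext || tag). The point of using authenticated encryption is that the blob travels through the user's browser, so an unauthenticated encoding would let a bot strip the `interactive` flag before the blob reaches Arkose.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Added example, not GitLab's code. It models the decision this MR makes:
# when the daily hard limit on phone verification transactions is exceeded,
# the Data Exchange payload sent to Arkose carries `interactive: true` so the
# challenge is always shown instead of possibly passing in transparent mode.

# Hypothetical stand-in for PhoneVerification::Users::RateLimitService:
# an in-memory counter with a hard daily limit.
class HardLimitCounter
  def initialize(limit:)
    @limit = limit
    @count = 0
  end

  def record!
    @count += 1
  end

  # True once the limit has been reached; callers should then force a challenge.
  def daily_transaction_hard_limit_exceeded?
    @count >= @limit
  end
end

# Hypothetical builder for the Data Exchange blob. Assumption (not from the
# page): the JSON payload is encrypted with AES-256-GCM under the shared data
# exchange key and serialised as base64(iv) + "." + base64(ciphertext || tag).
class DataExchangeBlob
  CIPHER = 'aes-256-gcm'
  TAG_LEN = 16

  def initialize(key_b64)
    @key = Base64.strict_decode64(key_b64)
    raise ArgumentError, 'data exchange key must be 32 bytes' unless @key.bytesize == 32
  end

  # force_challenge mirrors the MR's `disable_transparent_mode:` argument.
  def build(use_case:, ip:, user_agent:, force_challenge:, now: Time.now)
    payload = {
      'timestamp' => now.to_i.to_s,
      'use_case' => use_case,
      'ip_address' => ip,
      'HEADER_user-agent' => user_agent
    }
    # Only present when we want Arkose to always show the challenge.
    payload['interactive'] = true if force_challenge
    encrypt(JSON.generate(payload))
  end

  # Decrypts and verifies the tag; raises OpenSSL::Cipher::CipherError on tampering.
  def decrypt(blob)
    iv_b64, data_b64 = blob.split('.', 2)
    iv = Base64.strict_decode64(iv_b64)
    data = Base64.strict_decode64(data_b64)
    ciphertext = data[0...-TAG_LEN]
    tag = data[-TAG_LEN..]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  end

  # True only if the blob decrypts and its GCM tag verifies.
  def authentic?(blob)
    decrypt(blob)
    true
  rescue OpenSSL::Cipher::CipherError
    false
  end

  private

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv # fresh 12-byte nonce per blob; never reuse under one key
    cipher.auth_data = ''
    ciphertext = cipher.update(plaintext) + cipher.final
    "#{Base64.strict_encode64(iv)}.#{Base64.strict_encode64(ciphertext + cipher.auth_tag)}"
  end
end

# Equivalent of the helper edited in the MR: consult the limit, then build.
def arkose_data_exchange_blob(builder, limiter, use_case:, ip:, user_agent:)
  builder.build(use_case: use_case, ip: ip, user_agent: user_agent,
                force_challenge: limiter.daily_transaction_hard_limit_exceeded?)
end

# Constructed key for the example; a real one comes from ApplicationSetting.
EXAMPLE_KEY_B64 = Base64.strict_encode64('k' * 32)

if $PROGRAM_NAME == __FILE__
  builder = DataExchangeBlob.new(EXAMPLE_KEY_B64)
  limiter = HardLimitCounter.new(limit: 2)
  2.times { limiter.record! }
  blob = arkose_data_exchange_blob(builder, limiter, use_case: 'SIGN_UP',
                                   ip: '203.0.113.5', user_agent: 'Mozilla/5.0')
  puts builder.decrypt(blob).inspect
end
```

Running the file prints the decrypted payload with `"interactive"=>true` once the counter has hit its limit; before that the key is absent, matching the commented-out check in the helper above. The `use_case` value and field names are illustrative.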
Another way to verify is to check the logs:
- In your terminal:

  ```shell
  tail -f log/application_json.log
  ```

- Go to the signup page.
- Fill in the form and solve the challenge.
- Submit the signup form.
- Check the logs and validate that an entry is present with the following fields:

  ```json
  {
    "severity": "INFO",
    ...
    "message": "Arkose verify response",
    ...
    "arkose.custom_telltale_list": [
      { "name": "gitlab-h-challengelist-customer-id-8-true", "weight": 0 }
    ],
    "arkose.data_exchange_blob_received": true,
    "arkose.data_exchange_blob_decrypted": true
  }
  ```
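The log check above, as an added example script (not part of the MR or of GitLab): it scans `application_json.log`-style lines for the "Arkose verify response" entry and tells apart the two failure modes a practitioner cares about, the blob never being sent versus being sent but not decryptable (which points at a data exchange key mismatch). The `arkose.*` field names are the ones in the expected entry above; the `arkose_verify_status` function, its diagnosis wording and the sample log lines are constructed for the example.

```ruby
require 'json'

# Added example, not GitLab's code: inspects JSON log lines for the
# "Arkose verify response" entry and reports whether the Data Exchange blob
# was received and decrypted on the Arkose side.

# Returns a hash describing the verification outcome, or nil when no
# matching entry is present in the given lines.
def arkose_verify_status(lines)
  lines.each do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # skip non-JSON noise, e.g. a half-written line from tail -f
    end
    next unless entry.is_a?(Hash) && entry['message'] == 'Arkose verify response'

    telltales = Array(entry['arkose.custom_telltale_list']).map { |t| t['name'] }
    received = entry['arkose.data_exchange_blob_received'] == true
    decrypted = entry['arkose.data_exchange_blob_decrypted'] == true
    diagnosis =
      if !received
        'blob not sent'
      elsif !decrypted
        # Received but not decrypted usually means arkose_labs_data_exchange_key
        # does not match the key configured on the Arkose side.
        'blob sent but could not be decrypted (check data exchange key)'
      else
        'ok'
      end
    return { blob_received: received, blob_decrypted: decrypted,
             diagnosis: diagnosis, telltales: telltales }
  end
  nil
end

# Constructed sample lines standing in for the real log file.
SAMPLE_LOG = [
  '{"severity":"INFO","message":"unrelated"}',
  'not json at all',
  '{"severity":"INFO","message":"Arkose verify response",' \
  '"arkose.custom_telltale_list":[{"name":"gitlab-h-challengelist-customer-id-8-true","weight":0}],' \
  '"arkose.data_exchange_blob_received":true,"arkose.data_exchange_blob_decrypted":true}'
].freeze

if $PROGRAM_NAME == __FILE__
  lines = ARGV.empty? ? SAMPLE_LOG : File.readlines(ARGV[0], chomp: true)
  puts(arkose_verify_status(lines).inspect)
end
```

Pass the log path as the first argument to run it against a real `log/application_json.log`; with no argument it uses the constructed sample lines.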
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.