
Auto-swap phone number for CC for users from Telesign-blocked countries

Eugie Limpin requested to merge el-exempt-users-from-blocked-countries into master

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/556.

Context

  1. Users required to verify their identity by providing a phone number have the option to provide credit card details instead.
     (Screenshot: "Swap phone number requirement for CC", Screenshot_2024-01-31_at_3.52.15_PM)
  2. Some countries are blocked (either by us or by Telesign themselves) in Telesign[1], making users from these countries unable to receive the phone verification code sent via SMS.

[1] Our SMS provider

What this MR does

This MR implements auto-swapping of phone number verification requirement for credit card verification when a user uses a phone number from a Telesign-blocked country.

Why?

To notify the user (via info alert) that phone number verification is unavailable and automatically switch them to credit card verification instead. This should (hopefully) lessen cases where a user is not able to receive the requested phone number verification code via SMS and has no option but to contact support to find out why.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screen recording attached: Screen_Recording_2024-01-26_at_5.07.11_PM)

How to set up and validate locally

  1. Enable the relevant feature flags and configure required settings

    $ rails c
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:auto_request_phone_number_verification_exemption, type: :gitlab_com_derisk)
    > ApplicationSetting.first.update(email_confirmation_setting: "hard", require_admin_approval_after_user_signup: false)
  2. Set up Telesign

    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

    Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)

  3. Start GDK, then use ngrok to expose your instance

    $ ngrok http http://localhost:3000

    You also need to add .ngrok-free.app to allowed_hosts

    # config/initializers/rails_host_authorization.rb
    Rails.application.config.hosts += [Gitlab.config.gitlab.host, 'unix', 'host.docker.internal', 'docker.for.mac.localhost', '.ngrok-free.app']
  4. Copy the ngrok URL for your GDK instance

  5. Set up Telesign to send transaction callbacks to the ngrok URL (if you don't have an account for the portal, please let me know so I can assist you)

    1. Login to https://teleportal.telesign.com/
    2. Select GitLab - Test Account
    3. Select SMS Verify product on the sidebar then select Overview
    4. Click Manage Settings on the upper right corner
    5. Go to Callbacks tab
    6. Add <your_ngrok_gdk_url>/-/phone_verification/telesign_callback to Transaction Callback URLs field
    (Screenshot: Screenshot_2024-01-31_at_4.02.08_PM)
  6. Create a new user. After submitting the registration form you should see the Identity Verification page ("Help us keep GitLab secure")

  7. Confirm the user's email and set arkose_risk_band to Medium

    $ rails console
    > User.last.update(confirmed_at: Time.zone.now)
    > UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'Medium')
  8. Refresh the page. You should now see the phone verification step

  9. Enter a phone number from a blocked country (e.g. 09201231234) then click Send code

  10. Validate that a callback is sent to your ngrok endpoint

    HTTP Requests
    -------------

    POST /-/phone_verification/telesign_callback 200 OK
  11. Validate that the "Phone number verification is unavailable at this time. Please verify with a credit card instead." info alert is displayed

  12. Validate that "Step 2: Verify phone number" is replaced with "Step 2: Verify a payment method"

Edited by Eugie Limpin
