Do not offer exemption when credit card is required

Ian Anderson requested to merge do-not-show-exemption-when-cc-is-required into master

What does this MR do and why?

closes: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/587

This MR removes the option to "verify with a phone number instead" when credit card validation is required.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before, the user would see an option to "verify with a phone number instead" even if verifying with a phone number was a required identity verification step. This MR changes the behavior to only present that option when credit card verification is not required.

[Screenshots: Before | After]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Configure SaaS mode in GDK by setting the environment variable GITLAB_SIMULATE_SAAS=1
  2. Configure the following settings. Development credentials for Telesign and Arkose are available in 1Password.

      ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
      ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
      ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
      ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)

  3. Enable the following feature flags.

      Feature.enable(:arkose_labs_signup_challenge)
      Feature.enable(:identity_verification)
      Feature.enable(:identity_verification_phone_number)
      Feature.enable(:identity_verification_credit_card)

  4. From the GDK home screen, attempt to register as a new user. When prompted for email verification, enter the following in the Rails console.

      u = User.last
      risk_band = u.custom_attributes.by_key('arkose_risk_band').first
      risk_band.update(value: 'Medium')
      u.confirm

  5. Refresh the page. Your email should now be confirmed and you should be prompted to validate your phone number. You should see an option to be able to verify with a credit card and be able to click that link to toggle between verifying with a credit card or a phone number.
  6. Assume high risk for the user.

      u.assume_high_risk!(reason: 'risky user')

  7. When the page is refreshed, you should see credit card and phone verification steps being required and no link to "verify with (phone number|credit card) instead".
Edited by Ian Anderson
