
Send Data Exchange payload to ArkoseLabs during OAuth signup

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/611.

This MR updates the Vue application that initializes the ArkoseLabs challenge required for OAuth users during Identity Verification. The application is updated to include the Data Exchange payload when the ArkoseLabs session is initialized, similar to what was done in !139070 (merged).

Data Exchange lets Arkose customers pass extra telemetry data ... between their servers and Arkose Labs servers. This happens when a new Arkose session is created. By augmenting the data Arkose Labs already collects with data that only our customers can collect, we can improve the Platform’s effectiveness.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screen recording attached: Screen_Recording_2024-02-20_at_3.01.53_PM)

How to set up and validate locally

  1. Enable the relevant feature flags

    > Feature.enable(:identity_verification)
    > Feature.enable(:arkose_labs_signup_challenge)
    > Feature.enable(:arkose_labs_signup_data_exchange)
  2. Configure application settings

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")
    > ApplicationSetting.first.update(email_confirmation_setting: "hard", require_admin_approval_after_user_signup: false)

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  3. (Optional) Force Arkose to always show a challenge

    # ee/app/helpers/ee/registrations_helper.rb
    def arkose_labs_data_exchange_payload
      use_case = Arkose::DataExchangePayload::USE_CASE_SIGN_UP
      # show_challenge =
      #   PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded? # Remove this
      show_challenge = true # Add this

      Arkose::DataExchangePayload.new(
        request,
        use_case: use_case,
        require_challenge: show_challenge
      ).build
    end
  4. Monitor the logs. In your terminal, run: tail -f log/application_json.log

  5. Create a test user using Rails console

    > user = FactoryBot.create(:user, :unconfirmed, email: 'a_unique_email@ex.com', username: 'a_unique_username', password: 'badpassword')
    > FactoryBot.create(:identity, provider: 'google_oauth2', user: user)
  6. Log in with the test user

  7. (Optional) Verify that you see the ArkoseLabs challenge page

  8. (Optional) Solve the puzzle

  9. Verify that you see the Identity Verification page where you are required to verify your email

  10. In the logs, search for "message":"Arkose verify response"

  11. In the same log entry, verify that "arkose.data_exchange_blob_received":true,"arkose.data_exchange_blob_decrypted":true is present
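Steps 10 and 11 can be checked without grepping by hand. The script below is an added example, not code from this MR or from GitLab; it reads JSON log lines in the shape of log/application_json.log, picks out the "Arkose verify response" entries and reports, per user, whether the Data Exchange blob was both received and decrypted. The log lines embedded in it are constructed samples, and the "username" field and the status names are assumptions of this example, not fields or values the MR defines.

```ruby
# Added example (not part of the MR): validate steps 10 and 11 against a JSON log.
# The sample log lines are CONSTRUCTED; the real file is log/application_json.log.
require 'json'

# Constructed sample: three JSON log lines plus one non-JSON line, as a real log may contain.
SAMPLE_LOG = <<~LOG
  {"severity":"INFO","time":"2024-02-20T15:01:53.000Z","message":"Arkose verify response","username":"a_unique_username","arkose.data_exchange_blob_received":true,"arkose.data_exchange_blob_decrypted":true}
  {"severity":"INFO","time":"2024-02-20T15:02:10.000Z","message":"Arkose verify response","username":"another_user","arkose.data_exchange_blob_received":true,"arkose.data_exchange_blob_decrypted":false}
  {"severity":"INFO","time":"2024-02-20T15:02:30.000Z","message":"Started GET /users/sign_in"}
  not json at all
LOG

# Parse one log line; returns nil for lines that are not JSON objects.
def parse_log_line(line)
  parsed = JSON.parse(line)
  parsed.is_a?(Hash) ? parsed : nil
rescue JSON::ParserError
  nil
end

# Step 10: the "Arkose verify response" entries, optionally filtered by the
# assumed "username" field.
def arkose_verify_entries(log_text, username: nil)
  log_text.each_line
          .map { |line| parse_log_line(line.strip) }
          .compact
          .select { |entry| entry['message'] == 'Arkose verify response' }
          .select { |entry| username.nil? || entry['username'] == username }
end

# Step 11: true only if the blob was both received and decrypted.
def data_exchange_ok?(entry)
  entry['arkose.data_exchange_blob_received'] == true &&
    entry['arkose.data_exchange_blob_decrypted'] == true
end

# Status for one user, based on that user's most recent verify entry:
# :ok, :received_not_decrypted (blob arrived but could not be decrypted,
# e.g. a mismatched arkose_labs_data_exchange_key), :not_received, or :no_entry.
def data_exchange_status(log_text, username)
  entry = arkose_verify_entries(log_text, username: username).last
  return :no_entry if entry.nil?
  return :ok if data_exchange_ok?(entry)

  entry['arkose.data_exchange_blob_received'] == true ? :received_not_decrypted : :not_received
end

if __FILE__ == $PROGRAM_NAME
  # Pass a log path as the first argument, or run with no arguments to use the sample.
  text = ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0])
  arkose_verify_entries(text).each do |entry|
    puts "#{entry['time']} #{entry['username']}: #{data_exchange_status(text, entry['username'])}"
  end
end
```

Run it as `ruby check_arkose_log.rb log/application_json.log` after completing step 9; a :received_not_decrypted result points at the data exchange key configured in step 2 rather than at the Vue change itself.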

Edited by Eugie Limpin
