Skip to content

Simplify code to determine required identity verification methods

Eugie Limpin requested to merge el-refactor-identity-verifiable into master

What does this MR do and why?

Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/435110.

Refactor IdentityVerifiable to make code to determine required identity verification methods for a user easier to follow.

This will also make it easier to update the code to return required identity verification methods for users that are already active (https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/629) like so,

Planned update 
diff --git a/ee/app/models/concerns/identity_verifiable.rb b/ee/app/models/concerns/identity_verifiable.rb
index f1560d501c64..1178b7fead69 100644
--- a/ee/app/models/concerns/identity_verifiable.rb
+++ b/ee/app/models/concerns/identity_verifiable.rb
@@ -17,6 +17,7 @@ module IdentityVerifiable
   HIGH_RISK_USER_METHODS = %w[email phone credit_card].freeze
   MEDIUM_RISK_USER_METHODS = %w[email phone].freeze
   LOW_RISK_USER_METHODS = %w[email].freeze
+  ACTIVE_USER_METHODS = %w[phone].freeze
 
   def identity_verification_enabled?
     return false unless ::Gitlab::CurrentSettings.email_confirmation_setting_hard?
@@ -70,13 +71,21 @@ def required_identity_verification_methods
   end
 
   def determine_required_methods
-    return IDENTITY_VERIFICATION_EXEMPT_METHODS if exempt_from_identity_verification?
+    unless active_user?
+      return IDENTITY_VERIFICATION_EXEMPT_METHODS if exempt_from_identity_verification?
+    end
+
     return PHONE_NUMBER_EXEMPT_METHODS if exempt_from_phone_number_verification?
     return ASSUMED_HIGH_RISK_USER_METHODS if assumed_high_risk? || affected_by_phone_verifications_limit?
-    return HIGH_RISK_USER_METHODS if high_risk?
-    return MEDIUM_RISK_USER_METHODS if medium_risk? || phone_number_verification_experiment_candidate?
 
-    LOW_RISK_USER_METHODS
+    if active_user?
+      ACTIVE_USER_METHODS
+    else
+      return HIGH_RISK_USER_METHODS if high_risk?
+      return MEDIUM_RISK_USER_METHODS if medium_risk? || phone_number_verification_experiment_candidate?
+
+      LOW_RISK_USER_METHODS
+    end
   end
 
   def verification_method_enabled?(method)
@@ -181,6 +190,10 @@ def verification_method_allowed?(method:)
 
   private
 
+  def active_user?
+    last_sign_in_at.present?
+  end
+
   def risk_profile
     @risk_profile ||= IdentityVerification::UserRiskProfile.new(self)
   end

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin

Merge request reports