
User must solve Arkose challenge to send phone number verification code

Eugie Limpin requested to merge el-opt-in-iv-require-arkose-challenge into master

Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/656+.

Context

Currently, users go through identity verification (let's call this signup IV) as part of the signup process. Moving forward, we want to require users¹ that have already started using GitLab to go through the same identity verification process (let's call this active user IV), where they can verify a phone number/credit card in exchange for in-app benefits (e.g. the ability to run pipelines, create more groups, etc.).

See https://gitlab.com/groups/gitlab-org/modelops/anti-abuse/-/epics/32+ for more info.

¹ Limited to users that did not go through phone number and/or credit card verification during signup.

What does this MR do and why?

More context: when certain limits¹ are exceeded, signup IV requires the user to solve an Arkose challenge before they can send a phone number verification code or verify a code they received.

This MR updates the common Identity Verification components/modules to enable reuse of the code required to show an Arkose challenge to a user. The existing code is then reused to update active user IV (no changes to signup IV) such that it always requires users to solve an Arkose challenge before they can send a phone number verification code.

¹ For example, when a user exceeds the daily phone number verification rate limit.
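To make the gating rule concrete, here is an added Ruby illustration (not GitLab's code; the class, method and verifier names are hypothetical) of a server-side gate that requires a verified, single-use Arkose token before a code is sent: always for active user IV, and only once a limit is exceeded for signup IV.

```ruby
# Added illustration, not GitLab's code: server-side gate deciding whether a
# phone verification code may be sent. All names here are hypothetical.
require 'set'

class PhoneVerificationGate
  Result = Struct.new(:allowed, :reason)

  # verifier: object responding to verify(token) -> true/false; stands in for
  # the server-side call that validates an Arkose token.
  def initialize(verifier:)
    @verifier = verifier
    @used_tokens = Set.new # tokens already consumed, so one cannot be replayed
  end

  # flow: :signup or :active_user.
  # rate_limited: whether the user exceeded a limit such as the daily
  # send-code rate limit.
  def arkose_required?(flow:, rate_limited:)
    case flow
    when :active_user then true          # always required, per this MR
    when :signup      then rate_limited  # only once a limit is exceeded
    else raise ArgumentError, "unknown flow #{flow.inspect}"
    end
  end

  # Returns a Result; the code is only "sent" when the gate passes.
  def send_code(flow:, rate_limited:, arkose_token: nil)
    if arkose_required?(flow: flow, rate_limited: rate_limited)
      return Result.new(false, :arkose_token_missing) if arkose_token.nil?
      return Result.new(false, :arkose_token_reused) if @used_tokens.include?(arkose_token)
      return Result.new(false, :arkose_verification_failed) unless @verifier.verify(arkose_token)

      @used_tokens << arkose_token # consume the token after a successful check
    end
    Result.new(true, :code_sent) # SMS delivery (e.g. via Telesign) would happen here
  end
end

# Constructed stand-in verifier: treats tokens starting with "valid-" as solved.
class FakeArkoseVerifier
  def verify(token)
    token.start_with?('valid-')
  end
end
```

The enforcement lives entirely on the server: whether the challenge widget was shown in the browser is irrelevant, only a token that verifies and has not been used before unlocks sending.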

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

[Screen recording attachment: Screen_Recording_2024-04-22_at_12.45.14_PM]

How to set up and validate locally

  1. Start GDK simulating SaaS

     $ export GITLAB_SIMULATE_SAAS=1
     $ gdk start

  2. Enable feature flags

     $ rails c
     > Feature.enable(:opt_in_identity_verification)
     > Feature.enable(:identity_verification_phone_number)
     > Feature.enable(:identity_verification_credit_card)

  3. Set up Telesign

     $ rails c
     > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

     Credentials are in 1Password under "Telesign API Keys" (use GITLAB - DEVELOPMENT).

  4. Set up Arkose

     > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
     > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")

     Note: credentials are in 1Password under "ArkoseLabs API keys (DEVELOPMENT)".

  5. Log in as the root user

  6. Go to http://localhost:3000/-/identity_verification

  7. Validate that the Arkose challenge is shown and must be solved before the phone number verification code can be sent

Edited by Eugie Limpin
