
Enable phone/cc verification auto-swap for opt-in identity verification

What does this MR do and why?

Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/629?work_item_iid=655.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screen_Recording_2024-04-22_at_5.05.58_PM

How to set up and validate locally

  1. Start GDK with SaaS simulation

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Enable the relevant feature flags and configure required settings

    $ rails c
    > Feature.enable(:opt_in_identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
    > Feature.enable(:auto_request_phone_number_verification_exemption, type: :gitlab_com_derisk)
  3. Set up Telesign

    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

    Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)

  4. Update ee/lib/telesign/transaction_callback.rb to skip authentication of requests to /-/phone_verification/telesign_callback

    diff --git a/ee/lib/telesign/transaction_callback.rb b/ee/lib/telesign/transaction_callback.rb
    index 679ef54a23770..843c276183b1d 100644
    --- a/ee/lib/telesign/transaction_callback.rb
    +++ b/ee/lib/telesign/transaction_callback.rb
    @@ -14,6 +14,7 @@ def initialize(request, params)
         end
     
         def valid?
    +      return true
           return false unless signature.present?
     
           # https://developer.telesign.com/enterprise/docs/authenticate-callbacks
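Review bot: the unconditional `return true` at the top of `valid?` makes the rest of the method dead code, including `return false unless signature.present?` and the documented callback authentication below it, so while this edit is applied any POST to /-/phone_verification/telesign_callback is trusted without a signature. That is acceptable as the throwaway local-testing change step 4 describes, but it must never be committed; if a GDK bypass is wanted, gate it on an explicit development-only setting instead of an unconditional return so the production path keeps verifying the signature.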
  5. Log in as the root user

  6. Go to http://localhost:3000/-/identity_verification

  7. Send a code to a valid phone number

  8. Update the reference id of the phone number validation record that was just created

    $ rails c
    > User.first.phone_number_validation.update(telesign_reference_xid: '2557312299CC1304904080F4BE17BFB4')
  9. Send a test callback request

    $ curl -X POST http://localhost:3000/-/phone_verification/telesign_callback -H 'Content-Type: application/json' -d '{ "status": { "updated_on": "2016-07-08T20:52:46.417428Z", "code": 237, "description": "Error delivering SMS to handset (reason unknown)" }, "errors": {}, "reference_id": "2557312299CC1304904080F4BE17BFB4" }'
  10. Validate that the info alert "Phone number verification is unavailable at this time. Please verify with a credit card instead." is displayed

  11. Validate that "Step 2: Verify phone number" has been replaced with "Step 2: Verify a payment method"
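The validation steps above exercise a callback handler that (a) authenticates the Telesign callback and (b) swaps the UI from phone to credit-card verification when SMS delivery fails. The following is an added, self-contained Ruby model of that flow written for this page; it is not GitLab's ee/lib/telesign/transaction_callback.rb and does not implement Telesign's documented signing scheme. The shared secret, the HMAC-over-body signature, the in-memory validation record, and the assumption that status code 237 is the only "delivery failed" code are all constructed for illustration (the sample body is the one used in step 9). It shows why step 4's `return true` is only safe locally: with the signature check in place, the same forged callback is rejected instead of flipping the record.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Constructed sample secret for this example only; a real deployment loads
# it from application settings, never from source.
CALLBACK_SECRET = 'example-shared-secret-not-real'.freeze

# Status codes treated as "SMS could not be delivered". 237 is the code from
# the page's sample callback; the full set is an assumption left to the
# provider's documentation.
DELIVERY_FAILURE_CODES = [237].freeze

# Sign a raw request body the way the constructed sample sender would
# (HMAC-SHA256 over the body, base64-encoded). Not Telesign's real scheme.
def sign(body, secret = CALLBACK_SECRET)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, body))
end

# Constant-time string comparison so a mismatch position cannot be timed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Predicate mirroring a `valid?` check: false for a missing or mismatched
# signature, never an exception, so callers fail closed.
def valid_signature?(body, signature, secret = CALLBACK_SECRET)
  return false if signature.nil? || signature.empty?

  secure_equal?(sign(body, secret), signature)
end

# In-memory stand-in for phone_number_validation records keyed by the
# provider reference id (constructed data; a real app queries the DB).
VALIDATIONS = {
  '2557312299CC1304904080F4BE17BFB4' => { user_id: 1, state: :pending }
}.freeze

# Process one callback. Returns a symbol describing the outcome:
#   :rejected      signature missing/invalid or body not JSON; payload ignored
#   :unknown_ref   no record for reference_id
#   :swap_to_card  delivery failed; the UI should offer credit card instead
#   :delivered     SMS delivered; keep the phone verification flow
def handle_callback(body, signature, validations = VALIDATIONS)
  # Authenticate before parsing: an unauthenticated caller must not be able
  # to influence any record, which is exactly what `return true` would allow.
  return :rejected unless valid_signature?(body, signature)

  payload = JSON.parse(body)
  record = validations[payload['reference_id']]
  return :unknown_ref unless record

  if DELIVERY_FAILURE_CODES.include?(payload.dig('status', 'code'))
    record[:state] = :phone_unavailable
    :swap_to_card
  else
    :delivered
  end
rescue JSON::ParserError
  :rejected
end

# The step 9 callback body, reconstructed as constructed sample input.
SAMPLE_BODY = JSON.generate(
  'status' => {
    'updated_on' => '2016-07-08T20:52:46.417428Z',
    'code' => 237,
    'description' => 'Error delivering SMS to handset (reason unknown)'
  },
  'errors' => {},
  'reference_id' => '2557312299CC1304904080F4BE17BFB4'
)

if $PROGRAM_NAME == __FILE__
  records = { '2557312299CC1304904080F4BE17BFB4' => { user_id: 1, state: :pending } }
  puts handle_callback(SAMPLE_BODY, sign(SAMPLE_BODY), records) # swap_to_card
  puts handle_callback(SAMPLE_BODY, 'forged', records)          # rejected
end
```

The ordering matters: the signature is checked over the raw body before any JSON parsing or record lookup, so a malformed or unsigned request never touches the validation record. The record is only moved to `:phone_unavailable` on an authenticated delivery-failure code, which is the state the info alert and the "Verify a payment method" step are keyed on.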

Edited by Eugie Limpin
