
Skip Arkose challenge requirement if user already solved one

Eugie Limpin requested to merge el-skip-challenge-when-solved-on-signup into master

Implements the `Skip challenge requirement if user already solved a challenge` task of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/672+

Context

In Require Arkose challenge before send phone code... (!152335 - merged) we updated the Arkose challenge requirement during Identity Verification such that

  1. Users need to solve an Arkose challenge before they are allowed to send a phone number verification code or verify a credit card
  2. Users that are required to verify both a phone number and a credit card only need to solve an Arkose challenge to perform whichever verification method comes first

What does this MR do?

In this MR the challenge requirement is skipped if the user has previously solved a challenge. So,

  1. If a user was shown and solved an Arkose challenge during signup, they are not required to solve another challenge before they can perform phone number or credit card verification (whichever comes first)
  2. If a user was NOT shown an Arkose challenge during signup, they are required to solve a challenge before they can perform phone number or credit card verification (whichever comes first). If the user solved a challenge on their first phone number or credit card verification attempt, they are not required to solve another challenge on successive attempts.

This is achieved by setting the arkose_challenge_solved session variable. As a consequence, the flag lives only as long as the session: once the session expires, the user must solve an Arkose challenge again the next time they perform phone number or credit card verification.
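The session-flag gating described above, as an added Ruby sketch that is not the MR's own code (class and method names are hypothetical; only the `arkose_challenge_solved` session key comes from the description). It models the three cases: challenge solved at signup, challenge solved on the first verification attempt, and the flag being lost with the session.

```ruby
# Added illustration of the gating described in this MR. The class and
# method names are hypothetical; only the session key name is from the MR.
class ChallengeGate
  SESSION_KEY = :arkose_challenge_solved # session key named in the MR description

  attr_reader :session

  def initialize
    @session = {} # stands in for the Rails session hash
  end

  # Signup: the challenge may or may not be shown (decided elsewhere, e.g. by
  # signup_arkose_data_exchange_payload). If it was shown and solved, remember that.
  def complete_signup(challenge_shown:, solved: false)
    session[SESSION_KEY] = true if challenge_shown && solved
    :registered
  end

  # Called before sending a phone code or verifying a credit card.
  # Returns :proceed if a challenge was already solved in this session,
  # otherwise :challenge_required.
  def verification_attempt(method)
    raise ArgumentError, "unknown method #{method}" unless %i[phone_number credit_card].include?(method)

    session[SESSION_KEY] ? :proceed : :challenge_required
  end

  # Record a successfully verified challenge so later attempts skip it.
  def challenge_solved!
    session[SESSION_KEY] = true
  end

  # Session expiry drops the flag; the next attempt needs a challenge again.
  def expire_session!
    @session = {}
  end
end
```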

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screen_Recording_2024-05-20_at_5.49.18_PM

How to set up and validate locally

  1. Start GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Enable the feature flags

    $ rails c
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_arkose_challenge)
  3. Set up Telesign

    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

    Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)

  4. Set up Arkose

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  5. Update ee/app/helpers/ee/registrations_helper.rb so that an Arkose challenge is shown and required before a user can be created

    diff --git a/ee/app/helpers/ee/registrations_helper.rb b/ee/app/helpers/ee/registrations_helper.rb
    index d784a60b791cf..10b8a9486b3a3 100644
    --- a/ee/app/helpers/ee/registrations_helper.rb
    +++ b/ee/app/helpers/ee/registrations_helper.rb
    @@ -51,7 +51,7 @@ def registration_objective_options
         def signup_arkose_data_exchange_payload
           use_case = Arkose::DataExchangePayload::USE_CASE_SIGN_UP
           show_challenge =
    -        PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded?
    +        PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded? || true
     
           Arkose::DataExchangePayload.new(
             request,
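    Review bot: the `|| true` on the `+` line makes the `daily_transaction_hard_limit_exceeded?` call dead code and forces `show_challenge` on unconditionally, which is fine as a local-testing hack but must never be committed; if the step only needs to force the challenge, `show_challenge = true` states that more plainly and avoids calling the rate-limit service at all.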
  6. Go to http://localhost:3000/users/sign_up, fill in the signup form, solve the Arkose challenge, and then click Register

    Screen_Recording_2024-05-20_at_5.43.57_PM
  7. Set the new user's Arkose risk score to 'Medium'. This will require the user to verify their email and phone number.

    $ rails c
    > User.last.custom_attributes.find_by_key('arkose_risk_band').update(value: 'Medium')
  8. Go back to your browser, refresh, and then verify that email and phone number verification are now required

    Screenshot_2024-05-20_at_5.45.52_PM
  9. Update the user's confirmed_at in the Rails console. This marks them as email-verified and moves them on to the phone number verification step

    $ rails c
    > User.last.update(confirmed_at: Time.now)
  10. Refresh the page. Verify that an Arkose challenge is NOT required before you are allowed to send a phone number verification code

    Screenshot_2024-05-20_at_5.46.33_PM
Edited by Eugie Limpin
