
Log when a user is assigned an Arkose risk band

Eugie Limpin requested to merge el-log-user-assigned-arkose-risk-band-event into master

Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/780

What does this MR do and why?

We are currently logging every time Arkose session token verification succeeds (Arkose::Logger#log_successful_token_verification). However, session token verification happens every time a user is subjected to an Arkose challenge, which can happen multiple times during signup and identity verification flows (e.g. before attempting a phone number / credit card verification or when the phone number transactions hard limit is exceeded), so it is currently difficult to filter logs for 'user created with risk band=<{Low,Medium,High}>' events.

This MR introduces logging when a user is assigned an Arkose risk band.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

How to set up and validate locally

  1. Start GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start

  2. Enable FFs and update required settings

    $ rails c
    > Feature.enable(:identity_verification)
    > ApplicationSetting.first.update(email_confirmation_setting: 'hard', require_admin_approval_after_user_signup: false)

  3. Set up Arkose

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY")

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  4. Tail logs

    tail -f log/application_json.log

  5. Go to http://localhost:3000/users/sign_up, fill in the signup form, and then click Register

  6. Verify that a log similar to the following is recorded

    {
      "severity": "INFO",
      "time": "2024-06-19T07:34:51.624Z",
      "correlation_id": "01J0QPPXNN5T8G3EFQ8MKVCF5X",
      "meta.caller_id": "RegistrationsController#create",
      ...
      "message": "Arkose risk band assigned to user",
      "response": ...,
      "username": "jun24198",
      "email_domain": "ex.com",
      "arkose.session_id": "62417da578b235392.8872493304",
      "arkose.session_is_legit": false,
      ...
      "arkose.risk_band": "Medium",
      "arkose.risk_category": "FRD-FRM",
      "arkose.challenge_type": "visual",
      "arkose.country": "PH",
      "arkose.is_bot": false,
      "arkose.is_vpn": false,
      ...
    }

Edited by Eugie Limpin
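
The filtering this MR is meant to enable, as an added example that is not part of the MR or of GitLab's code: it selects only the "Arkose risk band assigned to user" events from JSON log lines and tallies them by risk band. The log lines are constructed; only the message text and the `username` and `arkose.risk_band` keys are taken from the sample entry above, and the function names are hypothetical.

```ruby
require 'json'

# Message text taken from the sample log entry in the MR description.
RISK_BAND_ASSIGNED = 'Arkose risk band assigned to user'

# Constructed sample lines in the shape of log/application_json.log.
# The second line's message is a made-up stand-in for any other Arkose
# event that also carries a risk band (e.g. a repeated token verification).
SAMPLE_LOG = <<~LOG
  {"severity":"INFO","message":"Arkose risk band assigned to user","username":"jun24198","email_domain":"ex.com","arkose.risk_band":"Medium"}
  {"severity":"INFO","message":"constructed: other Arkose event","username":"jun24198","arkose.risk_band":"Medium"}
  {"severity":"INFO","message":"Arkose risk band assigned to user","username":"user_a","email_domain":"ex.com","arkose.risk_band":"High"}
  {"severity":"INFO","message":"Arkose risk band assigned to user","username":"user_b","email_domain":"ex.org","arkose.risk_band":"Low"}
  this line is not JSON (truncated write)
  {"severity":"INFO","message":"Arkose risk band assigned to user","username":"user_c","email_domain":"ex.com","arkose.risk_band":"High"}
LOG

# Parse one log line; return nil for anything that is not valid JSON.
def parse_line(line)
  JSON.parse(line)
rescue JSON::ParserError
  nil
end

# Return only the risk-band assignment events, one Hash per event.
# Accepts anything that responds to each_line (String, File, IO).
def risk_band_events(lines)
  lines.each_line.filter_map do |line|
    event = parse_line(line)
    event if event.is_a?(Hash) && event['message'] == RISK_BAND_ASSIGNED
  end
end

# Count assignments per risk band; events without the key count as "unknown".
def count_by_risk_band(lines)
  risk_band_events(lines).map { |e| e.fetch('arkose.risk_band', 'unknown') }.tally
end

# Usernames assigned a given risk band, in log order.
def usernames_in_band(lines, band)
  risk_band_events(lines).select { |e| e['arkose.risk_band'] == band }.map { |e| e['username'] }
end

if __FILE__ == $PROGRAM_NAME
  puts count_by_risk_band(SAMPLE_LOG).inspect
  puts usernames_in_band(SAMPLE_LOG, 'High').inspect
end
```

Matching on the message rather than on the presence of `arkose.risk_band` is what keeps repeated challenge events for the same user out of the per-band counts.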
