Only redirect identity verified users for HTML requests
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/725
This MR fixes a bug where a user is not redirected to their previous location after verifying their identity. In order to determine where to redirect the user we set the `identity_verification_referer` session variable and delete it when we perform the redirect. There is a before action on the identity verification controllers that checks to make sure that a user is eligible for identity verification and redirects back to where they came from if not. Unfortunately, there was an issue with credit card verification that caused the user to be redirected back to the root path.

Credit card verification is integrated with `customers-dot`. When a user verifies their credit card the request is routed to customers-dot and a `PUT` request is sent back to the Rails app to record the successful card verification. Unfortunately, this results in a condition where the user becomes identity-verified and when the JavaScript requests the `verify_credit_card` path it is redirected to the referrer. This causes the referrer to be deleted in the session and the web app is then redirected to the root path.

To fix this issue we only redirect if the request is an HTML request. Otherwise, we return an empty JSON response with a `200` response code.
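An added Ruby model of the before-action logic described above (example code, not GitLab's own; the controller, request and path names are simplified stand-ins) that replays the request sequence with the old behaviour and with the fix:

```ruby
require 'json'

ROOT_PATH = '/'.freeze

# Stand-in for ActionDispatch::Request: only the requested format matters here.
Request = Struct.new(:format) do
  def html?
    self.format == :html
  end
end

# Models the before_action on the identity verification controllers.
# redirect_non_html: true reproduces the pre-MR behaviour; false is the fix.
class VerificationController
  attr_reader :response

  def initialize(session, user_verified:, redirect_non_html:)
    @session = session
    @user_verified = user_verified
    @redirect_non_html = redirect_non_html
  end

  def before_action(request)
    return :continue unless @user_verified # still eligible, let the action run

    if request.html? || @redirect_non_html
      # Redirecting consumes the stored referer, so it can only be used once.
      target = @session.delete(:identity_verification_referer) || ROOT_PATH
      @response = { status: 302, location: target }
    else
      # Fix: non-HTML (JSON/XHR) callers get an empty 200 and the referer survives.
      @response = { status: 200, body: {}.to_json }
    end
    :halt
  end
end

# Replays the sequence from the MR: the PUT from customers-dot has already marked
# the user verified when the JavaScript hits verify_credit_card, and the browser
# then follows the HTML redirect. Returns [status given to JS, final HTML location].
def replay(redirect_non_html:)
  session = { identity_verification_referer: '/my-group/my-project/-/pipelines' } # constructed
  js = VerificationController.new(session, user_verified: true, redirect_non_html: redirect_non_html)
  js.before_action(Request.new(:json))
  html = VerificationController.new(session, user_verified: true, redirect_non_html: redirect_non_html)
  html.before_action(Request.new(:html))
  [js.response[:status], html.response[:location]]
end
```

With the old behaviour the JSON call eats the referer and the HTML redirect lands on `/`; with the fix the JSON call gets a 200 and the HTML redirect returns to the pipelines page.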
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
broken-redirect | fixed-redirect |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Note: In order to verify this locally your GDK needs to be configured to interact with customers-dot.

- Ensure GDK is running in SaaS mode.

  ```shell
  export GITLAB_SIMULATE_SAAS=1
  ```

- Update the relevant application settings. Credentials are available in 1Password in the `ArkoseLabs API keys` vault. You should use the development credentials.

  ```ruby
  ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
  ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
  ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: 'SECRET', arkose_labs_private_api_key: 'SECRET', arkose_labs_namespace: 'client')
  ::Gitlab::CurrentSettings.update(arkose_labs_data_exchange_key: 'SECRET')
  ::Gitlab::CurrentSettings.update(telesign_customer_xid: 'SECRET', telesign_api_key: 'SECRET')
  ```

- Enable the following feature flags.

  ```ruby
  Feature.enable(:identity_verification_phone_number)
  Feature.enable(:identity_verification_credit_card)
  Feature.enable(:opt_in_identity_verification)
  Feature.enable(:ci_requires_identity_verification_on_free_plan)
  ```
- With a new user, create a project and go to the pipelines list page. You should see a banner that identity verification is required.
- Go through the identity verification flow, making sure to verify your identity with a credit card instead of a phone number.
- When the identity verification process is complete you should be redirected back to the pipelines list page.