
Only redirect identity verified users for HTML requests

Ian Anderson requested to merge ia-credit-card-verification-redirect-bug into master

What does this MR do and why?

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/725

This MR fixes a bug where a user is not redirected to their previous location after verifying their identity. In order to determine where to redirect the user we set the identity_verification_referer session variable and delete it when we perform the redirect. There is a before action on the identity verification controllers that checks to make sure that a user is eligible for identity verification and redirects back to where they came from if not. Unfortunately, there was an issue with credit card verification that caused the user to be redirected back to the root path.

Credit card verification is integrated with customers-dot. When a user verifies their credit card, the request is routed to customers-dot and a PUT request is sent back to the Rails app to record the successful card verification. Unfortunately, this results in a condition where the user becomes identity-verified, and when the JavaScript requests the verify_credit_card path it is redirected to the referrer. This causes the referrer to be deleted from the session, and the web app is then redirected to the root path.

To fix this issue we only redirect if the request is an HTML request. Otherwise, we return an empty JSON response with a 200 response code.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: broken-redirect (screen recording). After: fixed-redirect (screen recording).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Note: In order to verify this locally, your GDK needs to be configured to interact with customers-dot.

  1. Ensure GDK is running in SaaS mode.
    export GITLAB_SIMULATE_SAAS=1
  2. Update relevant application settings. Credentials are available in 1Password in the ArkoseLabs API keys vault. You should use the development credentials.
    ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
    ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
    ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: 'SECRET', arkose_labs_private_api_key: 'SECRET', arkose_labs_namespace: 'client')
    ::Gitlab::CurrentSettings.update(arkose_labs_data_exchange_key: 'SECRET')
    ::Gitlab::CurrentSettings.update(telesign_customer_xid: 'SECRET', telesign_api_key: 'SECRET')
  3. Enable the following feature flags.
    Feature.enable(:identity_verification_phone_number)
    Feature.enable(:identity_verification_credit_card)
    Feature.enable(:opt_in_identity_verification)
    Feature.enable(:ci_requires_identity_verification_on_free_plan)
  4. With a new user create a project and go to the pipelines list page. You should see a banner that identity verification is required.
  5. Go through the identity verification flow, making sure to verify your identity with a credit card instead of a phone number.
  6. When the identity verification process is complete you should be redirected back to the pipelines list page.
Edited by Eugie Limpin
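The following is an added example that models the before action described in this MR in plain Ruby; it is not GitLab's code and does not depend on Rails. The `Request` struct, the `redirect_if_verified` and `redirect_if_verified_before_fix` methods, and the `/group/project/-/pipelines` and `/users/identity_verification/...` paths are constructed stand-ins; only the `identity_verification_referer` session key and the `verify_credit_card` path name come from the description above. The simulation replays the sequence the MR describes: the JavaScript polls the credit card verification path (a JSON request) once the user is already verified, and then the browser navigates (an HTML request).

```ruby
require 'json'

# Constructed stand-in for the parts of a Rails request the before action inspects.
Request = Struct.new(:format, :path, keyword_init: true)

ROOT_PATH = '/'.freeze

# Fixed behaviour (hypothetical name): when the user is already verified, only an
# HTML request consumes the stored referer and redirects; any other format gets an
# empty JSON body with status 200 and leaves the session untouched.
def redirect_if_verified(session:, request:, user_verified:)
  return { action: :continue } unless user_verified

  if request.format == :html
    # Consume the referer so the next HTML request does not reuse it.
    target = session.delete(:identity_verification_referer) || ROOT_PATH
    { action: :redirect, location: target, status: 302 }
  else
    # JS/XHR polling must not consume the referer.
    { action: :render, status: 200, body: {}.to_json }
  end
end

# Buggy behaviour before the fix, for contrast: every request redirects and so
# deletes the referer, even when the caller is the JavaScript poll.
def redirect_if_verified_before_fix(session:, request:, user_verified:)
  return { action: :continue } unless user_verified

  target = session.delete(:identity_verification_referer) || ROOT_PATH
  { action: :redirect, location: target, status: 302 }
end

# Replays the sequence from the MR with a constructed session and two requests.
# Returns the JSON response, the HTML response and where the browser finally lands.
def simulate(handler)
  session = { identity_verification_referer: '/group/project/-/pipelines' }
  js_poll = Request.new(format: :json, path: '/users/identity_verification/verify_credit_card')
  html_nav = Request.new(format: :html, path: '/users/identity_verification')

  js_response = handler.call(session: session, request: js_poll, user_verified: true)
  html_response = handler.call(session: session, request: html_nav, user_verified: true)

  { js_response: js_response, html_response: html_response, final_location: html_response[:location] }
end

if $PROGRAM_NAME == __FILE__
  puts "before fix: browser lands on #{simulate(method(:redirect_if_verified_before_fix))[:final_location]}"
  puts "after fix:  browser lands on #{simulate(method(:redirect_if_verified))[:final_location]}"
end
```

Run it as a script to see the two outcomes side by side: before the fix the JSON poll eats the referer and the browser ends up on the root path; after the fix the poll receives `{}` with status 200 and the subsequent HTML navigation is redirected back to the pipelines page. The design point is that any state-consuming side effect (here, deleting the referer) belongs only on the request type that actually uses the result of that side effect.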
