Skip to content

Add backend for Account Ownership Verification PIN feature

Michael Trainorrequested to merge
user-security-pin into master

What does this MR do and why?

Related to #233164

This merge request implements the backend API endpoints,services, and User model methods for the Account Ownership Verification PIN feature. It adds the ability for users to generate and retrieve a temporary security PIN, and for administrators to retrieve a user's PIN for verification purposes.

The Account Ownership Verification PIN feature is needed to enhance security during support interactions. It provides a secure method for verifying account ownership without relying on sensitive personal information.

The pin exists in Redis only for a limited time (currently 24h).

  1. Create Support PIN (POST /api/v4/user/support_pin):
sequenceDiagram
    participant User
    participant API
    participant CreateService
    participant Redis

    User->>API: POST /api/v4/user/security_pin
    API->>API: Authenticate User
    API->>CreateService: Execute
    CreateService->>CreateService: Generate PIN
    CreateService->>Redis: Store PIN with TTL
    Redis-->>CreateService: Confirm Storage
    CreateService-->>API: Return PIN and Expiry
    API-->>User: Return PIN and Expiry
  1. Retrieve User's Own Support PIN (GET /api/v4/user/support_pin)
sequenceDiagram
    participant User
    participant API
    participant RetrieveService
    participant Redis

    User->>API: GET /api/v4/user/security_pin
    API->>API: Authenticate User
    API->>RetrieveService: Execute
    RetrieveService->>Redis: Get PIN
    Redis-->>RetrieveService: Return PIN (if exists)
    RetrieveService-->>API: Return PIN and Expiry
    API-->>User: Return PIN and Expiry (or Not Found)
  1. Admin Retrieve User's Support PIN (GET /api/v4/users/:id/support_pin)
sequenceDiagram
    participant Admin
    participant API
    participant RetrieveService
    participant Redis

    Admin->>API: GET /api/v4/users/:id/support_pin
    API->>API: Authenticate Admin
    API->>API: Validate User ID
    API->>RetrieveService: Execute
    RetrieveService->>Redis: Get PIN for User ID
    Redis-->>RetrieveService: Return PIN (if exists)
    RetrieveService-->>API: Return PIN and Expiry
    API-->>Admin: Return PIN and Expiry (or Not Found)

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Create a Support PIN for the authenticate user: curl -X POST -H "PRIVATE-TOKEN: glpat-XXXXXXXXXXXXXXXXX" "https://gitlab.example.com/api/v4/user/support_pin"
  2. Retrieve the current authenticated user's Support PIN: curl -X GET -H "PRIVATE-TOKEN: glpat-XXXXXXXXXXXXXXXXX" "https://gitlab.example.com/api/v4/user/support_pin"
  3. As admin, retrieve a specific user's Support PIN: curl -X GET -H "PRIVATE-TOKEN: glpat-XXXXXXXXXXXXXXXXX" "https://gitlab.example.com/api/v4/users/123/support_pin"
Edited by Michael Trainor

Merge request reports