
Draft: Callout/notify detected compromised passwords in SaaS

What does this MR do and why?

Set a persistent callout in the web UI and send an email notification when a user on GitLab.com is detected at login as having a password that was previously included in a data breach.

References

#535207

Screenshots or screen recordings

Copy here is subject to change pending approval

Callout:

Screenshot_2025-04-19_at_16.34.12

Email:

Screenshot_2025-05-02_at_13.21.06

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:notify_breached_passwords)
  2. Make sure your GDK is EE and is simulating SaaS/GitLab.com
  3. Go to the login page
  4. Copy the session ID and CSRF token
  5. Use the curl command below, replacing the session cookie, CSRF token, username and password, to simulate the presence of the header:
    curl 'http://gdk.test:3000/users/sign_in' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Cache-Control: max-age=0' \
      -H 'Connection: keep-alive' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -b 'preferred_language=en; _gitlab_session=SESSIONCOOKIEHERE; perf_bar_enabled=true' \
      -H 'Exposed-Credential-Check: 1' \
      -H 'Origin: http://gdk.test:3000' \
      -H 'Referer: http://gdk.test:3000/users/sign_in' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36' \
      --data-raw 'authenticity_token=CSRFTOKENHERE&user%5Blogin%5D=USERNAMEHERE&user%5Bpassword%5D=PASSWORDHERE' \
      --insecure
  6. Sign in again in the browser and observe the callout present on the dashboard
  7. Check the email that was sent using Letter Opener (/rails/letter_opener)
  8. Follow the callout button to change your password
  9. Sign in again and observe that the callout is no longer present
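The behaviour exercised by the steps above, modelled as a small Ruby illustration that is added here and is not the MR's code: a feature-flag gate, detection of the `Exposed-Credential-Check: 1` header at sign-in, a callout that persists across sessions, one notification email per detection, and dismissal on password change. The `BreachedPasswordNotifier` class, the `User` record, the plain-Hash headers and the "email once per detection" rule are assumptions for this example.

```ruby
require 'set'

# Stand-in for Feature.enable(:notify_breached_passwords) in the Rails console.
module Feature
  @enabled = Set.new
  def self.enable(flag)   = @enabled.add(flag)
  def self.disable(flag)  = @enabled.delete(flag)
  def self.enabled?(flag) = @enabled.include?(flag)
end

# Minimal user record (assumed): callouts persist until explicitly cleared,
# which is why a fresh browser sign-in still shows the callout.
class User
  attr_reader :username, :callouts, :emails_sent
  def initialize(username)
    @username    = username
    @callouts    = Set.new
    @emails_sent = []
  end
end

class BreachedPasswordNotifier
  HEADER  = 'Exposed-Credential-Check'.freeze # presence with value "1" flags the login
  CALLOUT = :breached_password

  # Run after a successful sign-in; `headers` is the request headers as a plain
  # Hash (assumption). Returns true when the callout is set for this user.
  def self.on_sign_in(user, headers)
    return false unless Feature.enabled?(:notify_breached_passwords)
    return false unless headers[HEADER] == '1'

    # Assumption: in production only a trusted edge sets this header; the GDK
    # curl step in this MR injects it directly to simulate that edge.
    already_flagged = user.callouts.include?(CALLOUT)
    user.callouts.add(CALLOUT)
    # Assumption: notify once per detection, not on every repeat login.
    user.emails_sent << { to: user.username, template: :breached_password } unless already_flagged
    true
  end

  # Changing the password is what dismisses the callout (steps 8 and 9).
  def self.on_password_change(user)
    user.callouts.delete(CALLOUT)
  end

  def self.callout_visible?(user)
    user.callouts.include?(CALLOUT)
  end
end
```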

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ruby Nealon
