Draft: Refactor common reCAPTCHA logic to be usable from services
What does this MR do?
UPDATE - this MR should not be needed, almost all of its intended changes are no longer required after Refactor SpamActionService and its usage
NOTE: This MR depends on !51840 (merged), and is rebased against its branch, BRANCH: refactor-spam-action-service
Overview
Refactor common reCAPTCHA logic out of spammable_actions.rb to be usable from service layer.
Adds support which will be used in subsequent MRs to implement the reCAPTCHA workflow via GraphQL.
Also backfills missing unit tests from the modified concerns.
See #217722 (closed) for an issue with full context on all planned implementation MRs.
See !50559 (closed) for a spike/Proof of Concept showing a full working implementation of the new reCAPTCHA GraphQL support.
Details
Some of the current logic to support GraphQL is in spammable_actions.rb
, which is a concern specific to the REST/Controller layer.
This MR extracts that logic to a common sharable concern, and adds a return value which will be used to communicate necessary spam/recaptcha information to the calling services in the service layer.
Tasks
-
Backfill missing unit tests for spammable_actions.rb
-
Backfill missing unit tests for spam_action_service.rb
-
Add new app/services/concerns/spam_recaptcha_support.rb
concern -
Move the #ensure_spam_config_loaded!
method to the new concern -
Move the direct call to the recaptcha
gem's#verify_recaptcha
to the new concern -
Move the #render_recaptcha?
method to the new concern. -
Add support for handling the (currently unused) @recaptcha_response
tofilter_spam_check_params
-
Add a (currently unused) hash return value to SpamCheckMethods#spam_check
, which contains fields which will be necessary for the service-layer/GraphQL-based reCAPTCHA workflow. -
Move logic from SpamActionService
constructor toexecute
method, so that it can be more easily mocked viaexpect_next_instance_of
.
Exploratory Testing
See instructions for testing reCAPTCHA via GraphQL in Testing Notes section of issue: #217722 (closed)
UI
-
Issue create without recaptcha -
Issue create with recaptcha -
Issue update without recaptcha -
Issue update with recaptcha
REST API
-
Issue create without recaptcha -
Issue create with recaptcha (FAILS, currently unsupported) -
Issue update without recaptcha -
Issue update with recaptcha (FAILS, currently unsupported)
GraphQL API
-
Issue create without recaptcha -
Issue create with recaptcha (Not possible (?), never flagged as spam because service doesn't set request in params - asked for confirmation in Slack) -
Issue update without recaptcha -
Issue update with recaptcha (Not possible (?), never flagged as spam because service doesn't set request in params - asked for confirmation in Slack)
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- [-] Documentation (if required)
-
Code review guidelines - [-] Merge request performance guidelines
-
Style guides - [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. - [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention
@gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Related Issues
- Relates: #217722 (closed)
- Relates: !50559 (closed)