LG-14216: Implement configurable percent tested reCAPTCHA at sign-in #11148

Merged: aduth merged 22 commits into main from aduth-lg-14216-recaptcha-pct on Aug 30, 2024

@aduth aduth commented Aug 26, 2024

🎫 Ticket

LG-14216

🛠 Summary of changes

Implements support to run a reCAPTCHA verification at sign-in for a configurable percentage of attempts.

📜 Testing Plan

Verify you're not subjected to reCAPTCHA if percent tested configured to 0%:

  1. Add in config/application.yml: sign_in_recaptcha_percent_tested: 0
  2. Restart make run
  3. Run make watch_events in a separate terminal process
  4. Go to http://localhost:3000 in an Incognito/Private Browsing window
  5. Sign in
  6. In logged events (make watch_events), observe: captcha_validation_performed: false

Verify you're subjected to reCAPTCHA if percent tested configured to 100%:

  1. Add in config/application.yml: sign_in_recaptcha_percent_tested: 100
  2. Restart make run
  3. Run make watch_events in a separate terminal process
  4. Go to http://localhost:3000 in an Incognito/Private Browsing window
  5. Sign in
  6. In logged events (make watch_events), observe: captcha_validation_performed: true and ab_tests.recaptcha_sign_in_bucket, plus an event for "reCAPTCHA verify result received"

Verify that you're not selected for A/B test when signing in from a known device:

  1. Add in config/application.yml: sign_in_recaptcha_percent_tested: 100
  2. Restart make run
  3. Run make watch_events in a separate terminal process
  4. Go to http://localhost:3000 in a browser you've previously signed in with
  5. Sign in
  6. In logged events (make watch_events), observe: "Email and Password Authentication" event does not include ab_tests.recaptcha_sign_in value

Verify that A/B test bucket is included in event properties if subjected to reCAPTCHA, for the following events.

  • Email and Password Authentication
  • IdV: doc auth verify proofing results
  • reCAPTCHA verify result received
  • user_suspension_confirmed
  • User Suspension: Suspended
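
A sketch of the percent-tested selection that the testing plan above exercises, as an added example that is not code from this pull request. The class name, the discriminator input and the bucket value are assumptions; only the `sign_in_recaptcha_percent_tested` setting and the event property names come from the page.

```ruby
require 'digest'

# Hypothetical helper (not identity-idp code): decides whether one sign-in
# attempt is subjected to reCAPTCHA under a percent-tested rollout.
class SignInRecaptchaSampler
  BUCKET = :sign_in_recaptcha # assumed bucket value, constructed for this example

  # percent_tested mirrors the sign_in_recaptcha_percent_tested setting.
  def initialize(percent_tested:)
    unless percent_tested.is_a?(Integer) && (0..100).cover?(percent_tested)
      raise ArgumentError, 'percent_tested must be an integer from 0 to 100'
    end
    @percent_tested = percent_tested
  end

  # discriminator: a value that is stable for the attempt (assumed here to be
  # a session identifier). Known devices are never enrolled in the test.
  def bucket(discriminator:, known_device:)
    return nil if known_device || discriminator.to_s.empty?

    # Hash to a slot in 0..99 so the same attempt gets the same decision on
    # every request and every server, without storing any state.
    slot = Digest::SHA256.hexdigest(discriminator.to_s)[0, 8].to_i(16) % 100
    slot < @percent_tested ? BUCKET : nil
  end

  # Properties shaped like the ones the testing plan looks for in events.
  # The bucket is logged only when the attempt was actually enrolled.
  def event_properties(discriminator:, known_device:)
    chosen = bucket(discriminator: discriminator, known_device: known_device)
    props = { captcha_validation_performed: !chosen.nil? }
    props[:ab_tests] = { recaptcha_sign_in_bucket: chosen } if chosen
    props
  end
end

if __FILE__ == $PROGRAM_NAME
  sampler = SignInRecaptchaSampler.new(percent_tested: 100)
  p sampler.event_properties(discriminator: 'constructed-session-1', known_device: false)
  p sampler.event_properties(discriminator: 'constructed-session-1', known_device: true)
end
```

Hashing a stable discriminator rather than calling a random number generator keeps a retried sign-in in the same bucket, so the logged bucket and the reCAPTCHA decision cannot disagree between requests.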

@aduth aduth marked this pull request as ready for review August 29, 2024 14:55
@aduth aduth requested a review from a team August 29, 2024 14:56
@kevinsmaster5 kevinsmaster5 left a comment

LGTM
Tested locally and behaves as expected.

aduth and others added 22 commits August 30, 2024 08:26
changelog: Upcoming Features, Fraud Prevent, Implement configurable percent tested reCAPTCHA at sign-in
Move contextual arguments to constructor
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
See: #11148 (comment)
Co-Authored-By: Zach Margolis <zachmargolis@users.noreply.github.com>
A/B test constants are defined before the stubs go into effect, so they'll use the default even if stubbed with something different. Reload A/B tests after stub goes into effect / is torn down to force configuration to be used.
@aduth aduth force-pushed the aduth-lg-14216-recaptcha-pct branch from 9e03bf2 to 4799980 Compare August 30, 2024 12:31
@aduth aduth merged commit 833b9e3 into main Aug 30, 2024
@aduth aduth deleted the aduth-lg-14216-recaptcha-pct branch August 30, 2024 13:44