LG-12873: Annotate reCAPTCHA assessments with MFA results

[aduth]

🎫 Ticket

LG-12873

🛠 Summary of changes

Updates phone setup flow to annotate a reCAPTCHA assessment after the user initiates and completes phone setup.

Related resources:

• https://cloud.google.com/recaptcha-enterprise/docs/annotate-assessment

📜 Testing Plan

Verify that you see events for annotating an assessment upon initiating and completing phone setup:

1. Have make run and make watch_events running in parallel in two separate terminal processes
2. Visit http://localhost:3000
3. Sign in or create an account
4. When possible, add a phone to your account (clicking "Add phone number" at the account dashboard if signing in, or choosing "Text or voice message" at the MFA selection screen during account creation)
5. Enter an international phone number, e.g. +610491570006
6. Click "Send code"
7. Observe an event recaptcha_assessment_annotated that the Telephony: OTP sent event includes an recaptcha_annotation with non-null assessment_id and a reason of 'INITIATED_TWO_FACTOR'
8. Click "Submit" to submit the one-time code
9. Observe an event recaptcha_assessment_annotated that the Multi-factor authentication: Phone added event includes an recaptcha_annotation with non-null assessment_id, a reason of 'PASSED_TWO_FACTOR', and a annotation of 'LEGITIMATE'

[aduth]

This is ready for review now. I've also tested this against real reCAPTCHA Enterprise which revealed some necessary changes in c0ef243, but worked successfully afterward. Let me know if you'd like to test the real Enterprise and I can get you set up with it.

[zachmargolis]

Suggested change

	# @param [String] reason Reason for annotating the assessment
	# @param [String] annotation Type of annotation
	# @param ["INITIATED_TWO_FACTOR","PASSED_TWO_FACTOR"] reason Reason for annotating the assessment
	# @param ["LEGITIMATE","FRAUDULENT"] annotation Type of annotation

[aduth]

I've only implemented a handful we're currently using, but technically there could be as many as 15 reasons and 5 annotations, unsure how scalable that is to repeat them out here? Would be nice if we could somehow reference an external type similar to what can be done with exporting / importing types in TypeScript.

Maybe I'll just add the specific strings and we can sort out later if/when we add more.

[aduth]

Indirectly addressed through dcc31d1, though maybe Hash could be a more specific type in the YARDoc with how it's embedded in existing events.

[zachmargolis]

now this event is not logged at all (or referenced by the other events), should we remove it?

[aduth]

Yep, we should. Good catch..

[zachmargolis]

maybe it's time to refactor otp_delivery_method? It's only used in this file, and the first argument is completely dropped anyways? Seems like a good use case for keyword args too IMO

Could also be a good follow-up option

[aduth]

Yeah I did a light refactoring here since this method prompt_to_confirm_phone was strangely parameterized despite being unnecessary to do so, making it difficult to extend. Maybe this method and otp_delivery_method were reused previously, when there were separate controllers between account creation vs. dashboard phone creation.

There's a lot of this phone stuff I'd like to refactor (especially phone-specific stuff in TwoFactorAuthenticationController), so probably save for a follow-up.