New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
LG-12873: Annotate reCAPTCHA assessments with MFA results #10522
Conversation
changelog: Internal, Spam Mitigation, Annotate reCAPTCHA assessments with MFA results
72aa333
to
2caded9
Compare
Maybe temporarily, clarifying best practices
This is ready for review now. I've also tested this against real reCAPTCHA Enterprise which revealed some necessary changes in c0ef243, but worked successfully afterward. Let me know if you'd like to test the real Enterprise and I can get you set up with it. |
app/services/analytics_events.rb
Outdated
# @param [String] reason Reason for annotating the assessment | ||
# @param [String] annotation Type of annotation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# @param [String] reason Reason for annotating the assessment | |
# @param [String] annotation Type of annotation | |
# @param ["INITIATED_TWO_FACTOR","PASSED_TWO_FACTOR"] reason Reason for annotating the assessment | |
# @param ["LEGITIMATE","FRAUDULENT"] annotation Type of annotation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've only implemented a handful we're currently using, but technically there could be as many as 15 reasons and 5 annotations, unsure how scalable that is to repeat them out here? Would be nice if we could somehow reference an external type similar to what can be done with exporting / importing types in TypeScript.
Maybe I'll just add the specific strings and we can sort out later if/when we add more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indirectly addressed through dcc31d1, though maybe Hash
could be a more specific type in the YARDoc with how it's embedded in existing events.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
now this event is not logged at all (or referenced by the other events), should we remove it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, we should. Good catch..
app/controllers/two_factor_authentication/otp_verification_controller.rb
Outdated
Show resolved
Hide resolved
otp_delivery_preference: otp_delivery_method( | ||
nil, | ||
@new_phone_form.phone, | ||
@new_phone_form.otp_delivery_preference, | ||
), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe it's time to refactor otp_delivery_method
? It's only used in this file, and the first argument is completely dropped anyways? Seems like a good use case for keyword args too IMO
Could also be a good follow-up option
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I did a light refactoring here since this method prompt_to_confirm_phone
was strangely parameterized despite being unnecessary to do so, making it difficult to extend. Maybe this method and otp_delivery_method
were reused previously, when there were separate controllers between account creation vs. dashboard phone creation.
There's a lot of this phone stuff I'd like to refactor (especially phone-specific stuff in TwoFactorAuthenticationController
), so probably save for a follow-up.
spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb
Outdated
Show resolved
Hide resolved
See: #10522 (comment) Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>
As of dcc31d1, annotation details are now embedded in related event as property hash
馃帿 Ticket
LG-12873
馃洜 Summary of changes
Updates phone setup flow to annotate a reCAPTCHA assessment after the user initiates and completes phone setup.
Related resources:
馃摐 Testing Plan
Verify that you see events for annotating an assessment upon initiating and completing phone setup:
make run
andmake watch_events
running in parallel in two separate terminal processes+610491570006
an eventthat therecaptcha_assessment_annotated
Telephony: OTP sent
event includes anrecaptcha_annotation
with non-nullassessment_id
and areason
of'INITIATED_TWO_FACTOR'
an eventthat therecaptcha_assessment_annotated
Multi-factor authentication: Phone added
event includes anrecaptcha_annotation
with non-nullassessment_id
, areason
of'PASSED_TWO_FACTOR'
, and aannotation
of'LEGITIMATE'