gitlab-foss/doc/development/identity_verification.md
2025-05-30 00:20:13 +00:00

stage: Software Supply Chain Security
group: Authorization
info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/development/development_processes/#development-guidelines-review.
title: Identity verification development

For information on this feature that is not development-specific, see the feature documentation.

Logging

You can triage and debug issues raised by identity verification with the GitLab production logs.

View logs associated with a user and email verification

To view logs associated with the email stage for a user:

  • Query the GitLab production logs with the following KQL:

    json.controller:"RegistrationsIdentityVerificationController" AND json.username:replace_username_here
    

Valuable debugging information can be found in the json.action and json.location columns.

View logs associated with a user and phone verification

To view logs associated with the phone stage for a user:

  • Query the GitLab production logs with the following KQL:

    json.message: "IdentityVerification::Phone" AND json.username:replace_username_here
    

On rows where json.event is Failed Attempt, you can find valuable debugging information in the json.reason column such as:

| Reason | Description |
|--------|-------------|
| invalid_phone_number | Either there was a typo in the phone number, or the user used a VOIP number. GitLab does not allow users to sign up with non-mobile phone numbers. |
| invalid_code | The user entered an incorrect verification code. |
| rate_limited | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
| related_to_banned_user | The user tried a phone number already related to a banned user. |

View Telesign SMS status update logs

To view Telesign status update logs for SMS sent to a user, query the GitLab production logs with:

json.message: "IdentityVerification::Phone" AND json.event: "Telesign transaction status update" AND json.username:<username>

Status update logs include the following fields:

| Field | Description |
|-------|-------------|
| telesign_status | Delivery status of the SMS. See the Telesign documentation for possible status codes and their descriptions. |
| telesign_status_updated_on | A timestamp indicating when the SMS delivery status was last updated. |
| telesign_errors | Errors that occurred during delivery. See the Telesign documentation for possible error codes and their descriptions. |

View logs associated with a user and credit card verification

To view logs associated with the credit card stage for a user:

  • Query the GitLab production logs with the following KQL:

    json.message: "IdentityVerification::CreditCard" AND json.username:replace_username_here
    

On rows where json.event is Failed Attempt, you can find valuable debugging information in the json.reason column such as:

| Reason | Description |
|--------|-------------|
| rate_limited | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
| related_to_banned_user | The user tried a credit card number already related to a banned user. |
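
A triage helper for the Failed Attempt rows described in the phone and credit card sections above, added here as an example (it is not part of GitLab's code base). It assumes the matching rows were exported as one JSON object per line with the `json.` prefix dropped from the key names; the sample rows, the function names, and the grouping of rate_limited and related_to_banned_user as abuse-control reasons are constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Log message markers taken from the KQL queries on this page.
STAGES = {"IdentityVerification::Phone": "phone",
          "IdentityVerification::CreditCard": "credit_card"}
# Example-only grouping: reasons that reflect an abuse control, not a typo.
ABUSE_REASONS = {"rate_limited", "related_to_banned_user"}
# Constructed sample rows (not real logs); assumed shape: keys without "json.".
SAMPLE_EXPORT = """
{"message": "IdentityVerification::Phone", "event": "Failed Attempt", "username": "user_a", "reason": "invalid_code"}
{"message": "IdentityVerification::Phone", "event": "Failed Attempt", "username": "user_a", "reason": "invalid_code"}
{"message": "IdentityVerification::Phone", "event": "Failed Attempt", "username": "user_a", "reason": "rate_limited"}
{"message": "IdentityVerification::Phone", "event": "Telesign transaction status update", "username": "user_a"}
{"message": "IdentityVerification::CreditCard", "event": "Failed Attempt", "username": "user_b", "reason": "related_to_banned_user"}
{"message": "IdentityVerification::Phone", "event": "Failed Attempt", "username": "user_c", "reason": "invalid_phone_number"}
{"message": "IdentityVerification::Phone", "event": "Failed Att
"""


def summarize_failures(export_text):
    """Count Failed Attempt reasons per (username, stage)."""
    counts = defaultdict(Counter)
    for line in export_text.splitlines():
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated export line
        if not isinstance(row, dict) or row.get("event") != "Failed Attempt":
            continue  # status updates and other events are not failures
        stage = next((name for marker, name in STAGES.items()
                      if marker in str(row.get("message", ""))), None)
        if stage is None:
            continue
        key = (row.get("username", "<unknown>"), stage)
        counts[key][row.get("reason", "<missing>")] += 1
    return dict(counts)


def abuse_control_hits(counts):
    """Return sorted (username, stage, reason) rows that hit an abuse control."""
    return sorted((user, stage, reason)
                  for (user, stage), reasons in counts.items()
                  for reason in reasons if reason in ABUSE_REASONS)


if __name__ == "__main__":
    for hit in abuse_control_hits(summarize_failures(SAMPLE_EXPORT)):
        print(*hit)
```
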

View logs associated with high-risk users

To view logs associated with the credit card stage for high-risk users:

  • Query the GitLab production logs with the following KQL:

    json.controller:"GitlabSubscriptions::SubscriptionsController" AND json.action:"payment_form" AND json.params.value:"cc_registration_validation"
    

Code walkthrough

For a walkthrough and high-level explanation of the code, see Identity Verification - Code walkthrough.

QA Integration

For end-to-end production and staging tests to function properly, GitLab allows QA users to bypass Account email Verification when:

  • The User-Agent for the request matches the configured GITLAB_QA_USER_AGENT.
  • Disable email verification

Additional resources

The Anti-abuse team owns identity verification. You can join our channel on Slack: #g_anti-abuse.

For help with Telesign: