Add phone verification

components/gitpod-protocol/src/gitpod-service.ts

@@ -82,6 +82,9 @@ export interface GitpodServer extends JsonRpcServer<GitpodClient>, AdminServer,
     getLoggedInUser(): Promise<User>;
     getTerms(): Promise<Terms>;
     updateLoggedInUser(user: Partial<User>): Promise<User>;
+    needsVerification(): Promise<boolean>;
+    sendPhoneNumberVerificationToken(phoneNumber: string): Promise<void>;
+    verifyPhoneNumberVerificationToken(phoneNumber: string, token: string): Promise<boolean>;
     getAuthProviders(): Promise<AuthProviderInfo[]>;
     getOwnAuthProviders(): Promise<AuthProviderEntry[]>;
     updateOwnAuthProvider(params: GitpodServer.UpdateOwnAuthProviderParams): Promise<AuthProviderEntry>;
@@ -378,7 +381,7 @@ export const createServerMock = function <C extends GitpodClient, S extends Gitp
         get: (target: S, property: keyof S) => {
             const result = target[property];
             if (!result) {
-                throw new Error(`Method ${property} not implemented`);
+                throw new Error(`Method ${property.toString()} not implemented`);
             }
             return result;
         },

components/gitpod-protocol/src/messaging/error.ts

@@ -26,6 +26,9 @@ export namespace ErrorCodes {
     // 410 No User
     export const SETUP_REQUIRED = 410;
 
+    // 411 No User
+    export const NEEDS_VERIFICATION = 411;
+
     // 429 Too Many Requests
     export const TOO_MANY_REQUESTS = 429;
 

components/gitpod-protocol/src/protocol.ts

@@ -215,6 +215,8 @@ export interface ProfileDetails {
     companyName?: string;
     // the user's email
     emailAddress?: string;
+    // verified
+    verifiedPhoneNumber?: string;
 }
 
 export interface EmailNotificationSettings {

components/server/ee/src/container-module.ts

@@ -61,6 +61,7 @@ import { SnapshotService } from "./workspace/snapshot-service";
 import { BitbucketAppSupport } from "./bitbucket/bitbucket-app-support";
 import { UserCounter } from "./user/user-counter";
 import { BitbucketServerApp } from "./prebuilds/bitbucket-server-app";
+import { PhoneVerificationService } from "../../src/auth/phone-verification-service";
 
 export const productionEEContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
     rebind(Server).to(ServerEE).inSingletonScope();
@@ -81,6 +82,7 @@ export const productionEEContainerModule = new ContainerModule((bind, unbind, is
     bind(BitbucketAppSupport).toSelf().inSingletonScope();
     bind(GitHubEnterpriseApp).toSelf().inSingletonScope();
     bind(BitbucketServerApp).toSelf().inSingletonScope();
+    bind(PhoneVerificationService).toSelf().inSingletonScope();
 
     bind(UserCounter).toSelf().inSingletonScope();
 

components/server/ee/src/user/eligibility-service.ts

@@ -23,10 +23,12 @@ import { AccountStatementProvider, CachedAccountStatement } from "./account-stat
 import { EMailDomainService } from "../auth/email-domain-service";
 import fetch from "node-fetch";
 import { Config } from "../../../src/config";
+import { PhoneVerificationService } from "../../../src/auth/phone-verification-service";
 
 export interface MayStartWorkspaceResult {
     hitParallelWorkspaceLimit?: HitParallelWorkspaceLimit;
     enoughCredits: boolean;
+    needsPhoneNumberVerification?: boolean;
 }
 
 export interface HitParallelWorkspaceLimit {
@@ -57,6 +59,7 @@ export class EligibilityService {
     @inject(AccountStatementProvider) protected readonly accountStatementProvider: AccountStatementProvider;
     @inject(TeamSubscriptionDB) protected readonly teamSubscriptionDb: TeamSubscriptionDB;
     @inject(TeamSubscription2DB) protected readonly teamSubscription2Db: TeamSubscription2DB;
+    @inject(PhoneVerificationService) protected readonly phoneVerificationService: PhoneVerificationService;
 
     /**
      * Whether the given user is recognized as a student within Gitpod
@@ -160,14 +163,16 @@ export class EligibilityService {
                 return undefined;
             }
         };
-        const [enoughCredits, hitParallelWorkspaceLimit] = await Promise.all([
+        const [enoughCredits, hitParallelWorkspaceLimit, needsPhoneNumberVerification] = await Promise.all([
             this.checkEnoughCreditForWorkspaceStart(user.id, date, runningInstances),
             hasHitParallelWorkspaceLimit(),
+            this.phoneVerificationService.needsVerification(user),
         ]);
 
         return {
             enoughCredits: !!enoughCredits,
             hitParallelWorkspaceLimit,
+            needsPhoneNumberVerification,
         };
     }
 

components/server/ee/src/workspace/gitpod-server-impl.ts

@@ -241,6 +241,9 @@ export class GitpodServerEEImpl extends GitpodServerImpl {
         await super.mayStartWorkspace(ctx, user, runningInstances);
 
         const result = await this.eligibilityService.mayStartWorkspace(user, new Date(), runningInstances);
+        if (result.needsPhoneNumberVerification) {
+            throw new ResponseError(ErrorCodes.NEEDS_VERIFICATION, `Please verify your account.`);
+        }
         if (!result.enoughCredits) {
             throw new ResponseError(
                 ErrorCodes.NOT_ENOUGH_CREDIT,

components/server/package.json

@@ -78,6 +78,7 @@
     "reflect-metadata": "^0.1.10",
     "stripe": "^9.0.0",
     "swot-js": "^1.0.3",
+    "twilio": "^3.78.0",
     "uuid": "^8.3.2",
     "vscode-ws-jsonrpc": "^0.2.0",
     "ws": "^7.4.6"

components/server/src/auth/phone-verification-service.ts

@@ -0,0 +1,61 @@
+/**
+ * Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License-AGPL.txt in the project root for license information.
+ */
+
+import { User } from "@gitpod/gitpod-protocol";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { inject, injectable, postConstruct } from "inversify";
+import { Config } from "../config";
+import { Twilio } from "twilio";
+import { ServiceContext } from "twilio/lib/rest/verify/v2/service";
+import { WorkspaceDB } from "@gitpod/gitpod-db/lib";
+
+@injectable()
+export class PhoneVerificationService {
+    @inject(Config) protected config: Config;
+    @inject(WorkspaceDB) protected workspaceDB: WorkspaceDB;
+
+    protected verifyService: ServiceContext;
+
+    @postConstruct()
+    protected initialize(): void {
+        if (this.config.phoneVerification) {
+            const client = new Twilio(
+                this.config.phoneVerification.accountSID,
+                this.config.phoneVerification.authToken,
+            );
+            this.verifyService = client.verify.v2.services(this.config.phoneVerification.serviceName);
+        }
+    }
+
+    public async needsVerification(user: User): Promise<boolean> {
+        if (!this.config.phoneVerification) {
+            return false;
+        }
+        if (!!user.additionalData?.profile?.verifiedPhoneNumber) {
+            return false;
+        }
+        return true;
+    }
+
+    public async sendVerificationToken(phoneNumber: string): Promise<void> {
+        if (!this.verifyService) {
+            throw new Error("No verification service configured.");
+        }
+        const verification = await this.verifyService.verifications.create({ to: phoneNumber, channel: "sms" });
+        log.info("Verification code sent", { phoneNumber, status: verification.status });
+    }
+
+    public async verifyVerificationToken(phoneNumber: string, oneTimePassword: string): Promise<boolean> {
+        if (!this.verifyService) {
+            throw new Error("No verification service configured.");
+        }
+        const verification_check = await this.verifyService.verificationChecks.create({
+            to: phoneNumber,
+            code: oneTimePassword,
+        });
+        return verification_check.status === "approved";
+    }
+}

components/server/src/auth/rate-limiter.ts

@@ -51,6 +51,9 @@ function getConfig(config: RateLimiterConfig): RateLimiterConfig {
         getLoggedInUser: { group: "default", points: 1 },
         getTerms: { group: "default", points: 1 },
         updateLoggedInUser: { group: "default", points: 1 },
+        needsVerification: { group: "default", points: 1 },
+        sendPhoneNumberVerificationToken: { group: "default", points: 1 },
+        verifyPhoneNumberVerificationToken: { group: "default", points: 1 },
         getAuthProviders: { group: "default", points: 1 },
         getOwnAuthProviders: { group: "default", points: 1 },
         updateOwnAuthProvider: { group: "default", points: 1 },

components/server/src/config.ts

@@ -178,6 +178,12 @@ export interface ConfigSerialized {
      * considered inactive.
      */
     inactivityPeriodForRepos?: number;
+
+    phoneVerification?: {
+        serviceName: string;
+        accountSID: string;
+        authToken: string;
+    };
 }
 
 export namespace ConfigFile {

components/server/src/workspace/gitpod-server-impl.ts

@@ -169,6 +169,7 @@ import { Currency } from "@gitpod/gitpod-protocol/lib/plans";
 import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
 import { BillableSession } from "@gitpod/gitpod-protocol/lib/usage";
 import { WorkspaceClusterImagebuilderClientProvider } from "./workspace-cluster-imagebuilder-client-provider";
+import { PhoneVerificationService } from "../auth/phone-verification-service";
 
 // shortcut
 export const traceWI = (ctx: TraceContext, wi: Omit<LogContext, "userId">) => TraceContext.setOWI(ctx, wi); // userId is already taken care of in WebsocketConnectionManager
@@ -237,6 +238,8 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
     @inject(IDEConfigService) protected readonly ideConfigService: IDEConfigService;
 
+    @inject(PhoneVerificationService) protected readonly phoneVerificationService: PhoneVerificationService;
+
     /** Id the uniquely identifies this server instance */
     public readonly uuid: string = uuidv4();
     public readonly clientMetadata: ClientMetadata;
@@ -457,6 +460,37 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
         return user;
     }
 
+    public async needsVerification(ctx: TraceContext): Promise<boolean> {
+        const user = this.checkUser("needsVerification");
+        return this.phoneVerificationService.needsVerification(user);
+    }
+
+    public async sendPhoneNumberVerificationToken(ctx: TraceContext, phoneNumber: string): Promise<void> {
+        this.checkUser("sendPhoneNumberVerificationToken");
+        return this.phoneVerificationService.sendVerificationToken(phoneNumber);
+    }
+
+    public async verifyPhoneNumberVerificationToken(
+        ctx: TraceContext,
+        phoneNumber: string,
+        token: string,
+    ): Promise<boolean> {
+        const user = this.checkUser("verifyPhoneNumberVerificationToken");
+        const checked = await this.phoneVerificationService.verifyVerificationToken(phoneNumber, token);
+        if (!checked) {
+            return false;
+        }
+        if (!user.additionalData) {
+            user.additionalData = {};
+        }
+        if (!user.additionalData?.profile) {
+            user.additionalData.profile = {};
+        }
+        user.additionalData.profile.verifiedPhoneNumber = phoneNumber;
+        await this.userDB.updateUserPartial(user);
+        return true;
+    }
+
     public async getClientRegion(ctx: TraceContext): Promise<string | undefined> {
         this.checkUser("getClientRegion");
         return this.clientHeaderFields?.clientRegion;