fraud protection: Only count unverified otp in countries per ip bucket #5682

fraud protection: Only count unverified otp in countries per ip bucket

Author: carmenlau

…plans/fraud-protection-implementation.md …on/01-fraud-protection-implementation.mddocs/plans/fraud-protection-implementation.md renamed to docs/plans/fraud-protection/01-fraud-protection-implementation.md docs/plans/fraud-protection-implementation.md renamed to docs/plans/fraud-protection/01-fraud-protection-implementation.md

@@ -0,0 +1,167 @@
+# Fraud Protection: Exclude Verified Countries from IP-Country Warning
+
+## Summary
+
+Adjust `SMS__PHONE_COUNTRIES__BY_IP__DAILY_THRESHOLD_EXCEEDED` so it counts only countries that have **no verified SMS OTP in the same 24h window**.
+
+If an IP has at least one verified OTP for a country during that window, that country is excluded from the distinct-country count. The threshold remains `3`.
+
+This is a behavior change only. No backward-compatibility work is required.
+
+## Runtime Change
+
+### Current behavior
+
+`pkg/lib/fraudprotection/leaky_bucket_store.go` currently tracks distinct phone countries per IP in the Redis ZSET keyed by:
+
+`app:{appID}:fraud_protection:ip_countries:{ip}`
+
+`RecordSMSOTPSent(...)` updates that ZSET and triggers `IPCountriesDaily` when the raw distinct-country count exceeds the fixed threshold.
+
+### New behavior
+
+Add a second Redis ZSET per IP to record countries that have at least one verified SMS OTP in the same 24h window:
+
+`app:{appID}:fraud_protection:ip_verified_countries:{ip}`
+
+The send-path warning becomes:
+
+1. Count distinct countries seen from the IP in the last 24h.
+2. Remove any country that appears in the verified-country ZSET for that IP.
+3. Trigger `SMS__PHONE_COUNTRIES__BY_IP__DAILY_THRESHOLD_EXCEEDED` only when the filtered count is `> 3`.
+
+### Interface Details
+
+#### `pkg/lib/fraudprotection/service.go`
+
+`LeakyBucketer` becomes:
+
+```go
+type LeakyBucketer interface {
+    RecordSMSOTPSent(ctx context.Context, ip, phoneCountry string, thresholds LeakyBucketThresholds) (LeakyBucketTriggered, LeakyBucketLevels, error)
+    RecordSMSOTPVerified(ctx context.Context, ip, phoneCountry string, thresholds LeakyBucketThresholds, count int) error
+    RecordSMSOTPVerifiedCountry(ctx context.Context, ip, phoneCountry string) error
+}
+```
+
+`Service.RecordSMSOTPVerified(ctx, phoneNumber)` keeps the current parse/write/drain flow, but now invokes the bucket store in this order:
+
+1. read `ip` from the request context and parse `phoneNumber` to get `phoneCountry`
+2. `Metrics.RecordVerified(ctx, ip, phoneCountry)`
+3. `LeakyBucket.RecordSMSOTPVerifiedCountry(ctx, ip, phoneCountry)`
+4. `RevertSMSOTPSent(ctx, phoneNumber, 1)`
+
+The verified-country update is a side effect of a successful SMS OTP consumption only. It is not part of the alt-auth revert path.
+
+This split matters because the lower-level `LeakyBucketStore.RecordSMSOTPVerified(...)` method is also used by `RevertSMSOTPSent(...)` to drain unverified OTPs that were sent during a flow but never consumed. If the same method also marked a country as verified, alt-auth cleanup would incorrectly promote unverified sends into the verified-country set.
+
+So the invariant is:
+
+- service-level `RecordSMSOTPVerified(...)` = actual verification event
+- store-level `RecordSMSOTPVerified(...)` = drain-only bookkeeping for verified and reverted counts
+- store-level `RecordSMSOTPVerifiedCountry(...)` = explicit marker for a real verified OTP
+
+#### `pkg/lib/fraudprotection/leaky_bucket_store.go`
+
+`leakyBucketScript` remains unchanged and continues to be used only for the four leaky buckets on the send path.
+
+`ipCountriesScript` remains the script that computes the IP-country warning on the send path. That is where the filtered distinct-country count is evaluated.
+
+The verified-country marker is implemented by `RecordSMSOTPVerifiedCountry(ctx, ip, phoneCountry)`, which writes to the IP-scoped verified-country ZSET. It can reuse the same 24h retention model as the send-path country ZSET, but it is intentionally a separate store method so the service can call it only for real OTP consumption, not for alt-auth cleanup.
+
+`RecordSMSOTPVerified(ctx, ip, phoneCountry, thresholds, count)` remains drain-only and is still used by `RevertSMSOTPSent(...)` for unverified OTP cleanup.
+
+The filtered IP-country count is computed in the send-path script, not in Go:
+
+```go
+res, err := conn.Eval(ctx, ipCountriesScript,
+    []string{s.ipCountriesKey(ip), s.ipVerifiedCountriesKey(ip)},
+    phoneCountry, now, ipCountriesThreshold, 2*bucketWindowDaily,
+).Slice()
+```
+
+`ipCountriesScript` is responsible for:
+
+1. `ZADD` the sent country into `ip_countries`
+2. prune expired entries from both `ip_countries` and `ip_verified_countries`
+3. `ZRANGE` both ZSETs and build a Lua lookup table for the verified countries
+4. count the distinct sent countries that are not present in the verified-country lookup table
+5. return `{filtered_count, triggered_int}`
+
+This keeps the send-path warning atomic with the country update and avoids a race between sent-country recording and verified-country exclusion.
+
+## File-Level Changes
+
+### `pkg/lib/fraudprotection/leaky_bucket_store.go`
+
+- Keep the existing `ip_countries` ZSET and the four leaky buckets unchanged.
+- Add a verified-country ZSET helper named `ipVerifiedCountriesKey(ip string) string`.
+- Add a new store method `RecordSMSOTPVerifiedCountry(ctx context.Context, ip, phoneCountry string) error`.
+- Keep `RecordSMSOTPVerified(...)` drain-only.
+- Update `RecordSMSOTPSent(...)` so the IP-country warning uses the filtered count described above.
+
+### `pkg/lib/fraudprotection/service.go`
+
+- Extend `LeakyBucketer` with the new verified-country recording method.
+- Update `Service.RecordSMSOTPVerified(...)` so the verified-OTP flow becomes:
+  1. parse the phone number
+  2. write the `sms_otp_verified` metric
+  3. call `RecordSMSOTPVerifiedCountry(...)`
+  4. call `RevertSMSOTPSent(..., 1)` to drain the leaky buckets through the existing path
+- Leave `CheckAndRecord(...)`, threshold computation, and warning mapping unchanged.
+
+### `docs/specs/fraud-protection.md`
+
+- Rewrite the `SMS__PHONE_COUNTRIES__BY_IP__DAILY_THRESHOLD_EXCEEDED` section to state that the warning counts only countries without a verified SMS OTP in the same 24h window.
+- Keep the threshold at `3`.
+
+## Test Plan
+
+### Unit tests
+
+#### `pkg/lib/fraudprotection/leaky_bucket_store_test.go`
+
+- Add coverage for the new verified-country key helper.
+- Add a case proving that a verified country is excluded from the IP-country count.
+- Add a case proving the verified-country marker respects the same 24h expiry behavior as the existing country set.
+- Keep the current regression that proves four unverified countries from one IP still trigger the warning.
+- Add a case proving `RecordSMSOTPVerifiedCountry(...)` is called only for actual verification, not for alt-auth cleanup.
+- Add a case proving `RevertSMSOTPSent(...)` still drains the buckets and does not mark verified countries.
+
+#### `pkg/lib/fraudprotection/service_test.go`
+
+- Extend the leaky-bucket stub with the new verified-country method.
+- Add a test that `RecordSMSOTPVerified(...)` records the verified-country marker and still drains the buckets.
+
+### E2E tests
+
+- Keep `e2e/tests/fraud_protection/sms_phone_countries_by_ip_daily.test.yaml` as the baseline regression for the unverified-country case.
+- Add a new e2e test under `e2e/tests/fraud_protection/` that:
+  - verifies one country first
+  - sends unverified OTPs to three other countries successfully
+  - blocks on the 4th unverified country
+  - proves the verified country does not contribute to the threshold
+
+## Assumptions
+
+- “In the period” means the existing 24h sliding window.
+- The verified-country marker is keyed by IP because the warning itself is IP-scoped.
+- Old Redis keys can expire naturally; no migration or backfill is needed.
+- No config schema, database schema, or generated code changes are required.
+
+## Implementation Order
+
+1. Add the verified-country Redis storage and filtered counting logic in `pkg/lib/fraudprotection/leaky_bucket_store.go`.
+2. Wire the new method through `pkg/lib/fraudprotection/service.go`.
+3. Update unit tests for store and service behavior.
+4. Update the fraud-protection spec text.
+5. Add the e2e regression test for the verified-country exclusion case.
+
+## Atomic Commits
+
+1. `fraud: exclude verified countries from SMS IP-country counting`
+   - Files: `pkg/lib/fraudprotection/leaky_bucket_store.go`, `pkg/lib/fraudprotection/service.go`, `pkg/lib/fraudprotection/leaky_bucket_store_test.go`, `pkg/lib/fraudprotection/service_test.go`
+   - Scope: storage, service wiring, and unit coverage.
+2. `doc,e2e: update SMS IP-country fraud protection semantics`
+   - Files: `docs/specs/fraud-protection.md`, `e2e/tests/fraud_protection/*.test.yaml`
+   - Scope: spec wording and end-to-end regression coverage.

docs/plans/fraud-protection/02-fraud-protection-verified-country-exclusion.md

@@ -104,6 +104,8 @@ Examples:
 #### SMS__PHONE_COUNTRIES__BY_IP__DAILY_THRESHOLD_EXCEEDED
 Check if the number of distinct countries of requested phone numbers from a single IP exceeds the threshold in 24 hours.
 
+Only countries with no verified SMS OTP from the same IP in the same 24h window are counted. If an IP has at least one verified SMS OTP for a country during that window, that country is excluded from the distinct-country count.
+
 The threshold is 3.
 
 
@@ -349,4 +351,3 @@ fraud_protection:
       hook:
         url: authgeardeno:///deno/script.ts
 ```
-

docs/specs/fraud-protection.md

@@ -0,0 +1,99 @@
+name: Fraud protection - SMS phone countries by IP daily excludes verified country
+authgear.yaml:
+  override: |
+    fraud_protection:
+      decision:
+        action: deny_if_any_warning
+steps:
+  # Flow 1 - SG number, then successfully verify it. SG should no longer count
+  # toward the IP-country threshold for the same 24h window.
+  - name: flow 1 - create (SG)
+    action: create
+    input: |
+      {"type": "signup", "name": "default"}
+  - name: flow 1 - identify phone (SG)
+    action: input
+    input: |
+      {"identification": "phone", "login_id": "+6591230001"}
+  - name: flow 1 - send sms (SG)
+    action: input
+    input: |
+      {"channel": "sms"}
+    output:
+      result: |
+        {"action": {"type": "verify"}}
+  - name: flow 1 - verify otp (SG)
+    action: input
+    input: |
+      {"code": "111111"}
+
+  # Flows 2-4 are three distinct unverified countries from the same IP. All should
+  # still be allowed because the verified SG country is excluded from the count.
+  - name: flow 2 - create (HK)
+    action: create
+    input: |
+      {"type": "signup", "name": "default"}
+  - name: flow 2 - identify phone (HK)
+    action: input
+    input: |
+      {"identification": "phone", "login_id": "+85291230001"}
+  - name: flow 2 - send sms (HK)
+    action: input
+    input: |
+      {"channel": "sms"}
+    output:
+      result: |
+        {"action": {"type": "verify"}}
+
+  - name: flow 3 - create (MY)
+    action: create
+    input: |
+      {"type": "signup", "name": "default"}
+  - name: flow 3 - identify phone (MY)
+    action: input
+    input: |
+      {"identification": "phone", "login_id": "+60123450001"}
+  - name: flow 3 - send sms (MY)
+    action: input
+    input: |
+      {"channel": "sms"}
+    output:
+      result: |
+        {"action": {"type": "verify"}}
+
+  - name: flow 4 - create (TH)
+    action: create
+    input: |
+      {"type": "signup", "name": "default"}
+  - name: flow 4 - identify phone (TH)
+    action: input
+    input: |
+      {"identification": "phone", "login_id": "+66812340001"}
+  - name: flow 4 - send sms (TH)
+    action: input
+    input: |
+      {"channel": "sms"}
+    output:
+      result: |
+        {"action": {"type": "verify"}}
+
+  # Flow 5 is the 4th unverified country from this IP, so it should be blocked.
+  - name: flow 5 - create (US)
+    action: create
+    input: |
+      {"type": "signup", "name": "default"}
+  - name: flow 5 - identify phone (US)
+    action: input
+    input: |
+      {"identification": "phone", "login_id": "+12125550001"}
+  - name: flow 5 - send sms (blocked)
+    action: input
+    input: |
+      {"channel": "sms"}
+    output:
+      error: |
+        {
+          "name": "TooManyRequest",
+          "reason": "BlockedByFraudProtection",
+          "code": 429
+        }

e2e/tests/fraud_protection/sms_phone_countries_by_ip_daily_excludes_verified_country.test.yaml

@@ -86,21 +86,42 @@ return {new_level, (new_level > threshold) and 1 or 0}
 
 // ipCountriesScript tracks distinct countries seen from a given IP in the past 24h
 // using a sorted set keyed by country code with the last-seen timestamp as the score.
-// KEYS[1] = sorted set key
+// KEYS[1] = sent-countries sorted set key
+// KEYS[2] = verified-countries sorted set key
 // ARGV[1] = alpha2 country code
 // ARGV[2] = now (unix timestamp)
 // ARGV[3] = threshold (fixed = 3)
 // ARGV[4] = ttl_seconds (2 * 86400)
-// Returns {count, triggered_int}.
+// Returns {filtered_count, triggered_int}.
 var ipCountriesScript = `
 local now    = tonumber(ARGV[2])
 local cutoff = now - 86400
 
+-- 1. Use ZADD to record a send event in sent-countries sorted set key
 redis.call('ZADD', KEYS[1], now, ARGV[1])
+-- 2. use ZREMRANGEBYSCORE to drop records older than cutoff in both sets before processing
 redis.call('ZREMRANGEBYSCORE', KEYS[1], '-inf', cutoff)
+redis.call('ZREMRANGEBYSCORE', KEYS[2], '-inf', cutoff)
+-- 3. Update the expiry of both set to ensure they are not cleaned up when we still need them
 redis.call('EXPIRE', KEYS[1], ARGV[4])
+redis.call('EXPIRE', KEYS[2], ARGV[4])
+
+-- 4. Derive counties without at least one verified otp
+local sent_countries = redis.call('ZRANGE', KEYS[1], 0, -1)
+local verified_countries = redis.call('ZRANGE', KEYS[2], 0, -1)
+local verified_lookup = {}
+
+for _, country in ipairs(verified_countries) do
+    verified_lookup[country] = true
+end
+
+local count = 0
+for _, country in ipairs(sent_countries) do
+    if not verified_lookup[country] then
+        count = count + 1
+    end
+end
 
-local count = redis.call('ZCARD', KEYS[1])
 return {count, (count > tonumber(ARGV[3])) and 1 or 0}
 `
 
@@ -170,10 +191,11 @@ func (s *LeakyBucketStore) RecordSMSOTPSent(ctx context.Context, ip, phoneCountr
 			return err
 		}
 
-		// Update ip_countries ZSET.
+		// Update ip_countries ZSET and exclude countries with a verified OTP in the same window.
 		ipCountriesKey := s.ipCountriesKey(ip)
+		ipVerifiedCountriesKey := s.ipVerifiedCountriesKey(ip)
 		res, err := conn.Eval(ctx, ipCountriesScript,
-			[]string{ipCountriesKey},
+			[]string{ipCountriesKey, ipVerifiedCountriesKey},
 			phoneCountry, now, ipCountriesThreshold, 2*bucketWindowDaily,
 		).Slice()
 		if err != nil {
@@ -225,10 +247,30 @@ func (s *LeakyBucketStore) RecordSMSOTPVerified(ctx context.Context, ip, phoneCo
 	})
 }
 
+func (s *LeakyBucketStore) RecordSMSOTPVerifiedCountry(ctx context.Context, ip, phoneCountry string) error {
+	now := float64(s.Clock.NowUTC().Unix())
+
+	return s.Redis.WithConnContext(ctx, func(ctx context.Context, conn redis.Redis_6_0_Cmdable) error {
+		return conn.Eval(ctx, `
+-- Update the last verified otp timestamp of the country code in the sorted set
+redis.call('ZADD', KEYS[1], ARGV[1], ARGV[2])
+redis.call('EXPIRE', KEYS[1], ARGV[3])
+return 1
+`,
+			[]string{s.ipVerifiedCountriesKey(ip)},
+			now, phoneCountry, 2*bucketWindowDaily,
+		).Err()
+	})
+}
+
 func (s *LeakyBucketStore) bucketKey(period int, dimension, value string) string {
 	return fmt.Sprintf("app:%s:fraud_protection:leaky_bucket:%d:%s:%s", string(s.AppID), period, dimension, value)
 }
 
 func (s *LeakyBucketStore) ipCountriesKey(ip string) string {
 	return fmt.Sprintf("app:%s:fraud_protection:ip_countries:%s", string(s.AppID), ip)
 }
+
+func (s *LeakyBucketStore) ipVerifiedCountriesKey(ip string) string {
+	return fmt.Sprintf("app:%s:fraud_protection:ip_verified_countries:%s", string(s.AppID), ip)
+}