Checklist for MFA requirement release

[jenshenny]

This issue tracks what should be completed for MFA enforcement on Aug 15
RFC Phase 3

Required but should be merged before release

• Redirect users to configure MFA on UI Redirect MFA-required users away from authenticated endpoints (UI) #3153
• Modify mailer to send to affected users Mailer: Email to announce MFA is required for maintainers of gems with 180M+ downloads #3171

Deployed day of

• Block privileged actions on CLI Block push, yank, a/r owners, gem signin if user requires MFA and has it disabled or at a weak level. #3155
• Remove mfa_required cookie for the UI MFA required (Phase 3) remove feature flag cookie #3170
• Blog post outlining these changes Add MFA enforcement on popular gems blog post rubygems.github.io#121
• Run rake task to send emails to affected users

Enhancements (not required for release)

• Replace MFA device to prevent users to disable MFA MFA Device Replacement Flow #3142

[jenshenny]

@bettymakes @jchestershopify @kevinlinxc and I tophatted these flows on staging. We couldn't modify data on staging so we were only able to test some cases. cases highlighted with an asterisk were tested only on local

User with more than 180 mil downloads

MFA disabled user

• login to find MFA setup
  Confirmed the following routes redirected to MFA setup:
  /settings/edit
  /dashboard
  /gems/:rubygem_id/owners
  /profile/api_keys
  /profile/api_keys/new
  /notifier
  /sessions/verify
• error for gem push
• error for gem yank
• error for gem add owner
• error for gem remove owner
• error for gem signin

MFA UI only user

• login to find banner and redirect to settings, cannot navigate to authenticated pages
  Confirmed the following routes redirected to edit settings:
  /dashboard
  /gems/:rubygem_id/owners
  /profile/api_keys
  /profile/api_keys/new
  /notifier
  /sessions/verify
• error for gem push*
• error for gem yank*
• error for gem add owner*
• error for gem remove owner*
• error for gem signin

MFA UI_and_gem_signin user

• nothing in login
• no error for gem push
• no error for gem yank
• no error for gem add owner
• no error for gem remove owner
• no error for gem signin

User with 165-180 mil downloads

MFA disabled user

• login to find MFA setup, can navigate away*
• warning for gem push*
• warning for gem yank*
• warning for gem add owner*
• warning for gem remove owner*

MFA UI only user

• login to find edit settings with warnings, can navigate away*
• warning for gem push*
• warning for gem yank*
• warning for gem add owner*
• warning for gem remove owner*

User with less than 165 mil downloads

MFA disabled user

• nothing in login
• no error or warnings for gem push
• no error or warnings for gem yank
• no error or warnings for gem add owner
• no error or warnings for gem remove owner

MFA UI only user

• nothing in login*
• no error or warnings for gem push*
• no error or warnings for gem yank*
• no error or warnings for gem add owner*
• no error or warnings for gem remove owner*

*unable to test on staging, tested on local machine

[bettymakes]

✅ Everything is complete in the check list besides the enhancement feature, which was not required for the release. We should be good to close this 🙌