fix: deprecate passwords, use phone auth source of truth

backend/apps/accounts/tests/test_phone_first_enforcement.py

@@ -91,3 +91,17 @@ def test_db_rejects_duplicate_phone_number():
     User.objects.create_user(phone_number="+966512345678")
     with pytest.raises(IntegrityError):
         User.objects.create_user(phone_number="+966512345678")
+
+
+@pytest.mark.django_db
+def test_password_token_endpoint_is_disabled(client):
+    User.objects.create_user(phone_number="+966512345678", password="StrongPass123")
+
+    response = client.post(
+        reverse("token_obtain_pair"),
+        {"phone_number": "+966512345678", "password": "StrongPass123"},
+        content_type="application/json",
+    )
+
+    assert response.status_code == 410
+    assert "detail" in response.json()