feat: phone auth tests and fixes

2026-03-13 23:48:40 +03:00
parent 38e5ece96f
commit 4026b94c3a
6 changed files with 116 additions and 11 deletions
@@ -1,5 +1,4 @@
 from django.contrib.auth import get_user_model
-from django.shortcuts import get_object_or_404
 from rest_framework import generics, permissions, status
 from rest_framework.response import Response
 from django.utils.translation import gettext as _
@@ -70,7 +69,10 @@ class OTPVerifyView(APIView):
        serializer = OTPVerifySerializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        data = serializer.validated_data
-        otp = get_object_or_404(PhoneOTP, id=data["request_id"])
+        # Purpose isolation: verification endpoint accepts only verify-purpose OTPs.
+        otp = PhoneOTP.objects.filter(id=data["request_id"], purpose=OtpPurpose.VERIFY).first()
+        if not otp:
+            return Response({"detail": _("Invalid or expired code")}, status=status.HTTP_400_BAD_REQUEST)
        if not verify_otp(otp, data["code"]):
            return Response({"detail": _("Invalid or expired code")}, status=status.HTTP_400_BAD_REQUEST)

@@ -133,7 +135,10 @@ class PhoneAuthVerifyView(APIView):
        serializer = PhoneAuthVerifySerializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        data = serializer.validated_data
-        otp = get_object_or_404(PhoneOTP, id=data["request_id"])
+        # Purpose isolation: login endpoint accepts only auth-purpose OTPs.
+        otp = PhoneOTP.objects.filter(id=data["request_id"], purpose=OtpPurpose.AUTH).first()
+        if not otp:
+            return Response({"detail": _("Invalid or expired code")}, status=status.HTTP_400_BAD_REQUEST)
        if not verify_otp(otp, data["code"]):
            return Response({"detail": _("Invalid or expired code")}, status=status.HTTP_400_BAD_REQUEST)