I proceeded with Phase 1 step 1 (phone-first auth + OTP hardening) and updated the plan context. Here’s the current state and the next steps.

What I implemented

Phone-first auth endpoints with OTP → JWT issuance.
views.py
urls.py
Phone normalization (KSA-focused, E.164 or Saudi mobile) and validation.
phone.py
serializers.py
OTP protections: rate limit, resend cooldown, attempt counting.
otp.py
models.py
Email is now optional to allow phone-only users.
models.py
0002_phone_auth_fields.py
Admin OTP visibility improved.
admin.py
Risks updated.
risks.md

backend/apps/accounts/migrations/0002_phone_auth_fields.py

@@ -0,0 +1,34 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("accounts", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="user",
+            name="email",
+            field=models.EmailField(blank=True, max_length=254, null=True, unique=True),
+        ),
+        migrations.AddField(
+            model_name="phoneotp",
+            name="attempt_count",
+            field=models.PositiveSmallIntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="phoneotp",
+            name="max_attempts",
+            field=models.PositiveSmallIntegerField(default=5),
+        ),
+        migrations.AddField(
+            model_name="phoneotp",
+            name="purpose",
+            field=models.CharField(
+                choices=[("auth", "Authentication"), ("verify", "Phone Verification")],
+                default="auth",
+                max_length=20,
+            ),
+        ),
+    ]