I proceeded with Phase 1 step 1 (phone-first auth + OTP hardening) and updated the plan context. Here’s the current state and the next steps.
What I implemented Phone-first auth endpoints with OTP → JWT issuance. views.py urls.py Phone normalization (KSA-focused, E.164 or Saudi mobile) and validation. phone.py serializers.py OTP protections: rate limit, resend cooldown, attempt counting. otp.py models.py Email is now optional to allow phone-only users. models.py 0002_phone_auth_fields.py Admin OTP visibility improved. admin.py Risks updated. risks.md
This commit is contained in:
+5
-4
@@ -3,10 +3,11 @@
|
||||
This file tracks known gaps and risks to address in future iterations.
|
||||
|
||||
## Security And Auth
|
||||
- Phone auth only verifies existing users. Add phone-first sign-up flow.
|
||||
- OTP rate limiting, resend cooldown, and abuse protections are missing.
|
||||
- Phone normalization/validation (E.164) not implemented.
|
||||
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
|
||||
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
|
||||
- OTP provider adapters (Twilio/Unifonic) are scaffolds only; no real SMS/WhatsApp delivery yet.
|
||||
- Social login is a placeholder.
|
||||
- USERNAME_FIELD is still `email` while email can be null; verify admin/login flows.
|
||||
|
||||
## Booking Integrity
|
||||
- No availability checks or overlap prevention for staff/salon schedules.
|
||||
@@ -14,7 +15,7 @@ This file tracks known gaps and risks to address in future iterations.
|
||||
- No cancellation rules or refund logic.
|
||||
|
||||
## Payments
|
||||
- Payment integration is not implemented. Current API only stores records.
|
||||
- Payment integration is not implemented. Current API only stores records and a Moyasar scaffold exists.
|
||||
- Webhook handling and payment status reconciliation missing.
|
||||
- Idempotency handling for payment creation missing.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user