feat: deprecate email, pre-verify users + documentation

2026-03-14 14:40:52 +03:00
parent ad711d1daf
commit 9787fb699a
13 changed files with 223 additions and 21 deletions
+2 -3
@@ -10,12 +10,11 @@ This file tracks known gaps and risks to address in future iterations.
- `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
- Password token obtain endpoint (`/api/auth/token/`) is deprecated (`410 Gone`); phone OTP flow is the login source of truth.
- OTP purpose isolation is enforced at verification endpoint boundaries (`/otp/verify` accepts only `verify`, `/phone/verify` accepts only `auth`).
- Django admin user configuration remains email-centric (ordering/add form defaults), increasing operational friction for phone-only accounts.
- Multiple serializers/model `__str__` paths in non-auth apps still fallback to `user.email`; phone-only users may get poor display/audit clarity.
- Django admin user configuration now orders by `phone_number` and requests it on add forms to reduce friction for phone-only accounts.
- Phone auth request now creates the customer record before issuing OTPs and marks `is_phone_verified` once `/api/auth/phone/verify/` succeeds, so phone numbers remain first-class during onboarding.
## Next Auth Review Points
- DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint).
- Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
- Abuse-control implementation for `/api/auth/phone/request/` is in place (IP throttling + persisted device signal); next step is monitor false positives and tune limits.
- Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
- Add explicit tests for remaining phone-first invariants (verified-phone guards and any legacy-path regressions).
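Review bot: The added bullet "Phone auth request now creates the customer record before issuing OTPs" resolves the removed "Decide user lifecycle for phone auth" item, but the tracker should state the consequence of that decision: a user row with a `NOT NULL`, `UNIQUE` phone number now exists before the OTP is ever verified, so an unverified requester can occupy a phone number and leave persistent never-verified accounts behind. Suggest keeping a follow-up item under "Next Auth Review Points" for expiring or cleaning up accounts whose `is_phone_verified` never becomes true, and folding that case into the "verified-phone guards" test item, since the abuse-control bullet only covers request-rate throttling and device signals, not the lifecycle of rows the request path creates.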