chore: update docs
This commit is contained in:
+2
-2
@@ -4,7 +4,7 @@ This file tracks known gaps and risks to address in future iterations.
|
||||
|
||||
## Security And Auth
|
||||
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
|
||||
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
|
||||
- OTP protections now include per-phone limits plus `/phone/request` IP/device window controls; thresholds still need production tuning.
|
||||
- Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP).
|
||||
- Social login is a placeholder.
|
||||
- `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
|
||||
@@ -16,7 +16,7 @@ This file tracks known gaps and risks to address in future iterations.
|
||||
## Next Auth Review Points
|
||||
- DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint).
|
||||
- Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
|
||||
- Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals).
|
||||
- Abuse-control implementation for `/api/auth/phone/request/` is in place (IP throttling + persisted device signal); next step is monitor false positives and tune limits.
|
||||
- Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
|
||||
- Add explicit tests for remaining phone-first invariants (verified-phone guards and any legacy-path regressions).
|
||||
|
||||
|
||||
Reference in New Issue
Block a user