mohd/Salon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update docs

Browse Source
This commit is contained in:
mohd
2026-03-14 01:06:42 +03:00
parent eb88f23d28
commit 9b87eb74d7
2 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/risks.md
+2 -2
View File
@@ -4,7 +4,7 @@ This file tracks known gaps and risks to address in future iterations.
## Security And Auth
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
- OTP protections now include per-phone limits plus `/phone/request` IP/device window controls; thresholds still need production tuning.
- Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP).
- Social login is a placeholder.
- `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
@@ -16,7 +16,7 @@ This file tracks known gaps and risks to address in future iterations.
## Next Auth Review Points
- DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint).
- Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
- Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals).
- Abuse-control implementation for `/api/auth/phone/request/` is in place (IP throttling + persisted device signal); next step is monitor false positives and tune limits.
- Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
- Add explicit tests for remaining phone-first invariants (verified-phone guards and any legacy-path regressions).
docs/runbooks/auth_otp_failures.md
+1
View File
@@ -26,6 +26,7 @@ Guide for diagnosing and mitigating OTP send or verify failures in phone-first a
- If provider credentials are missing or invalid, fix the environment variables and restart the API process.
- If the provider is down, temporarily switch to `OTP_PROVIDER=console` for non-production environments and notify support.
- If rate limits are triggered, validate `OTP_MAX_PER_WINDOW`, `OTP_WINDOW_MINUTES`, and `OTP_RESEND_COOLDOWN_SECONDS` values and confirm client behavior is not retrying aggressively.
- For phone-login abuse spikes, also validate `PHONE_AUTH_IP_MAX_PER_WINDOW`, `PHONE_AUTH_DEVICE_MAX_PER_WINDOW`, and `PHONE_AUTH_RISK_WINDOW_MINUTES`.
- If verification is failing, confirm server time is correct and `OTP_EXPIRY_MINUTES` is appropriate.
## Rollback / Escalation