mohd/Salon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: update auth progress

Browse Source
This commit is contained in:
mohd
2026-03-14 00:32:57 +03:00
parent 5ece1036cd
commit c391a9b8e5
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/risks.md
+1 -2
View File
@@ -14,8 +14,7 @@ This file tracks known gaps and risks to address in future iterations.
- Multiple serializers/model `__str__` paths in non-auth apps still fallback to `user.email`; phone-only users may get poor display/audit clarity. - Multiple serializers/model `__str__` paths in non-auth apps still fallback to `user.email`; phone-only users may get poor display/audit clarity.
## Next Auth Review Points ## Next Auth Review Points
- Enforce normalized E.164 phone format at model/DB boundary (constraints, indexing, uniqueness behavior with nullable fields). - DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint).
- Add DB-level non-null + format guardrails for `accounts_user.phone_number` to complement service-level normalization.
- Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state). - Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
- Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals). - Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals).
- Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source). - Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).