# Phone-first Auth Hardening

This ExecPlan follows `docs/PLANS.md`.

## Purpose / Big Picture

Keep phone OTP as the canonical login surface, preserve phone-first identity across serializers, admin, and UI-facing strings, and lock regression tests around this contract.

## Progress

- [x] (2026-03-14 12:00 UTC) Plan created with test-first scope.
- [x] (2026-03-14 13:55 UTC) Added tests for display fallback and phone auth error contracts.
- [x] (2026-03-14 14:30 UTC) Implemented `User.display_name`, serializer/admin updates, and docs updates.
- [ ] Expand tests for OAuth linking policy and remaining phone-first invariants.

## Surprises & Discoveries

- Observation: a JWT test-key warning appears in the suite. Evidence: `InsecureKeyLengthWarning` during accounts/salons pytest runs.

## Decision Log

- Decision: Pre-create the user on phone OTP request; mark it verified on phone OTP verify. Rationale: deterministic onboarding lifecycle. Date/Author: 2026-03-14/Codex
- Decision: Add `User.display_name` and reuse it everywhere a user is labelled. Rationale: stable fallback for phone-only accounts. Date/Author: 2026-03-14/Codex

## Outcomes & Retrospective

Core phone-first hardening landed and tests pass for the implemented scope. Remaining work is mainly policy (OAuth linking/conflict) plus extra invariants coverage.

## Context and Orientation

- Auth endpoints: `backend/apps/accounts/views.py`
- User model/admin: `backend/apps/accounts/models.py`, `backend/apps/accounts/admin.py`
- Cross-app display paths: `backend/apps/salons/`, `backend/apps/bookings/`

## Plan of Work

1. Keep adding invariant tests first.
2. Finalize the OAuth linking/conflict policy and enforce it in the auth services.
3. Update docs/runbooks/risks with the final contract.

## Validation and Acceptance

From `backend/`:

- `python3 -m pytest backend/apps/accounts/tests backend/apps/salons/tests`

Acceptance:

- Phone auth endpoints remain canonical and stable.
- Display paths show phone-first labels when email is absent.
- New invariant tests pass.
## Idempotence and Recovery

Auth hardening changes are additive and test-gated. Roll back by app-level revert if a contract regression is detected.
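The two Decision Log entries (pre-create on OTP request, verify on OTP verify; `User.display_name` as a stable fallback) together with the acceptance criterion that display paths stay phone-first when email is absent, shown as an added, stdlib-only example. This is not the project's Django code: the `PhoneAuthService` class, its `request_otp`/`verify_otp` methods, the 300-second TTL, the five-attempt limit, the fallback order (full name, then email, then masked phone) and the masking format are all assumptions made for illustration. What it does show is the onboarding lifecycle the plan describes, with the checks a practitioner wants on the verify step: constant-time OTP comparison, expiry, an attempt cap, and single use.

```python
"""Illustrative model of the Decision Log items: pre-create on OTP request,
verify on OTP verify, and a phone-first display fallback. Stdlib only;
nothing here is the project's own Django code."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


def mask_phone(phone: str) -> str:
    """Mask all but the leading two and trailing two characters so display
    paths never leak a full number: "+14155551234" -> "+1********34"."""
    if len(phone) <= 4:
        return "*" * len(phone)
    return phone[:2] + "*" * (len(phone) - 4) + phone[-2:]


@dataclass
class User:
    phone: str                      # canonical identity (E.164 assumed)
    email: str | None = None
    first_name: str = ""
    last_name: str = ""
    phone_verified: bool = False

    @property
    def display_name(self) -> str:
        """Phone-first fallback label. Order assumed here: full name, then
        email, then masked phone. It never returns an empty string, which is
        the stable-fallback property the Decision Log asks for."""
        full = f"{self.first_name} {self.last_name}".strip()
        if full:
            return full
        if self.email:
            return self.email
        return mask_phone(self.phone)


class PhoneAuthService:
    """In-memory stand-in for the accounts auth service (assumed names)."""

    OTP_TTL_SECONDS = 300   # assumed
    MAX_ATTEMPTS = 5        # assumed

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        # phone -> (otp, expiry as monotonic seconds, attempts left)
        self._pending: dict[str, tuple[str, float, int]] = {}

    def request_otp(self, phone: str) -> str:
        """Pre-create the user row if absent (idempotent: a repeat request
        keeps the same row) and issue a fresh single-use OTP."""
        self.users.setdefault(phone, User(phone=phone))
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = (otp, time.monotonic() + self.OTP_TTL_SECONDS, self.MAX_ATTEMPTS)
        # Production would send this by SMS; it is returned so the example runs offline.
        return otp

    def verify_otp(self, phone: str, submitted: str) -> User | None:
        """Return the verified user on success, None on any failure
        (no pending request, expired, exhausted attempts, wrong code)."""
        pending = self._pending.get(phone)
        if pending is None:
            return None
        otp, expires_at, attempts_left = pending
        if time.monotonic() > expires_at:
            self._pending.pop(phone, None)
            return None
        if not hmac.compare_digest(otp.encode(), submitted.encode()):
            remaining = attempts_left - 1
            if remaining <= 0:
                self._pending.pop(phone, None)     # lock this request; a new OTP is required
            else:
                self._pending[phone] = (otp, expires_at, remaining)
            return None
        self._pending.pop(phone, None)             # single use
        user = self.users[phone]
        user.phone_verified = True
        return user


def wrong_code(otp: str) -> str:
    """A code guaranteed to differ from `otp` (used by the self-check below)."""
    return otp[:-1] + ("0" if otp[-1] != "0" else "1")


if __name__ == "__main__":
    svc = PhoneAuthService()
    otp = svc.request_otp("+14155551234")            # row exists, unverified
    assert svc.verify_otp("+14155551234", wrong_code(otp)) is None
    user = svc.verify_otp("+14155551234", otp)
    assert user is not None and user.phone_verified
    print(user.display_name)                          # +1********34
```

The invariant tests the plan calls for map directly onto this shape: a repeat `request_otp` must return the same `User` row, a consumed OTP must not verify twice, and `display_name` for a phone-only row must be non-empty and must not expose the full number.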