# Risks And Gaps

This file tracks known gaps and risks to address in future iterations.

## Security And Auth
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
- Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP); Unifonic remains a scaffold.
- Social login is a placeholder.
- `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.

## Booking Integrity
- Availability checks and overlap prevention are now enforced for staff bookings.
- **Race condition — booking overlap check is not atomic:** `validate_booking_request` runs the overlap query and returns; the view then calls `serializer.save()` in a separate step with no lock held. Two concurrent POST `/api/bookings/` requests for the same staff slot will both pass validation and both commit. Fix: wrap the overlap check and booking insert in a `select_for_update()` query (or use serializable transaction isolation) so only one request can hold the lock at a time.
- No timezone handling or business hours enforcement.
- No cancellation rules or refund logic.

## Payments
- Moyasar payment creation, webhook reconciliation, and idempotency are implemented.
- Moyasar capture and refund are implemented in the gateway; API endpoints for admin-initiated capture/refund can be added when needed.

## Data And UX
- Ratings are not recalculated from reviews.
- No image upload or storage strategy for photos.
- Booking lifecycle notifications are implemented; Authentica can deliver SMS when NOTIFICATION_PROVIDER=authentica.
- Localization foundations are in progress; full Arabic translation coverage and RTL QA are still pending.

## Ops And Compliance
- No audit logs for admin actions.
- No multi-tenant isolation or data export tooling.
- No GDPR/PDPL data retention policies defined.