Phone-first Auth Hardening
This ExecPlan follows docs/PLANS.md.
Purpose / Big Picture
Keep phone OTP as canonical login surface, preserve phone-first identity across serializers/admin/UI-facing strings, and lock regression tests around this contract.
Progress
- (2026-03-14 12:00 UTC) Plan created with test-first scope.
- (2026-03-14 13:55 UTC) Added tests for display fallback + phone auth error contracts.
- (2026-03-14 14:30 UTC) Implemented User.display_name, serializer/admin updates, and docs updates.
- Expand tests for OAuth linking policy and remaining phone-first invariants.
Surprises & Discoveries
- Observation: JWT test key warning appears in suite. Evidence: InsecureKeyLengthWarning during accounts/salons pytest runs.
Decision Log
- Decision: Pre-create user on phone request; verify on phone verify. Rationale: deterministic onboarding lifecycle. Date/Author: 2026-03-14/Codex
- Decision: Add User.display_name and reuse everywhere. Rationale: stable fallback for phone-only accounts. Date/Author: 2026-03-14/Codex
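The two decisions above (pre-create on request, verify on verify, with display_name as the phone-first fallback) as an added, dependency-free Python sketch; it is not the project's Django code. The hashed OTP storage, five-minute TTL, five-attempt cap, single error string and the caller-supplied clock (pass time.time() in production) are all assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300  # assumption: a code lives five minutes
MAX_ATTEMPTS = 5       # assumption: a code is dead after five wrong guesses
INVALID = "invalid_or_expired_code"  # the single error string tests pin down

@dataclass
class User:
    phone: str
    email: str = ""
    is_verified: bool = False

    @property
    def display_name(self) -> str:
        """Stable UI label: email when present, otherwise the phone itself."""
        return self.email or self.phone

@dataclass
class PendingOtp:
    code_hash: bytes  # only a hash is stored, never the raw code
    expires_at: float
    attempts: int = 0

def _hash(phone: str, code: str) -> bytes:
    return hashlib.sha256(f"{phone}:{code}".encode()).digest()

class PhoneAuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.pending: dict[str, PendingOtp] = {}

    def request(self, phone: str, now: float) -> str:
        """Pre-create the user row (idempotently) and issue a fresh OTP."""
        self.users.setdefault(phone, User(phone=phone))
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = PendingOtp(_hash(phone, code), now + OTP_TTL_SECONDS)
        return code  # goes to the SMS sender, never into the API response

    def verify(self, phone: str, code: str, now: float) -> tuple[bool, str]:
        """Every failure yields the same error: unknown, stale and wrong look alike."""
        otp = self.pending.get(phone)
        if otp is None or now > otp.expires_at or otp.attempts >= MAX_ATTEMPTS:
            return False, INVALID
        otp.attempts += 1
        if not hmac.compare_digest(otp.code_hash, _hash(phone, code)):
            return False, INVALID
        del self.pending[phone]  # single use: a verified code cannot be replayed
        self.users[phone].is_verified = True
        return True, ""
```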
Outcomes & Retrospective
Core phone-first hardening landed and tests pass for implemented scope. Remaining work is mainly policy (OAuth linking/conflict) plus extra invariants coverage.
Context and Orientation
- Auth endpoints: backend/apps/accounts/views.py
- User model/admin: backend/apps/accounts/models.py, backend/apps/accounts/admin.py
- Cross-app display paths: backend/apps/salons/, backend/apps/bookings/
Plan of Work
- Keep adding invariant tests first.
- Finalize OAuth linking/conflict policy and enforce in auth services.
- Update docs/runbooks/risks with final contract.
Validation and Acceptance
From backend/:
python3 -m pytest backend/apps/accounts/tests backend/apps/salons/tests
Acceptance:
- Phone auth endpoints remain canonical and stable.
- Display paths show phone-first labels when email absent.
- New invariant tests pass.
Idempotence and Recovery
Auth hardening changes are additive and test-gated. Roll back by app-level revert if a contract regression is detected.