Salon/docs/execplans/auth-phone-first-hardening.md

# Phone-first Auth Hardening
This ExecPlan follows `docs/PLANS.md`.
## Purpose / Big Picture
Keep phone OTP as canonical login surface, preserve phone-first identity across serializers/admin/UI-facing strings, and lock regression tests around this contract.
## Progress
- [x] (2026-03-14 12:00 UTC) Plan created with test-first scope.
- [x] (2026-03-14 13:55 UTC) Added tests for display fallback + phone auth error contracts.
- [x] (2026-03-14 14:30 UTC) Implemented `User.display_name`, serializer/admin updates, and docs updates.
- [ ] Expand tests for OAuth linking policy and remaining phone-first invariants.
## Surprises & Discoveries
- Observation: JWT test key warning appears in suite.
  Evidence: `InsecureKeyLengthWarning` during accounts/salons pytest runs.
## Decision Log
- Decision: Pre-create user on phone request; verify on phone verify.
  Rationale: deterministic onboarding lifecycle.
  Date/Author: 2026-03-14/Codex
- Decision: Add `User.display_name` and reuse everywhere.
  Rationale: stable fallback for phone-only accounts.
  Date/Author: 2026-03-14/Codex
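As an added illustration of the two decisions above (example code, not the Salon project's own): a phone-first user record with the `display_name` fallback, and an OTP service that pre-creates the user on request and marks it verified only after a single-use, constant-time code check with expiry and an attempt cap. `PhoneUser`, `OtpService`, `otp_ttl` and `max_attempts` are assumed names and values, and the SMS send is stubbed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class PhoneUser:
    phone: str
    email: str = ""
    first_name: str = ""
    is_phone_verified: bool = False

    @property
    def display_name(self) -> str:
        # Phone-first fallback: name, then phone, then email, so a phone-only
        # account always has a stable non-empty label wherever it is rendered.
        return self.first_name or self.phone or self.email

@dataclass
class OtpService:
    otp_ttl: float = 300.0   # seconds a code stays valid (assumed value)
    max_attempts: int = 5    # wrong guesses allowed per issued code (assumed)
    users: dict = field(default_factory=dict)   # phone -> PhoneUser
    _codes: dict = field(default_factory=dict)  # phone -> (code, expires_at, attempts)

    def request(self, phone: str) -> PhoneUser:
        # Pre-create the user on request so onboarding is deterministic; a repeat
        # request reuses the existing record and simply rotates the code.
        user = self.users.setdefault(phone, PhoneUser(phone=phone))
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = (code, time.monotonic() + self.otp_ttl, 0)
        # Stand-in for the SMS gateway: the real service would send `code` here.
        return user

    def verify(self, phone: str, code: str) -> bool:
        entry = self._codes.get(phone)
        if entry is None:
            return False
        expected, expires_at, attempts = entry
        if time.monotonic() > expires_at or attempts >= self.max_attempts:
            self._codes.pop(phone, None)  # expired or exhausted: require a fresh request
            return False
        if not hmac.compare_digest(expected, code):  # constant-time comparison
            self._codes[phone] = (expected, expires_at, attempts + 1)
            return False
        self._codes.pop(phone)  # codes are single use
        self.users[phone].is_phone_verified = True
        return True
```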
## Outcomes & Retrospective
Core phone-first hardening landed and tests pass for implemented scope. Remaining work is mainly policy (OAuth linking/conflict) plus extra invariants coverage.
## Context and Orientation
- Auth endpoints: `backend/apps/accounts/views.py`
- User model/admin: `backend/apps/accounts/models.py`, `backend/apps/accounts/admin.py`
- Cross-app display paths: `backend/apps/salons/`, `backend/apps/bookings/`
## Plan of Work
1. Keep adding invariant tests first.
2. Finalize OAuth linking/conflict policy and enforce in auth services.
3. Update docs/runbooks/risks with final contract.
## Validation and Acceptance
From `backend/`:
- `python3 -m pytest backend/apps/accounts/tests backend/apps/salons/tests`
Acceptance:
- Phone auth endpoints remain canonical and stable.
- Display paths show phone-first labels when email absent.
- New invariant tests pass.
## Idempotence and Recovery
Auth hardening changes are additive and test-gated. Roll back by app-level revert if a contract regression is detected.