mohd
46af911a06
What I implemented Phone-first auth endpoints with OTP → JWT issuance. views.py urls.py Phone normalization (KSA-focused, E.164 or Saudi mobile) and validation. phone.py serializers.py OTP protections: rate limit, resend cooldown, attempt counting. otp.py models.py Email is now optional to allow phone-only users. models.py 0002_phone_auth_fields.py Admin OTP visibility improved. admin.py Risks updated. risks.md
1.2 KiB
1.2 KiB
Risks And Gaps
This file tracks known gaps and risks to address in future iterations.
Security And Auth
- Phone normalization is KSA-focused and minimal; broaden for multi-country use.
- OTP protections are basic; add device fingerprinting and IP throttling if needed.
- OTP provider adapters (Twilio/Unifonic) are scaffolds only; no real SMS/WhatsApp delivery yet.
- Social login is a placeholder.
- USERNAME_FIELD is still
emailwhile email can be null; verify admin/login flows.
Booking Integrity
- No availability checks or overlap prevention for staff/salon schedules.
- No timezone handling or business hours enforcement.
- No cancellation rules or refund logic.
Payments
- Payment integration is not implemented. Current API only stores records and a Moyasar scaffold exists.
- Webhook handling and payment status reconciliation missing.
- Idempotency handling for payment creation missing.
Data And UX
- Ratings are not recalculated from reviews.
- No image upload or storage strategy for photos.
- No notifications (email/SMS) beyond OTP scaffolding.
Ops And Compliance
- No audit logs for admin actions.
- No multi-tenant isolation or data export tooling.
- No GDPR/PDPL data retention policies defined.