mohd
dc68ecfe4c
Added initial migrations for accounts, salons, bookings, payments. 0001_initial.py 0001_initial.py 0001_initial.py 0001_initial.py Added demo seeding command. seed_demo.py OTP provider abstraction now includes Twilio + Unifonic adapter scaffolds (not implemented yet, they raise). otp.py Moyasar gateway scaffold added (not implemented yet, raises). gateway.py Added .env loading in settings and expanded .env.example for OTP and Moyasar. settings.py .env.example Captured current gaps/risks in a tracked doc as requested. risks.md Updated README with seeding guidance and risk doc pointer. README.md
30 lines
1.0 KiB
Markdown
30 lines
1.0 KiB
Markdown
# Risks And Gaps
|
|
|
|
This file tracks known gaps and risks to address in future iterations.
|
|
|
|
## Security And Auth
|
|
- Phone auth only verifies existing users. Add phone-first sign-up flow.
|
|
- OTP rate limiting, resend cooldown, and abuse protections are missing.
|
|
- Phone normalization/validation (E.164) not implemented.
|
|
- Social login is a placeholder.
|
|
|
|
## Booking Integrity
|
|
- No availability checks or overlap prevention for staff/salon schedules.
|
|
- No timezone handling or business hours enforcement.
|
|
- No cancellation rules or refund logic.
|
|
|
|
## Payments
|
|
- Payment integration is not implemented. Current API only stores records.
|
|
- Webhook handling and payment status reconciliation missing.
|
|
- Idempotency handling for payment creation missing.
|
|
|
|
## Data And UX
|
|
- Ratings are not recalculated from reviews.
|
|
- No image upload or storage strategy for photos.
|
|
- No notifications (email/SMS) beyond OTP scaffolding.
|
|
|
|
## Ops And Compliance
|
|
- No audit logs for admin actions.
|
|
- No multi-tenant isolation or data export tooling.
|
|
- No GDPR/PDPL data retention policies defined.
|