fix(demo): block external account actions

apps/users/services/auth.py

@@ -81,7 +81,11 @@ def register_user_with_otp(mobile, code, password, first_name="", last_name=""):
 
 def generate_and_send_otp(mobile, mode):
     """Business logic for generating OTP, checking existence rules, and sending SMS."""
-    user_exists = User.objects.filter(mobile=mobile).exists()
+    user = User.objects.filter(mobile=mobile).only("is_demo").first()
+    user_exists = user is not None
+
+    if user and user.is_demo:
+        raise ValidationError({"mobile": "Demo accounts cannot use SMS verification."})
 
     if mode == "register" and user_exists:
         raise ValidationError({"mobile": "این شماره قبلاً ثبت‌نام شده است."})