fix(users): validate password reset mobile input

2026-05-03 17:10:00 +03:30
parent 0823267544
commit 8ff1e4fa61
2 changed files with 48 additions and 8 deletions
--- a/apps/users/tests/test_api_views.py
+++ b/apps/users/tests/test_api_views.py
@@ -65,6 +65,20 @@ class UserApiViewTests(APITestCase):
            mode="login",
        )

+    @patch("apps.users.api.views.generate_and_send_otp")
+    def test_send_otp_view_supports_forget_password_mode(self, generate_and_send_otp):
+        response = self.client.post(
+            "/api/users/otp/send/",
+            {"mobile": "09123330001", "mode": "forget_password"},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        generate_and_send_otp.assert_called_once_with(
+            mobile="09123330001",
+            mode="forget_password",
+        )
+
    @patch("apps.users.api.views.login_with_password")
    def test_login_view_returns_tokens(self, login_with_password):
        login_with_password.return_value = {"access": "a", "refresh": "r"}
@@ -112,6 +126,21 @@ class UserApiViewTests(APITestCase):
            password="new-secret123",
        )

+    def test_reset_password_view_rejects_invalid_mobile_format(self):
+        response = self.client.post(
+            "/api/users/password/reset/",
+            {
+                "mobile": "9123330001",
+                "code": "123456",
+                "password": "new-secret123",
+                "re_password": "new-secret123",
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("error", response.data)
+
    @patch("apps.users.api.views.change_password")
    def test_change_password_view_requires_auth_and_calls_service(self, change_password):
        self.client.force_authenticate(user=self.user)