feat(users): apply django password validators in auth flows

apps/users/tests/test_api_views.py

@@ -113,8 +113,8 @@ class UserApiViewTests(APITestCase):
             {
                 "mobile": "09123330001",
                 "code": "123456",
-                "password": "new-secret123",
-                "re_password": "new-secret123",
+                "password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -123,7 +123,7 @@ class UserApiViewTests(APITestCase):
         reset_password_with_otp.assert_called_once_with(
             mobile="09123330001",
             code="123456",
-            password="new-secret123",
+            password="NewSecret1!",
         )
 
     def test_reset_password_view_rejects_invalid_mobile_format(self):
@@ -132,8 +132,8 @@ class UserApiViewTests(APITestCase):
             {
                 "mobile": "9123330001",
                 "code": "123456",
-                "password": "new-secret123",
-                "re_password": "new-secret123",
+                "password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -141,6 +141,21 @@ class UserApiViewTests(APITestCase):
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertIn("error", response.data)
 
+    def test_reset_password_view_rejects_weak_password(self):
+        response = self.client.post(
+            "/api/users/password/reset/",
+            {
+                "mobile": "09123330001",
+                "code": "123456",
+                "password": "weakpass",
+                "re_password": "weakpass",
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("Password must be at least 8 characters", response.data["error"])
+
     @patch("apps.users.api.views.change_password")
     def test_change_password_view_requires_auth_and_calls_service(self, change_password):
         self.client.force_authenticate(user=self.user)
@@ -149,8 +164,8 @@ class UserApiViewTests(APITestCase):
             "/api/users/password/change/",
             {
                 "old_password": "secret123",
-                "new_password": "new-secret123",
-                "re_password": "new-secret123",
+                "new_password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -159,9 +174,25 @@ class UserApiViewTests(APITestCase):
         change_password.assert_called_once_with(
             user=self.user,
             old_password="secret123",
-            new_password="new-secret123",
+            new_password="NewSecret1!",
         )
 
+    def test_change_password_view_rejects_reused_password(self):
+        self.client.force_authenticate(user=self.user)
+
+        response = self.client.patch(
+            "/api/users/password/change/",
+            {
+                "old_password": "secret123",
+                "new_password": "secret123",
+                "re_password": "secret123",
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("رمز عبور جدید", response.data["error"])
+
     @patch("apps.users.api.views.logout_user")
     def test_logout_view_calls_service(self, logout_user):
         self.client.force_authenticate(user=self.user)

apps/users/tests/test_auth_services.py

@@ -119,26 +119,42 @@ class AuthServiceTests(TestCase):
 
     @patch("apps.users.services.auth.get_redis_connection")
     def test_reset_password_with_otp_updates_password(self, get_redis_connection):
-        user = User.objects.create_user(mobile="09120000007", password="oldsecret")
+        user = User.objects.create_user(mobile="09120000007", password="OldSecret1!")
         fake_redis = FakeRedisConnection()
         fake_redis.setex("verification_code:09120000007", 120, "12345")
         get_redis_connection.return_value = fake_redis
 
-        reset_password_with_otp("09120000007", "12345", "newsecret")
+        reset_password_with_otp("09120000007", "12345", "NewSecret1!")
 
         user.refresh_from_db()
-        self.assertTrue(user.check_password("newsecret"))
+        self.assertTrue(user.check_password("NewSecret1!"))
         self.assertNotIn("verification_code:09120000007", fake_redis.store)
 
     def test_change_password_updates_existing_user_password(self):
-        user = User.objects.create_user(mobile="09120000008", password="oldsecret")
+        user = User.objects.create_user(mobile="09120000008", password="OldSecret1!")
 
-        change_password(user, "oldsecret", "newsecret")
+        change_password(user, "OldSecret1!", "NewSecret1!")
 
         user.refresh_from_db()
-        self.assertTrue(user.check_password("newsecret"))
+        self.assertTrue(user.check_password("NewSecret1!"))
         self.assertIsNotNone(user.password_updated_at)
 
+    @patch("apps.users.services.auth.get_redis_connection")
+    def test_reset_password_with_otp_rejects_reused_password(self, get_redis_connection):
+        User.objects.create_user(mobile="09120000070", password="OldSecret1!")
+        fake_redis = FakeRedisConnection()
+        fake_redis.setex("verification_code:09120000070", 120, "12345")
+        get_redis_connection.return_value = fake_redis
+
+        with self.assertRaises(ValidationError):
+            reset_password_with_otp("09120000070", "12345", "OldSecret1!")
+
+    def test_change_password_rejects_weak_password(self):
+        user = User.objects.create_user(mobile="09120000071", password="OldSecret1!")
+
+        with self.assertRaises(ValidationError):
+            change_password(user, "OldSecret1!", "weakpass")
+
     def test_logout_user_blacklists_refresh_token(self):
         user = User.objects.create_user(mobile="09120000009", password="secret123")
         refresh = str(RefreshToken.for_user(user))