feat(users): apply django password validators in auth flows

apps/users/tests/test_api_views.py

@@ -113,8 +113,8 @@ class UserApiViewTests(APITestCase):
             {
                 "mobile": "09123330001",
                 "code": "123456",
-                "password": "new-secret123",
-                "re_password": "new-secret123",
+                "password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -123,7 +123,7 @@ class UserApiViewTests(APITestCase):
         reset_password_with_otp.assert_called_once_with(
             mobile="09123330001",
             code="123456",
-            password="new-secret123",
+            password="NewSecret1!",
         )
 
     def test_reset_password_view_rejects_invalid_mobile_format(self):
@@ -132,8 +132,8 @@ class UserApiViewTests(APITestCase):
             {
                 "mobile": "9123330001",
                 "code": "123456",
-                "password": "new-secret123",
-                "re_password": "new-secret123",
+                "password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -141,6 +141,21 @@ class UserApiViewTests(APITestCase):
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertIn("error", response.data)
 
+    def test_reset_password_view_rejects_weak_password(self):
+        response = self.client.post(
+            "/api/users/password/reset/",
+            {
+                "mobile": "09123330001",
+                "code": "123456",
+                "password": "weakpass",
+                "re_password": "weakpass",
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("Password must be at least 8 characters", response.data["error"])
+
     @patch("apps.users.api.views.change_password")
     def test_change_password_view_requires_auth_and_calls_service(self, change_password):
         self.client.force_authenticate(user=self.user)
@@ -149,8 +164,8 @@ class UserApiViewTests(APITestCase):
             "/api/users/password/change/",
             {
                 "old_password": "secret123",
-                "new_password": "new-secret123",
-                "re_password": "new-secret123",
+                "new_password": "NewSecret1!",
+                "re_password": "NewSecret1!",
             },
             format="json",
         )
@@ -159,9 +174,25 @@ class UserApiViewTests(APITestCase):
         change_password.assert_called_once_with(
             user=self.user,
             old_password="secret123",
-            new_password="new-secret123",
+            new_password="NewSecret1!",
         )
 
+    def test_change_password_view_rejects_reused_password(self):
+        self.client.force_authenticate(user=self.user)
+
+        response = self.client.patch(
+            "/api/users/password/change/",
+            {
+                "old_password": "secret123",
+                "new_password": "secret123",
+                "re_password": "secret123",
+            },
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("رمز عبور جدید", response.data["error"])
+
     @patch("apps.users.api.views.logout_user")
     def test_logout_view_calls_service(self, logout_user):
         self.client.force_authenticate(user=self.user)