feat(users): apply django password validators in auth flows

2026-05-03 20:02:14 +03:30
parent f04e9ba828
commit d1c4889d22
6 changed files with 315 additions and 196 deletions
--- a/apps/users/tests/test_auth_services.py
+++ b/apps/users/tests/test_auth_services.py
@@ -119,26 +119,42 @@ class AuthServiceTests(TestCase):

    @patch("apps.users.services.auth.get_redis_connection")
    def test_reset_password_with_otp_updates_password(self, get_redis_connection):
-        user = User.objects.create_user(mobile="09120000007", password="oldsecret")
+        user = User.objects.create_user(mobile="09120000007", password="OldSecret1!")
        fake_redis = FakeRedisConnection()
        fake_redis.setex("verification_code:09120000007", 120, "12345")
        get_redis_connection.return_value = fake_redis

-        reset_password_with_otp("09120000007", "12345", "newsecret")
+        reset_password_with_otp("09120000007", "12345", "NewSecret1!")

        user.refresh_from_db()
-        self.assertTrue(user.check_password("newsecret"))
+        self.assertTrue(user.check_password("NewSecret1!"))
        self.assertNotIn("verification_code:09120000007", fake_redis.store)

    def test_change_password_updates_existing_user_password(self):
-        user = User.objects.create_user(mobile="09120000008", password="oldsecret")
+        user = User.objects.create_user(mobile="09120000008", password="OldSecret1!")

-        change_password(user, "oldsecret", "newsecret")
+        change_password(user, "OldSecret1!", "NewSecret1!")

        user.refresh_from_db()
-        self.assertTrue(user.check_password("newsecret"))
+        self.assertTrue(user.check_password("NewSecret1!"))
        self.assertIsNotNone(user.password_updated_at)

+    @patch("apps.users.services.auth.get_redis_connection")
+    def test_reset_password_with_otp_rejects_reused_password(self, get_redis_connection):
+        User.objects.create_user(mobile="09120000070", password="OldSecret1!")
+        fake_redis = FakeRedisConnection()
+        fake_redis.setex("verification_code:09120000070", 120, "12345")
+        get_redis_connection.return_value = fake_redis
+
+        with self.assertRaises(ValidationError):
+            reset_password_with_otp("09120000070", "12345", "OldSecret1!")
+
+    def test_change_password_rejects_weak_password(self):
+        user = User.objects.create_user(mobile="09120000071", password="OldSecret1!")
+
+        with self.assertRaises(ValidationError):
+            change_password(user, "OldSecret1!", "weakpass")
+
    def test_logout_user_blacklists_refresh_token(self):
        user = User.objects.create_user(mobile="09120000009", password="secret123")
        refresh = str(RefreshToken.for_user(user))