Add admin login API and remove hardcoded secrets
- Add token-based admin login/logout/me endpoints - Bootstrap admin from ADMIN_USERNAME/ADMIN_PASSWORD in Docker entrypoint - Read ALLOWED_HOSTS and CORS from env only (no hardcoded server IPs) - Keep docs/Postman/tests free of real credentials - Cover login and auth flows with 31 local API tests Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -1,7 +1,34 @@
|
||||
from rest_framework import serializers
|
||||
from django.contrib.auth import authenticate
|
||||
from .models import ContactUs, Composition, Campaign, CompositionImage
|
||||
|
||||
|
||||
class AdminLoginSerializer(serializers.Serializer):
|
||||
"""Serializer for admin username/password login."""
|
||||
username = serializers.CharField(required=True)
|
||||
password = serializers.CharField(required=True, write_only=True)
|
||||
|
||||
def validate(self, data):
|
||||
username = data.get('username', '').strip()
|
||||
password = data.get('password', '')
|
||||
|
||||
if not username or not password:
|
||||
raise serializers.ValidationError('Username and password are required.')
|
||||
|
||||
user = authenticate(username=username, password=password)
|
||||
if user is None:
|
||||
raise serializers.ValidationError('Invalid username or password.')
|
||||
if not user.is_active:
|
||||
raise serializers.ValidationError('This account is disabled.')
|
||||
if not (user.is_staff or user.is_superuser):
|
||||
raise serializers.ValidationError(
|
||||
'This account does not have admin access.'
|
||||
)
|
||||
|
||||
data['user'] = user
|
||||
return data
|
||||
|
||||
|
||||
class ContactUsSerializer(serializers.ModelSerializer):
|
||||
"""
|
||||
Serializer for ContactUs model.
|
||||
|
||||
Reference in New Issue
Block a user