Add admin login API and remove hardcoded secrets

- Add token-based admin login/logout/me endpoints
- Bootstrap admin from ADMIN_USERNAME/ADMIN_PASSWORD in Docker entrypoint
- Read ALLOWED_HOSTS and CORS from env only (no hardcoded server IPs)
- Keep docs/Postman/tests free of real credentials
- Cover login and auth flows with 31 local API tests

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Shayan Azadi
2026-07-16 17:29:47 +03:30
parent 7e71d922d3
commit 50c9cf613f
13 changed files with 791 additions and 141 deletions

View File

@@ -1,7 +1,34 @@
from rest_framework import serializers
from django.contrib.auth import authenticate
from .models import ContactUs, Composition, Campaign, CompositionImage
class AdminLoginSerializer(serializers.Serializer):
"""Serializer for admin username/password login."""
username = serializers.CharField(required=True)
password = serializers.CharField(required=True, write_only=True)
def validate(self, data):
username = data.get('username', '').strip()
password = data.get('password', '')
if not username or not password:
raise serializers.ValidationError('Username and password are required.')
user = authenticate(username=username, password=password)
if user is None:
raise serializers.ValidationError('Invalid username or password.')
if not user.is_active:
raise serializers.ValidationError('This account is disabled.')
if not (user.is_staff or user.is_superuser):
raise serializers.ValidationError(
'This account does not have admin access.'
)
data['user'] = user
return data
class ContactUsSerializer(serializers.ModelSerializer):
"""
Serializer for ContactUs model.