From 904acf415f9ddb82dc01080358e70161942bc299 Mon Sep 17 00:00:00 2001
From: mortezaei
Date: Tue, 23 Sep 2025 13:07:07 +0330
Subject: [PATCH] feat(account): enhance user update and verification logic

- Updated UserProfileSerializer to handle password updates securely by hashing new passwords.
- Modified UserVerifyView to improve user creation and account takeover logic, ensuring unusable passwords are set for new and converted guest accounts.
---
 apps/account/serializers/user.py |  8 ++++++++
 apps/account/views/user.py       | 11 +++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/apps/account/serializers/user.py b/apps/account/serializers/user.py
index df34944..82adfc3 100644
--- a/apps/account/serializers/user.py
+++ b/apps/account/serializers/user.py
@@ -32,10 +32,18 @@ class UserProfileSerializer(serializers.ModelSerializer):
         # return value
 
     def update(self, instance, validated_data):
+        # Pop the password from the data to handle it separately
+        password = validated_data.pop('password', None)
+
+        # Use the default update logic for all other fields
         for attr, value in validated_data.items():
             if value is not None:
                 setattr(instance, attr, value)
 
+        # If a new password was provided, hash and set it correctly
+        if password:
+            instance.set_password(password)
+
         instance.save()
         return instance
 
diff --git a/apps/account/views/user.py b/apps/account/views/user.py
index cf17cb0..b9b6a08 100644
--- a/apps/account/views/user.py
+++ b/apps/account/views/user.py
@@ -202,7 +202,7 @@ class UserVerifyView(CreateAPIView):
         device_id = kwargs.get('device_id')
         user = User.objects.filter(email=email).first()
         if user:
-            if kwargs['password']:
+            if kwargs.get('password'):
                 user.is_active = True
                 user.deletion_date = None
                 if device_id:
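Review bot: The new password branch in `update` hashes the value but never runs it through the project's password validators, so a profile update can set a one-character password even though registration presumably enforces `AUTH_PASSWORD_VALIDATORS`; wrap `instance.set_password(password)` with `validate_password(password, user=instance)` (from `django.contrib.auth.password_validation`) and convert `django.core.exceptions.ValidationError` into a `serializers.ValidationError` keyed on `password`. Changing a password through a generic profile endpoint also deserves proof that the caller knows the current password or recently re-authenticated, otherwise a leaked session token becomes a permanent takeover; that check is not visible in this hunk, so confirm it exists in the view or a `validate()` method. The field declaration is outside the hunk; make sure `password` is declared `write_only=True` so the hash is never serialized back. `if password:` deliberately treats `''` as "no change", which is worth stating: `# None/'' means the client did not request a password change`.
```python
        # If a new password was provided, hash and set it correctly
        if password:
            # Enforce AUTH_PASSWORD_VALIDATORS; a profile update must not bypass
            # the strength rules applied at registration
            try:
                validate_password(password, user=instance)
            except DjangoValidationError as exc:
                raise serializers.ValidationError({'password': exc.messages})
            instance.set_password(password)
        # … unchanged: instance.save() / return instance …
```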
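Review bot: Switching to `kwargs.get('password')` stops a request without a password from raising `KeyError`, but the branch it guards is security-sensitive — it sets `is_active = True` and clears `deletion_date` on whichever existing user matches `email`, i.e. it resurrects a deactivated or soft-deleted account — and the no-password path now falls through silently to whatever follows instead of failing loudly. If reactivation is intended, it must depend on the verification step having proven control of `email` (the hunk shows the lookup but not where `email` and `kwargs` originate, so confirm they come from the verified code rather than the raw request body) and should be recorded as an account state change through the module logger, e.g. `logger.info("reactivating user %s via email verification", user.pk)`. Consider resolving the user with `User.objects.filter(email__iexact=email).first()` so that `User@x.com` and `user@x.com` cannot resolve to different accounts. The enclosing method starts and ends outside the hunk.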
@@ -217,10 +217,17 @@ class UserVerifyView(CreateAPIView):
                 user = None
         if not user:
+            # Create the user from the verified data
             user = User.objects.create(**kwargs)
+            # Set a non-functional password to prevent authentication errors
+            user.set_unusable_password()
+            user.save()
         else:
+            # Taking over a guest account
             user.email = email
-            user.fullname = kwargs['fullname']
+            user.fullname = kwargs.get('fullname')
+            # Also set unusable password for converted guest accounts
+            user.set_unusable_password()
         if device_id:
             user.device_id = device_id