`accounts` app

User accounts, password management, email verification, and GDPR-compliant data export / account deletion.

Models (4)

User — extended Django user with UUID PK, email-as-username, encrypted phone
UserEmail — secondary verified emails for one user; SSO uses these for matching
UserConsent — captures consent template acceptances (privacy / terms / marketing / analytics)
DataExport — async data-export job state (status, S3 URL, expires_at)

URL	Purpose
`POST /api/auth/register/`	Self-signup with email + password
`POST /api/auth/login/`	Email + password → sets JWT cookies
`POST /api/auth/logout/`	Clears cookies, blacklists refresh token
`GET /api/auth/me/`	Current user profile
`PATCH /api/auth/me/`	Update first/last name, phone
`POST /api/auth/me/password/`	Change password
`POST /api/auth/me/emails/add/`	Add a secondary email
`POST /api/auth/me/emails/verify/`	Verify a secondary email via token
`POST /api/auth/password-reset/request/`	Request reset email
`POST /api/auth/password-reset/confirm/`	Submit new password with token
`POST /api/auth/me/export/`	Trigger GDPR data export (Celery → S3)
`POST /api/auth/me/delete/`	Request account deletion (30-day grace period)
`POST /api/auth/admin/password-reset/`	Admin-initiated password reset (org admin only)

send_email_verification(user_email_id) — sends verification email
send_temporary_password_notification(user_id, temp_password) — admin reset flow
export_user_data(data_export_id) — bundles all user data, gzips, uploads to S3, generates presigned URL valid for 7 days

POST /api/auth/me/delete/ doesn't immediately delete. It:

Cancelling: signing in within 30 days clears deletion_requested_at.

Production uses Django's default PBKDF2 with 870K iterations. Tests override to MD5 via PASSWORD_HASHERS to keep tests fast.

Endpoint	Throttle
`register/`	`account_request` (3/hour prod)
`login/`, `logout/`	`auth` (10/min prod)
`password-reset/request/`	`password_reset` (5/hour prod)
`admin/password-reset/`	`admin_password_reset_target` (10/hour prod)