feat: Implement email change cancellation, location search, and admin anomaly detection endpoints.

backend/apps/api/v1/accounts/urls.py

@@ -112,6 +112,8 @@ urlpatterns = [
     path("profile/avatar/delete/", views.delete_avatar, name="delete_avatar"),
     # Login history endpoint
     path("login-history/", views.get_login_history, name="get_login_history"),
+    # Email change cancellation endpoint
+    path("email-change/cancel/", views.cancel_email_change, name="cancel_email_change"),
     # Magic Link (Login by Code) endpoints
     path("magic-link/request/", views_magic_link.request_magic_link, name="request_magic_link"),
     path("magic-link/verify/", views_magic_link.verify_magic_link, name="verify_magic_link"),

backend/apps/api/v1/accounts/views.py

@@ -1640,3 +1640,95 @@ def get_login_history(request):
             "count": len(results),
         }
     )
+
+
+@extend_schema(
+    operation_id="cancel_email_change",
+    summary="Cancel pending email change",
+    description=(
+        "Cancel a pending email change request. This will clear the new_email field "
+        "and prevent the email change from being completed."
+    ),
+    responses={
+        200: {
+            "description": "Email change cancelled or no pending change found",
+            "example": {
+                "detail": "Email change cancelled",
+                "had_pending_change": True,
+                "cancelled_email": "newemail@example.com",
+            },
+        },
+        401: {
+            "description": "Authentication required",
+            "example": {"detail": "Authentication required"},
+        },
+    },
+    tags=["Account Management"],
+)
+@api_view(["POST"])
+@permission_classes([IsAuthenticated])
+def cancel_email_change(request):
+    """
+    Cancel a pending email change request.
+
+    This endpoint allows users to cancel their pending email change
+    if they change their mind before completing the verification.
+
+    **Authentication Required**: User must be logged in.
+    """
+    try:
+        user = request.user
+
+        # Check if user has a pending email change
+        pending_email = user.pending_email
+
+        if pending_email:
+            # Clear the pending email
+            user.pending_email = None
+            user.save(update_fields=["pending_email"])
+
+            logger.info(
+                f"User {user.username} cancelled email change to {pending_email}",
+                extra={
+                    "user": user.username,
+                    "user_id": user.user_id,
+                    "cancelled_email": pending_email,
+                    "action": "email_change_cancelled",
+                },
+            )
+
+            return Response(
+                {
+                    "success": True,
+                    "detail": "Email change cancelled",
+                    "had_pending_change": True,
+                    "cancelled_email": pending_email,
+                },
+                status=status.HTTP_200_OK,
+            )
+
+        # No pending change, but still success (idempotent)
+        return Response(
+            {
+                "success": True,
+                "detail": "No pending email change found",
+                "had_pending_change": False,
+                "cancelled_email": None,
+            },
+            status=status.HTTP_200_OK,
+        )
+
+    except Exception as e:
+        capture_and_log(
+            e,
+            f"Cancel email change for user {request.user.username}",
+            source="api",
+            request=request,
+        )
+        return Response(
+            {
+                "success": False,
+                "error": f"Error cancelling email change: {str(e)}",
+            },
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )