feat: Implement passkey authentication, account management features, and a dedicated MFA login verification flow.

backend/apps/api/v1/auth/serializers.py

@@ -105,19 +105,36 @@ class UserOutputSerializer(serializers.ModelSerializer):
 
 
 class LoginInputSerializer(serializers.Serializer):
-    """Input serializer for user login."""
+    """Input serializer for user login.
+    
+    Accepts either 'email' or 'username' field for backward compatibility.
+    The view will use whichever is provided.
+    """
 
-    username = serializers.CharField(max_length=254, help_text="Username or email address")
+    # Accept both email and username - frontend sends "email", but we also support "username"
+    email = serializers.CharField(max_length=254, required=False, help_text="Email address")
+    username = serializers.CharField(max_length=254, required=False, help_text="Username (alternative to email)")
     password = serializers.CharField(max_length=128, style={"input_type": "password"}, trim_whitespace=False)
 
     def validate(self, attrs):
+        email = attrs.get("email")
         username = attrs.get("username")
         password = attrs.get("password")
 
-        if username and password:
-            return attrs
+        # Use email if provided, fallback to username
+        identifier = email or username
+        
+        if not identifier:
+            raise serializers.ValidationError("Either email or username is required.")
+        
+        if not password:
+            raise serializers.ValidationError("Password is required.")
+        
+        # Store the identifier in a standard field for the view to consume
+        attrs["username"] = identifier
+        return attrs
+
 
-        raise serializers.ValidationError("Must include username/email and password.")
 
 
 class LoginOutputSerializer(serializers.Serializer):
@@ -129,6 +146,53 @@ class LoginOutputSerializer(serializers.Serializer):
     message = serializers.CharField()
 
 
+class MFARequiredOutputSerializer(serializers.Serializer):
+    """Output serializer when MFA verification is required after password auth."""
+
+    mfa_required = serializers.BooleanField(default=True)
+    mfa_token = serializers.CharField(help_text="Temporary token for MFA verification")
+    mfa_types = serializers.ListField(
+        child=serializers.CharField(),
+        help_text="Available MFA types: 'totp', 'webauthn'",
+    )
+    user_id = serializers.IntegerField(help_text="User ID for reference")
+    message = serializers.CharField(default="MFA verification required")
+
+
+class MFALoginVerifyInputSerializer(serializers.Serializer):
+    """Input serializer for MFA login verification."""
+
+    mfa_token = serializers.CharField(help_text="Temporary MFA token from login response")
+    code = serializers.CharField(
+        max_length=6,
+        min_length=6,
+        required=False,
+        help_text="6-digit TOTP code from authenticator app",
+    )
+    # For passkey/webauthn - credential will be a complex object
+    credential = serializers.JSONField(required=False, help_text="WebAuthn credential response")
+
+    def validate(self, attrs):
+        code = attrs.get("code")
+        credential = attrs.get("credential")
+
+        if not code and not credential:
+            raise serializers.ValidationError(
+                "Either 'code' (TOTP) or 'credential' (passkey) is required."
+            )
+
+        return attrs
+
+
+class MFALoginVerifyOutputSerializer(serializers.Serializer):
+    """Output serializer for successful MFA verification."""
+
+    access = serializers.CharField()
+    refresh = serializers.CharField()
+    user = UserOutputSerializer()
+    message = serializers.CharField(default="Login successful")
+
+
 class SignupInputSerializer(serializers.ModelSerializer):
     """Input serializer for user registration."""