doc: third-party auth

Eurock

.gitignore

@@ -24,6 +24,9 @@ node_modules/
 # compiled documentation
 site/
 
+# rollup-bundle-visualizer report
+.bundle-size-report.html
+
 ### Redis ###
 
 # Ignore redis binary dump (dump.rdb) files

api/admin.py

@@ -17,6 +17,15 @@ class ApiClientAdmin(admin.ModelAdmin):
         "owner__nick_name",
     )
     autocomplete_fields = ("owner", "groups", "client_permissions")
+    readonly_fields = ("hmac_key",)
+    actions = ("reset_hmac_key",)
+
+    @admin.action(permissions=["change"], description=_("Reset HMAC key"))
+    def reset_hmac_key(self, _request: HttpRequest, queryset: QuerySet[ApiClient]):
+        objs = list(queryset)
+        for obj in objs:
+            obj.reset_hmac(commit=False)
+        ApiClient.objects.bulk_update(objs, fields=["hmac_key"])
 
 
 @admin.register(ApiKey)

api/api.py

@@ -0,0 +1,16 @@
+from ninja_extra import ControllerBase, api_controller, route
+
+from api.auth import ApiKeyAuth
+from api.schemas import ApiClientSchema
+
+
+@api_controller("/client")
+class ApiClientController(ControllerBase):
+    @route.get(
+        "/me",
+        auth=[ApiKeyAuth()],
+        response=ApiClientSchema,
+        url_name="api-client-infos",
+    )
+    def get_client_info(self):
+        return self.context.request.auth

api/forms.py

@@ -0,0 +1,35 @@
+from django import forms
+from django.forms import HiddenInput
+from django.utils.translation import gettext_lazy as _
+
+
+class ThirdPartyAuthForm(forms.Form):
+    """Form to complete to authenticate on the sith from a third-party app.
+
+    For the form to be valid, the user approve the EULA (french: CGU)
+    and give its username from the third-party app.
+    """
+
+    cgu_accepted = forms.BooleanField(
+        required=True,
+        label=_("I have read and I accept the terms and conditions of use"),
+        error_messages={
+            "required": _("You must approve the terms and conditions of use.")
+        },
+    )
+    is_username_valid = forms.BooleanField(
+        required=True,
+        error_messages={"required": _("You must confirm that this is your username.")},
+    )
+    client_id = forms.IntegerField(widget=HiddenInput())
+    third_party_app = forms.CharField(widget=HiddenInput())
+    privacy_link = forms.URLField(widget=HiddenInput())
+    username = forms.CharField(widget=HiddenInput())
+    callback_url = forms.URLField(widget=HiddenInput())
+    signature = forms.CharField(widget=HiddenInput())
+
+    def __init__(self, *args, label_suffix: str = "", initial, **kwargs):
+        super().__init__(*args, label_suffix=label_suffix, initial=initial, **kwargs)
+        self.fields["is_username_valid"].label = _(
+            "I confirm that %(username)s is my username on %(app)s"
+        ) % {"username": initial.get("username"), "app": initial.get("third_party_app")}

api/migrations/0002_apiclient_hmac_key.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.3 on 2025-10-26 10:15
+
+from django.db import migrations, models
+
+import api.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("api", "0001_initial")]
+
+    operations = [
+        migrations.AddField(
+            model_name="apiclient",
+            name="hmac_key",
+            field=models.CharField(
+                default=api.models.get_hmac_key, max_length=128, verbose_name="HMAC Key"
+            ),
+        ),
+    ]

api/models.py

@@ -1,13 +1,20 @@
+import secrets
 from typing import Iterable
 
 from django.contrib.auth.models import Permission
 from django.db import models
+from django.db.models import Q
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 from django.utils.translation import pgettext_lazy
 
 from core.models import Group, User
 
 
+def get_hmac_key():
+    return secrets.token_hex(64)
+
+
 class ApiClient(models.Model):
     name = models.CharField(_("name"), max_length=64)
     owner = models.ForeignKey(
@@ -26,11 +33,10 @@ class ApiClient(models.Model):
         help_text=_("Specific permissions for this api client."),
         related_name="clients",
     )
+    hmac_key = models.CharField(_("HMAC Key"), max_length=128, default=get_hmac_key)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
-    _perm_cache: set[str] | None = None
-
     class Meta:
         verbose_name = _("api client")
         verbose_name_plural = _("api clients")
@@ -38,33 +44,38 @@ class ApiClient(models.Model):
     def __str__(self):
         return self.name
 
+    @cached_property
+    def all_permissions(self) -> set[str]:
+        permissions = (
+            Permission.objects.filter(
+                Q(group__group__in=self.groups.all()) | Q(clients=self)
+            )
+            .values_list("content_type__app_label", "codename")
+            .order_by()
+        )
+        return {f"{content_type}.{name}" for content_type, name in permissions}
+
     def has_perm(self, perm: str):
         """Return True if the client has the specified permission."""
+        return perm in self.all_permissions
 
-        if self._perm_cache is None:
+    def has_perms(self, perm_list: Iterable[str]) -> bool:
-            group_permissions = (
+        """Return True if the client has each of the specified permissions."""
-                Permission.objects.filter(group__group__in=self.groups.all())
-                .values_list("content_type__app_label", "codename")
-                .order_by()
-            )
-            client_permissions = self.client_permissions.values_list(
-                "content_type__app_label", "codename"
-            ).order_by()
-            self._perm_cache = {
-                f"{content_type}.{name}"
-                for content_type, name in (*group_permissions, *client_permissions)
-            }
-        return perm in self._perm_cache
-
-    def has_perms(self, perm_list):
-        """
-        Return True if the client has each of the specified permissions. If
-        object is passed, check if the client has all required perms for it.
-        """
         if not isinstance(perm_list, Iterable) or isinstance(perm_list, str):
             raise ValueError("perm_list must be an iterable of permissions.")
         return all(self.has_perm(perm) for perm in perm_list)
 
+    def reset_hmac(self, *, commit: bool = True) -> str:
+        """Reset and return the HMAC key for this client.
+
+        Args:
+            commit: if True (the default), persist the new hmac in db.
+        """
+        self.hmac_key = get_hmac_key()
+        if commit:
+            self.save()
+        return self.hmac_key
+
 
 class ApiKey(models.Model):
     PREFIX_LENGTH = 5

api/schemas.py

@@ -0,0 +1,23 @@
+from ninja import ModelSchema, Schema
+from pydantic import Field, HttpUrl
+
+from api.models import ApiClient
+from core.schemas import SimpleUserSchema
+
+
+class ApiClientSchema(ModelSchema):
+    class Meta:
+        model = ApiClient
+        fields = ["id", "name"]
+
+    owner: SimpleUserSchema
+    permissions: list[str] = Field(alias="all_permissions")
+
+
+class ThirdPartyAuthParamsSchema(Schema):
+    client_id: int
+    third_party_app: str
+    privacy_link: HttpUrl
+    username: str
+    callback_url: HttpUrl
+    signature: str

api/templates/api/third_party/auth.jinja

@@ -0,0 +1,32 @@
+{% extends "core/base.jinja" %}
+
+{% block content %}
+  <form method="post">
+    {% csrf_token %}
+    <h3>{% trans %}Confidentiality{% endtrans %}</h3>
+    <p>
+      {% trans trimmed app=third_party_app %}
+        By ticking this box and clicking on the send button, you
+        acknowledge and agree to provide {{ app }} with your
+        first name, last name, nickname and any other information
+        that was the third party app was explicitly authorized to fetch
+        and that it must have acknowledged to you, in a complete and accurate manner.
+      {% endtrans %}
+    </p>
+    <p class="margin-bottom">
+      {% trans trimmed app=third_party_app, privacy_link=third_party_cgu, sith_cgu_link=sith_cgu %}
+        The privacy policies of <a href="{{ privacy_link }}">{{ app }}</a>
+        and of <a href="{{ sith_cgu_link }}">the Students' Association</a>
+        applies as soon as the form is submitted.
+      {% endtrans %}
+    </p>
+    <div class="row">{{ form.cgu_accepted }} {{ form.cgu_accepted.label_tag() }}</div>
+    <br>
+    <h3 class="margin-bottom">{% trans %}Confirmation of identity{% endtrans %}</h3>
+    <div class="row margin-bottom">
+      {{ form.is_username_valid }} {{ form.is_username_valid.label_tag() }}
+    </div>
+    {% for field in form.hidden_fields() %}{{ field }}{% endfor %}
+    <input type="submit" class="btn btn-blue">
+  </form>
+{% endblock %}

api/tests/test_admin.py

@@ -0,0 +1,24 @@
+import pytest
+from django.contrib.admin import AdminSite
+from django.http import HttpRequest
+from model_bakery import baker
+from pytest_django.asserts import assertNumQueries
+
+from api.admin import ApiClientAdmin
+from api.models import ApiClient
+
+
+@pytest.mark.django_db
+def test_reset_hmac_action():
+    client_admin = ApiClientAdmin(ApiClient, AdminSite())
+    api_clients = baker.make(ApiClient, _quantity=4, _bulk_create=True)
+    old_hmac_keys = [c.hmac_key for c in api_clients]
+    with assertNumQueries(2):
+        qs = ApiClient.objects.filter(id__in=[c.id for c in api_clients[2:4]])
+        client_admin.reset_hmac_key(HttpRequest(), qs)
+    for c in api_clients:
+        c.refresh_from_db()
+    assert api_clients[0].hmac_key == old_hmac_keys[0]
+    assert api_clients[1].hmac_key == old_hmac_keys[1]
+    assert api_clients[2].hmac_key != old_hmac_keys[2]
+    assert api_clients[3].hmac_key != old_hmac_keys[3]

api/tests/test_api_client_controller.py

@@ -0,0 +1,18 @@
+import pytest
+from django.test import Client
+from django.urls import reverse
+from model_bakery import baker
+
+from api.hashers import generate_key
+from api.models import ApiClient, ApiKey
+from api.schemas import ApiClientSchema
+
+
+@pytest.mark.django_db
+def test_api_client_controller(client: Client):
+    key, hashed = generate_key()
+    api_client = baker.make(ApiClient)
+    baker.make(ApiKey, client=api_client, hashed_key=hashed)
+    res = client.get(reverse("api:api-client-infos"), headers={"X-APIKey": key})
+    assert res.status_code == 200
+    assert res.json() == ApiClientSchema.from_orm(api_client).model_dump()

api/tests/test_client.py

@@ -0,0 +1,59 @@
+import pytest
+from django.contrib.auth.models import Permission
+from django.test import TestCase
+from model_bakery import baker
+
+from api.models import ApiClient
+from core.models import Group
+
+
+class TestClientPermissions(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.api_client = baker.make(ApiClient)
+        cls.perms = baker.make(Permission, _quantity=10, _bulk_create=True)
+        cls.api_client.groups.set(
+            [
+                baker.make(Group, permissions=cls.perms[0:3]),
+                baker.make(Group, permissions=cls.perms[3:5]),
+            ]
+        )
+        cls.api_client.client_permissions.set(
+            [cls.perms[3], cls.perms[5], cls.perms[6], cls.perms[7]]
+        )
+
+    def test_all_permissions(self):
+        assert self.api_client.all_permissions == {
+            f"{p.content_type.app_label}.{p.codename}" for p in self.perms[0:8]
+        }
+
+    def test_has_perm(self):
+        assert self.api_client.has_perm(
+            f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}"
+        )
+        assert not self.api_client.has_perm(
+            f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}"
+        )
+
+    def test_has_perms(self):
+        assert self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[2].content_type.app_label}.{self.perms[2].codename}",
+            ]
+        )
+        assert not self.api_client.has_perms(
+            [
+                f"{self.perms[1].content_type.app_label}.{self.perms[1].codename}",
+                f"{self.perms[9].content_type.app_label}.{self.perms[9].codename}",
+            ],
+        )
+
+
+@pytest.mark.django_db
+def test_reset_hmac_key():
+    client = baker.make(ApiClient)
+    original_key = client.hmac_key
+    client.reset_hmac(commit=True)
+    assert len(client.hmac_key) == len(original_key)
+    assert client.hmac_key != original_key

api/tests/test_third_party_auth.py

@@ -0,0 +1,114 @@
+from unittest import mock
+from unittest.mock import Mock
+
+from django.db.models import Max
+from django.test import TestCase
+from django.urls import reverse
+from model_bakery import baker
+from pytest_django.asserts import assertRedirects
+
+from api.models import ApiClient, get_hmac_key
+from core.baker_recipes import subscriber_user
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+def mocked_post(*, ok: bool):
+    class MockedResponse(Mock):
+        @property
+        def ok(self):
+            return ok
+
+    def mocked():
+        return MockedResponse()
+
+    return mocked
+
+
+class TestThirdPartyAuth(TestCase):
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = subscriber_user.make()
+        cls.api_client = baker.make(ApiClient)
+
+    def setUp(self):
+        self.query = {
+            "client_id": self.api_client.id,
+            "third_party_app": "app",
+            "privacy_link": "https://foobar.fr/",
+            "username": "bibou",
+            "callback_url": "https://callback.fr/",
+        }
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        self.callback_data = {
+            "user": UserProfileSchema.from_orm(self.user).model_dump()
+        }
+        self.callback_data["signature"] = hmac_hexdigest(
+            self.api_client.hmac_key, self.callback_data["user"]
+        )
+
+    def test_auth_ok(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        with mock.patch("requests.post", new_callable=mocked_post(ok=True)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "success"}),
+        )
+
+    def test_callback_error(self):
+        """Test that the user see the failure page if the callback request failed."""
+        self.client.force_login(self.user)
+        with mock.patch("requests.post", new_callable=mocked_post(ok=False)) as mocked:
+            res = self.client.post(
+                reverse("api-link:third-party-auth"),
+                data={"cgu_accepted": True, "is_username_valid": True, **self.query},
+            )
+            mocked.assert_called_once_with(
+                self.query["callback_url"], json=self.callback_data
+            )
+        assertRedirects(
+            res,
+            reverse("api-link:third-party-auth-result", kwargs={"result": "failure"}),
+        )
+
+    def test_wrong_signature(self):
+        """Test that a 403 is raised if the signature of the query is wrong."""
+        self.client.force_login(subscriber_user.make())
+        new_key = get_hmac_key()
+        del self.query["signature"]
+        self.query["signature"] = hmac_hexdigest(new_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_cgu_not_accepted(self):
+        self.client.force_login(self.user)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 200
+        res = self.client.post(reverse("api-link:third-party-auth"), data=self.query)
+        assert res.status_code == 200  # no redirect means invalid form
+        res = self.client.post(
+            reverse("api-link:third-party-auth"),
+            data={"cgu_accepted": False, "is_username_valid": False, **self.query},
+        )
+        assert res.status_code == 200
+
+    def test_invalid_client(self):
+        self.query["client_id"] = ApiClient.objects.aggregate(res=Max("id"))["res"] + 1
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403
+
+    def test_missing_parameter(self):
+        """Test that a 403 is raised if there is a missing parameter."""
+        del self.query["username"]
+        self.query["signature"] = hmac_hexdigest(self.api_client.hmac_key, self.query)
+        res = self.client.get(reverse("api-link:third-party-auth", query=self.query))
+        assert res.status_code == 403

api/urls.py

@@ -1,6 +1,10 @@
+from django.urls import path, register_converter
 from ninja.security import SessionAuth
 from ninja_extra import NinjaExtraAPI
 
+from api.views import ThirdPartyAuthResultView, ThirdPartyAuthView
+from core.converters import ResultConverter
+
 api = NinjaExtraAPI(
     title="PICON",
     description="Portail Interactif de Communication avec les Outils Numériques",
@@ -9,3 +13,14 @@ api = NinjaExtraAPI(
     auth=[SessionAuth()],
 )
 api.auto_discover_controllers()
+
+register_converter(ResultConverter, "res")
+
+urlpatterns = [
+    path("auth/", ThirdPartyAuthView.as_view(), name="third-party-auth"),
+    path(
+        "auth/<res:result>/",
+        ThirdPartyAuthResultView.as_view(),
+        name="third-party-auth-result",
+    ),
+]

api/views.py

@@ -0,0 +1,119 @@
+import hmac
+from urllib.parse import unquote
+
+import pydantic
+import requests
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.urls import reverse, reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView, TemplateView
+from ninja_extra.shortcuts import get_object_or_none
+
+from api.forms import ThirdPartyAuthForm
+from api.models import ApiClient
+from api.schemas import ThirdPartyAuthParamsSchema
+from core.models import SithFile
+from core.schemas import UserProfileSchema
+from core.utils import hmac_hexdigest
+
+
+class ThirdPartyAuthView(LoginRequiredMixin, FormView):
+    form_class = ThirdPartyAuthForm
+    template_name = "api/third_party/auth.jinja"
+    success_url = reverse_lazy("core:index")
+
+    def parse_params(self) -> ThirdPartyAuthParamsSchema:
+        """Parse and check the authentication parameters.
+
+        Raises:
+            PermissionDenied: if the verification failed.
+        """
+        # This is here rather than in ThirdPartyAuthForm because
+        # the given parameters and their signature are checked during both
+        # POST (for obvious reasons) and GET (in order not to make
+        # the user fill a form just to get an error he won't understand)
+        params = self.request.GET or self.request.POST
+        params = {key: unquote(val) for key, val in params.items()}
+        try:
+            params = ThirdPartyAuthParamsSchema(**params)
+        except pydantic.ValidationError as e:
+            raise PermissionDenied("Wrong data format") from e
+        client: ApiClient = get_object_or_none(ApiClient, id=params.client_id)
+        if not client:
+            raise PermissionDenied
+        if not hmac.compare_digest(
+            hmac_hexdigest(client.hmac_key, params.model_dump(exclude={"signature"})),
+            params.signature,
+        ):
+            raise PermissionDenied("Bad signature")
+        return params
+
+    def dispatch(self, request, *args, **kwargs):
+        self.params = self.parse_params()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get(self, *args, **kwargs):
+        messages.warning(
+            self.request,
+            _(
+                "You are going to link your AE account and your %(app)s account. "
+                "Continue only if this page was opened from %(app)s."
+            )
+            % {"app": self.params.third_party_app},
+        )
+        return super().get(*args, **kwargs)
+
+    def get_initial(self):
+        return self.params.model_dump()
+
+    def form_valid(self, form):
+        client = ApiClient.objects.get(id=form.cleaned_data["client_id"])
+        user = UserProfileSchema.from_orm(self.request.user).model_dump()
+        data = {"user": user, "signature": hmac_hexdigest(client.hmac_key, user)}
+        response = requests.post(form.cleaned_data["callback_url"], json=data)
+        self.success_url = reverse(
+            "api-link:third-party-auth-result",
+            kwargs={"result": "success" if response.ok else "failure"},
+        )
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        return super().get_context_data(**kwargs) | {
+            "third_party_app": self.params.third_party_app,
+            "third_party_cgu": self.params.privacy_link,
+            "sith_cgu": SithFile.objects.get(id=settings.SITH_CGU_FILE_ID),
+        }
+
+
+class ThirdPartyAuthResultView(LoginRequiredMixin, TemplateView):
+    """View that the user will see if its authentication on sith was successful.
+
+    This can show either a success or a failure message :
+    - success : everything is good, the user is successfully authenticated
+      and can close the page
+    - failure : the authentication has been processed on the sith side,
+      but the request to the callback url received an error.
+      In such a case, there is nothing much we can do but to advice
+      the user to contact the developers of the third-party app.
+    """
+
+    template_name = "core/base.jinja"
+    success_message = _(
+        "You have been successfully authenticated. You can now close this page."
+    )
+    error_message = _(
+        "Your authentication on the AE website was successful, "
+        "but an error happened during the interaction "
+        "with the third-party application. "
+        "Please contact the managers of the latter."
+    )
+
+    def get(self, request, *args, **kwargs):
+        if self.kwargs.get("result") == "success":
+            messages.success(request, self.success_message)
+        else:
+            messages.error(request, self.error_message)
+        return super().get(request, *args, **kwargs)

biome.json

@@ -7,7 +7,7 @@
   },
   "files": {
     "ignoreUnknown": false,
-    "includes": ["**/static/**"]
+    "includes": ["**/static/**", "vite.config.mts"]
   },
   "formatter": {
     "enabled": true,

com/views.py

@@ -244,9 +244,8 @@ class NewsListView(TemplateView):
             .filter(
                 date_of_birth__month=localdate().month,
                 date_of_birth__day=localdate().day,
-                is_viewable=True,
+                role__in=["STUDENT", "FORMER STUDENT"],
             )
-            .filter(role__in=["STUDENT", "FORMER STUDENT"])
             .order_by("-date_of_birth"),
             key=lambda u: u.date_of_birth.year,
         )

core/admin.py

@@ -63,6 +63,7 @@ class UserAdmin(admin.ModelAdmin):
         "scrub_pict",
         "user_permissions",
         "groups",
+        "whitelisted_users",
     )
     inlines = (UserBanInline,)
     search_fields = ["first_name", "last_name", "username"]

core/converters.py

@@ -1,19 +1,16 @@
-class FourDigitYearConverter:
+from django.urls.converters import IntConverter, StringConverter
-    regex = "[0-9]{4}"
 
-    def to_python(self, value):
+
-        return int(value)
+class FourDigitYearConverter(IntConverter):
+    regex = "[0-9]{4}"
 
     def to_url(self, value):
         return str(value).zfill(4)
 
 
-class TwoDigitMonthConverter:
+class TwoDigitMonthConverter(IntConverter):
     regex = "[0-9]{2}"
 
-    def to_python(self, value):
-        return int(value)
-
     def to_url(self, value):
         return str(value).zfill(2)
 
@@ -28,3 +25,9 @@ class BooleanStringConverter:
 
     def to_url(self, value):
         return str(value)
+
+
+class ResultConverter(StringConverter):
+    """Converter whose regex match either "success" or "failure"."""
+
+    regex = "(success|failure)"

core/management/commands/populate.py

@@ -28,6 +28,7 @@ from typing import ClassVar, NamedTuple
 from django.conf import settings
 from django.contrib.auth.models import Permission
 from django.contrib.sites.models import Site
+from django.core.files.base import ContentFile
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django.db import connection
@@ -104,19 +105,31 @@ class Command(BaseCommand):
         )
         self.profiles_root = SithFile.objects.create(name="profiles", owner=root)
         home_root = SithFile.objects.create(name="users", owner=root)
+        club_root = SithFile.objects.create(name="clubs", owner=root)
+        sas = SithFile.objects.create(name="SAS", owner=root)
+        SithFile.objects.create(
+            name="CGU",
+            is_folder=False,
+            file=ContentFile(
+                content="Conditions générales d'utilisation", name="cgu.txt"
+            ),
+            owner=root,
+        )
 
         # Page needed for club creation
         p = Page(name=settings.SITH_CLUB_ROOT_PAGE)
         p.save(force_lock=True)
 
-        club_root = SithFile.objects.create(name="clubs", owner=root)
-        sas = SithFile.objects.create(name="SAS", owner=root)
         main_club = Club.objects.create(
             id=1, name="AE", address="6 Boulevard Anatole France, 90000 Belfort"
         )
         main_club.board_group.permissions.add(
             *Permission.objects.filter(
-                codename__in=["view_subscription", "add_subscription"]
+                codename__in=[
+                    "view_subscription",
+                    "add_subscription",
+                    "view_hidden_user",
+                ]
             )
         )
         bar_club = Club.objects.create(

core/management/commands/populate_more.py

@@ -1,3 +1,4 @@
+import math
 import random
 from datetime import date, timedelta
 from datetime import timezone as tz
@@ -34,12 +35,17 @@ class Command(BaseCommand):
         super().__init__(*args, **kwargs)
         self.faker = Faker("fr_FR")
 
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-n", "--nb-users", help="Number of users to create", type=int, default=600
+        )
+
     def handle(self, *args, **options):
         if not settings.DEBUG:
             raise Exception("Never call this command in prod. Never.")
 
         self.stdout.write("Creating users...")
-        users = self.create_users()
+        users = self.create_users(options["nb_users"])
         self.create_bans(random.sample(users, k=len(users) // 200))  # 0.5% of users
         subscribers = random.sample(users, k=int(0.8 * len(users)))
         self.stdout.write("Creating subscriptions...")
@@ -79,7 +85,7 @@ class Command(BaseCommand):
         self.stdout.write("Creating products...")
         self.create_products()
         self.stdout.write("Creating sales and refills...")
-        sellers = random.sample(list(User.objects.all()), 100)
+        sellers = random.sample(users, len(users) // 10)
         self.create_sales(sellers)
         self.stdout.write("Creating permanences...")
         self.create_permanences(sellers)
@@ -88,7 +94,7 @@ class Command(BaseCommand):
 
         self.stdout.write("Done")
 
-    def create_users(self) -> list[User]:
+    def create_users(self, nb_users: int = 600) -> list[User]:
         # Create a single password hash for all users to make it faster.
         # It's insecure as hell, but it's ok since it's only for dev purposes.
         password = make_password("plop")
@@ -107,7 +113,7 @@ class Command(BaseCommand):
                 address=self.faker.address(),
                 password=password,
             )
-            for _ in range(600)
+            for _ in range(nb_users)
         ]
         # there may a duplicate or two
         # Not a problem, we will just have 599 users instead of 600
@@ -410,8 +416,9 @@ class Command(BaseCommand):
         Permanency.objects.bulk_create(perms)
 
     def create_forums(self):
-        forumers = random.sample(list(User.objects.all()), 100)
+        users = list(User.objects.all())
-        most_actives = random.sample(forumers, 10)
+        forumers = random.sample(users, math.ceil(len(users) / 10))
+        most_actives = random.sample(forumers, math.ceil(len(forumers) / 6))
         categories = list(Forum.objects.filter(is_category=True))
         new_forums = [
             Forum(name=self.faker.text(20), parent=random.choice(categories))

core/migrations/0049_user_whitelisted_users.py

@@ -0,0 +1,37 @@
+# Generated by Django 5.2.12 on 2026-03-14 08:39
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [("core", "0048_alter_user_options")]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="whitelisted_users",
+            field=models.ManyToManyField(
+                blank=True,
+                help_text=(
+                    "Even if this profile is hidden, "
+                    "the users in this list will still be able to see it."
+                ),
+                related_name="visible_by_whitelist",
+                to=settings.AUTH_USER_MODEL,
+                verbose_name="whitelisted users",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="preferences",
+            name="show_my_stats",
+            field=models.BooleanField(
+                default=False,
+                help_text=(
+                    "Allow subscribers (or whitelisted users "
+                    "if your profile is hidden) to access your AE account stats."
+                ),
+                verbose_name="show your stats to others",
+            ),
+        ),
+    ]

core/models.py

@@ -131,7 +131,7 @@ class UserQuerySet(models.QuerySet):
         if user.has_perm("core.view_hidden_user"):
             return self
         if user.has_perm("core.view_user"):
-            return self.filter(is_viewable=True)
+            return self.filter(Q(is_viewable=True) | Q(whitelisted_users=user))
         if user.is_anonymous:
             return self.none()
         return self.filter(id=user.id)
@@ -279,6 +279,16 @@ class User(AbstractUser):
         ),
         default=True,
     )
+    whitelisted_users = models.ManyToManyField(
+        "User",
+        related_name="visible_by_whitelist",
+        verbose_name=_("whitelisted users"),
+        help_text=_(
+            "Even if this profile is hidden, "
+            "the users in this list will still be able to see it."
+        ),
+        blank=True,
+    )
     godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)
 
     objects = CustomUserManager()
@@ -518,7 +528,7 @@ class User(AbstractUser):
         self.username = user_name
         return user_name
 
-    def is_owner(self, obj):
+    def is_owner(self, obj: models.Model):
         """Determine if the object is owned by the user."""
         if hasattr(obj, "is_owned_by") and obj.is_owned_by(self):
             return True
@@ -526,7 +536,7 @@ class User(AbstractUser):
             return True
         return self.is_root
 
-    def can_edit(self, obj):
+    def can_edit(self, obj: models.Model):
         """Determine if the object can be edited by the user."""
         if hasattr(obj, "can_be_edited_by") and obj.can_be_edited_by(self):
             return True
@@ -540,11 +550,9 @@ class User(AbstractUser):
                 pks = list(obj.edit_groups.values_list("id", flat=True))
             if any(self.is_in_group(pk=pk) for pk in pks):
                 return True
-        if isinstance(obj, User) and obj == self:
-            return True
         return self.is_owner(obj)
 
-    def can_view(self, obj):
+    def can_view(self, obj: models.Model):
         """Determine if the object can be viewed by the user."""
         if hasattr(obj, "can_be_viewed_by") and obj.can_be_viewed_by(self):
             return True
@@ -563,14 +571,35 @@ class User(AbstractUser):
                 return True
         return self.can_edit(obj)
 
-    def can_be_edited_by(self, user):
+    def can_be_edited_by(self, user: User):
-        return user.is_root or user.is_board_member
+        return user == self or user.is_root or user.is_board_member
 
     def can_be_viewed_by(self, user: User) -> bool:
+        """Check if the given user can be viewed by this user.
+
+        Given users A and B. A can be viewed by B if :
+
+        - A and B are the same user
+        - or B has the permission to view hidden users
+        - or B can view users in general and A didn't hide its profile
+        - or B is in A's whitelist.
+        """
+
+        def is_in_whitelist(u: User):
+            if (
+                hasattr(self, "_prefetched_objects_cache")
+                and "whitelisted_users" in self._prefetched_objects_cache
+            ):
+                return u in self.whitelisted_users.all()
+            return self.whitelisted_users.contains(u)
+
         return (
             user.id == self.id
             or user.has_perm("core.view_hidden_user")
-            or (user.has_perm("core.view_user") and self.is_viewable)
+            or (
+                user.has_perm("core.view_user")
+                and (self.is_viewable or is_in_whitelist(user))
+            )
         )
 
     def get_mini_item(self):
@@ -750,7 +779,14 @@ class Preferences(models.Model):
         User, related_name="_preferences", on_delete=models.CASCADE
     )
     receive_weekmail = models.BooleanField(_("receive the Weekmail"), default=False)
-    show_my_stats = models.BooleanField(_("show your stats to others"), default=False)
+    show_my_stats = models.BooleanField(
+        _("show your stats to others"),
+        help_text=_(
+            "Allow subscribers (or whitelisted users "
+            "if your profile is hidden) to access your AE account stats."
+        ),
+        default=False,
+    )
     notify_on_click = models.BooleanField(
         _("get a notification for every click"), default=False
     )

core/static/bundled/core/components/nfc-input-index.ts

@@ -26,7 +26,6 @@ export class NfcInput extends inheritHtmlElement("input") {
         window.alert(gettext("Unsupported NFC card"));
       });
 
-      // biome-ignore lint/correctness/noUndeclaredVariables: browser API
       ndef.addEventListener("reading", (event: NDEFReadingEvent) => {
         this.removeAttribute("scan");
         this.node.value = event.serialNumber.replace(/:/g, "").toUpperCase();

core/static/core/forms.scss

@@ -141,7 +141,6 @@ form {
   display: block;
   margin: calc(var(--nf-input-size) * 1.5) auto 10px;
   line-height: 1;
-  white-space: nowrap;
 
   .fields-centered {
     padding: 10px 10px 0;
@@ -157,6 +156,7 @@ form {
     margin-bottom: .25rem;
     font-size: 80%;
     display: block;
+    max-width: calc(100% - calc(var(--nf-input-size) * 2))
   }
 
   fieldset {

core/static/user/user_edit.scss

@@ -5,17 +5,6 @@
 }
 
 .profile {
-  &-visible {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    gap: 5px;
-    padding-top: 10px;
-    input[type="checkbox"]+label {
-      max-width: unset;
-    }
-  }
-
   &-pictures {
     box-sizing: border-box;
     display: flex;

core/static/user/user_preferences.scss

@@ -19,28 +19,6 @@
       }
     }
   }
-
-  &-cards,
-  &-trombi {
-    >p {
-      display: flex;
-      flex-direction: column;
-      align-items: flex-start;
-      text-align: justify;
-      gap: 5px;
-      margin: 0;
-
-      >input,
-      >select {
-        min-width: 300px;
-      }
-    }
-  }
-
-  &-submit-btn {
-    margin-top: 10px !important;
-    max-width: 100px;
-  }
 }
 
 .justify {

core/templates/core/base/notifications.jinja

@@ -1,14 +1,11 @@
 <div id="quick-notifications"
      x-data="{
              messages: [
-             {% if messages %}
+             {%- for message in messages -%}
-               {% for message in messages %}
+               {%- if not message.extra_tags -%}
-                 {
+                 { tag: '{{ message.tags }}', text: '{{ message }}' },
-                 tag: '{{ message.tags }}',
+               {%- endif -%}
-                 text: '{{ message }}',
+             {%- endfor -%}
-                 },
-               {% endfor %}
-             {% endif %}
              ]
              }"
      @quick-notification-add="(e) => messages.push(e?.detail)"

core/templates/core/fragment/user_visibility.jinja

@@ -0,0 +1,33 @@
+<form
+  hx-post="{{ url("core:user_visibility_fragment", user_id=form.instance.id) }}"
+  hx-disabled-elt="find input[type='submit']"
+  hx-swap="outerHTML" x-data="{ isViewable: {{ form.is_viewable.value()|tojson }} }"
+>
+  {% for message in messages %}
+    {% if message.extra_tags=="visibility" %}
+      <div class="alert alert-success">
+        {{ message }}
+      </div>
+    {% endif %}
+  {% endfor %}
+  {% csrf_token %}
+  {{ form.non_field_errors() }}
+  <fieldset class="form-group">
+    {{ form.is_viewable|add_attr("x-model=isViewable") }}
+    {{ form.is_viewable.label_tag() }}
+    <span class="helptext">{{ form.is_viewable.help_text }}</span>
+    {{ form.is_viewable.errors }}
+  </fieldset>
+  <fieldset class="form-group" x-show="!isViewable">
+    {{ form.whitelisted_users.as_field_group() }}
+  </fieldset>
+  <fieldset class="form-group">
+    {{ form.show_my_stats }}
+    {{ form.show_my_stats.label_tag() }}
+    <span class="helptext">
+      {{ form.show_my_stats.help_text }}
+    </span>
+    {{ form.show_my_stats.errors }}
+  </fieldset>
+  <input type="submit" class="btn btn-blue" value="{% trans %}Save{% endtrans %}">
+</form>

core/templates/core/user_edit.jinja

@@ -147,18 +147,7 @@
       {%- endfor -%}
     </div>
 
-    {# Checkboxes #}
-    <div class="profile-visible">
-      <div class="row">
-        {{ form.is_viewable }}
-        {{ form.is_viewable.label_tag() }}
-      </div>
-      <span class="helptext">
-        {{ form.is_viewable.help_text }}
-      </span>
-    </div>
     <div class="final-actions">
-
       {%- if form.instance == user -%}
         <p>
           <a href="{{ url('core:password_change') }}">{%- trans -%}Change my password{%- endtrans -%}</a>
@@ -170,7 +159,6 @@
           </a>
         </p>
       {%- endif -%}
-
       <p>
         <input type="submit" value="{%- trans -%}Update{%- endtrans -%}" />
       </p>

core/templates/core/user_preferences.jinja

@@ -1,7 +1,14 @@
 {% extends "core/base.jinja" %}
 
+{%- block additional_js -%}
+  <script type="module" src="{{ static("bundled/core/components/ajax-select-index.ts") }}"></script>
+{%- endblock -%}
+
 {%- block additional_css -%}
   <link rel="stylesheet" href="{{ static('user/user_preferences.scss') }}">
+  {# importing ajax-select-index is necessary for it to be applied after HTMX reload #}
+  <link rel="stylesheet" href="{{ static("bundled/core/components/ajax-select-index.css") }}">
+  <link rel="stylesheet" href="{{ static("core/components/ajax-select.scss") }}">
 {%- endblock -%}
 
 {% block title %}
@@ -11,30 +18,22 @@
 {% block content %}
   <div class="main">
     <h2>{% trans %}Preferences{% endtrans %}</h2>
-    <h3>{% trans %}General{% endtrans %}</h3>
+    <br />
-    <form class="form form-general" action="" method="post" enctype="multipart/form-data">
+    <h3>{% trans %}Notifications{% endtrans %}</h3>
+    <form action="" method="post" enctype="multipart/form-data">
       {% csrf_token %}
-      {{ form.as_p() }}
+      <div class="form form-general">
-      <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
+        {{ form.as_p() }}
+      </div>
+      <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
     </form>
 
-    <h3>{% trans %}Trombi{% endtrans %}</h3>
+    <br />
-
+    <h3>{% trans %}Visibility{% endtrans %}</h3>
-    {% if trombi_form %}
-      <form class="form form-trombi" action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
-        {% csrf_token %}
-        {{ trombi_form.as_p() }}
-        <input class="form-submit-btn" type="submit" value="{% trans %}Save{% endtrans %}" />
-      </form>
-
-    {% else %}
-      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
-        <br />
-        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
-      </p>
-    {% endif %}
 
+    {{ user_visibility_fragment }}
 
+    <br />
     {% if student_card_fragment %}
       <h3>{% trans %}Student card{% endtrans %}</h3>
       {{ student_card_fragment }}
@@ -43,5 +42,21 @@
           add a student card yourself, you'll need a NFC reader. We store the UID of the card which is 14 characters long.{% endtrans %}
       </p>
     {% endif %}
+
+    <br />
+    <h3>{% trans %}Trombi{% endtrans %}</h3>
+
+    {% if trombi_form %}
+      <form action="{{ url('trombi:user_tools') }}" method="post" enctype="multipart/form-data">
+        {% csrf_token %}
+        {{ trombi_form.as_p() }}
+        <input class="btn btn-blue" type="submit" value="{% trans %}Save{% endtrans %}" />
+      </form>
+    {% else %}
+      <p>{% trans trombi=profile.trombi_user.trombi %}You already choose to be in that Trombi: {{ trombi }}.{% endtrans %}
+        <br />
+        <a href="{{ url('trombi:user_tools') }}">{% trans %}Go to my Trombi tools{% endtrans %}</a>
+      </p>
+    {% endif %}
   </div>
 {% endblock %}

core/tests/test_commands.py

@@ -0,0 +1,13 @@
+import contextlib
+import os
+
+import pytest
+from django.core.management import call_command
+
+
+@pytest.mark.django_db
+def test_populate_more(settings):
+    """Just check that populate more doesn't crash"""
+    settings.DEBUG = True
+    with open(os.devnull, "w") as devnull, contextlib.redirect_stdout(devnull):
+        call_command("populate_more", "--nb-users", "50")

core/tests/test_user.py

@@ -399,13 +399,12 @@ class TestUserQuerySetViewableBy:
         return [
             baker.make(User),
             subscriber_user.make(),
-            subscriber_user.make(is_viewable=False),
+            *subscriber_user.make(is_viewable=False, _quantity=2),
         ]
 
     def test_admin_user(self, users: list[User]):
         user = baker.make(
-            User,
+            User, user_permissions=[Permission.objects.get(codename="view_hidden_user")]
-            user_permissions=[Permission.objects.get(codename="view_hidden_user")],
         )
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == set(users)
@@ -418,6 +417,12 @@ class TestUserQuerySetViewableBy:
         viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
         assert set(viewable) == {users[0], users[1]}
 
+    def test_whitelist(self, users: list[User]):
+        user = subscriber_user.make()
+        users[3].whitelisted_users.add(user)
+        viewable = User.objects.filter(id__in=[u.id for u in users]).viewable_by(user)
+        assert set(viewable) == {users[0], users[1], users[3]}
+
     @pytest.mark.parametrize("user_factory", [lambda: baker.make(User), AnonymousUser])
     def test_not_subscriber(self, users: list[User], user_factory):
         user = user_factory()

core/urls.py

@@ -69,7 +69,6 @@ from core.views import (
     UserCreationView,
     UserGodfathersTreeView,
     UserGodfathersView,
-    UserListView,
     UserMeRedirect,
     UserMiniView,
     UserPreferencesView,
@@ -78,6 +77,7 @@ from core.views import (
     UserUpdateGroupView,
     UserUpdateProfileView,
     UserView,
+    UserVisibilityFormFragment,
     delete_user_godfather,
     logout,
     notification,
@@ -136,7 +136,11 @@ urlpatterns = [
         "group/<int:group_id>/detail/", GroupTemplateView.as_view(), name="group_detail"
     ),
     # User views
-    path("user/", UserListView.as_view(), name="user_list"),
+    path(
+        "fragment/user/<int:user_id>/",
+        UserVisibilityFormFragment.as_view(),
+        name="user_visibility_fragment",
+    ),
     path(
         "user/me/<path:remaining_path>/",
         UserMeRedirect.as_view(),

core/utils.py

@@ -12,22 +12,32 @@
 # OR WITHIN THE LOCAL FILE "LICENSE"
 #
 #
+from __future__ import annotations
 
+import hmac
 from datetime import date, timedelta
 
 # Image utils
 from io import BytesIO
-from typing import Final
+from typing import TYPE_CHECKING
+from urllib.parse import urlencode
 
 import PIL
 from django.conf import settings
 from django.core.files.base import ContentFile
-from django.core.files.uploadedfile import UploadedFile
-from django.http import HttpRequest
 from django.utils.timezone import localdate
 from PIL import ExifTags
 from PIL.Image import Image, Resampling
 
+if TYPE_CHECKING:
+    from _hashlib import HASH
+    from collections.abc import Buffer, Mapping, Sequence
+    from typing import Any, Callable, Final
+
+    from django.core.files.uploadedfile import UploadedFile
+    from django.http import HttpRequest
+
+
 RED_PIXEL_PNG: Final[bytes] = (
     b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52"
     b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53"
@@ -205,3 +215,30 @@ def get_client_ip(request: HttpRequest) -> str | None:
             return ip
 
     return None
+
+
+def hmac_hexdigest(
+    key: str | bytes,
+    data: Mapping[str, Any] | Sequence[tuple[str, Any]],
+    digest: str | Callable[[Buffer], HASH] = "sha512",
+) -> str:
+    """Return the hexdigest of the signature of the given data.
+
+    Args:
+        key: the HMAC key used for the signature
+        data: the data to sign
+        digest: a PEP247 hashing algorithm (by default, sha512)
+
+    Examples:
+        ```python
+        data = {
+            "foo": 5,
+            "bar": "somevalue",
+        }
+        hmac_key = secrets.token_hex(64)
+        signature = hmac_hexdigest(hmac_key, data, "sha256")
+        ```
+    """
+    if isinstance(key, str):
+        key = key.encode()
+    return hmac.digest(key, urlencode(data).encode(), digest).hex()

core/views/forms.py

@@ -48,12 +48,13 @@ from phonenumber_field.widgets import RegionalPhoneNumberWidget
 from PIL import Image
 
 from antispam.forms import AntiSpamEmailField
-from core.models import Gift, Group, Page, PageRev, SithFile, User
+from core.models import Gift, Group, Page, PageRev, Preferences, SithFile, User
 from core.utils import resize_image
 from core.views.widgets.ajax_select import (
     AutoCompleteSelect,
     AutoCompleteSelectGroup,
     AutoCompleteSelectMultipleGroup,
+    AutoCompleteSelectMultipleUser,
     AutoCompleteSelectUser,
 )
 from core.views.widgets.markdown import MarkdownInput
@@ -179,7 +180,6 @@ class UserProfileForm(forms.ModelForm):
             "school",
             "promo",
             "forum_signature",
-            "is_viewable",
         ]
         widgets = {
             "date_of_birth": SelectDate,
@@ -264,6 +264,38 @@ class UserProfileForm(forms.ModelForm):
         self._post_clean()
 
 
+class UserVisibilityForm(forms.ModelForm):
+    class Meta:
+        model = User
+        fields = ["is_viewable", "whitelisted_users"]
+        widgets = {
+            "is_viewable": forms.CheckboxInput(attrs={"class": "switch"}),
+            "whitelisted_users": AutoCompleteSelectMultipleUser,
+        }
+
+    __preferences_fields = forms.fields_for_model(
+        Preferences,
+        ["show_my_stats"],
+        widgets={"show_my_stats": forms.CheckboxInput(attrs={"class": "switch"})},
+    )
+    show_my_stats = __preferences_fields["show_my_stats"]
+
+    def __init__(
+        self, *args, initial: dict | None = None, instance: User | None = None, **kwargs
+    ):
+        if instance:
+            initial = initial or {}
+            initial["show_my_stats"] = instance.preferences.show_my_stats
+        super().__init__(*args, initial=initial, instance=instance, **kwargs)
+
+    def save(self, commit=True) -> User:  # noqa: FBT002
+        instance = super().save(commit=commit)
+        if commit:
+            instance.preferences.show_my_stats = self.cleaned_data["show_my_stats"]
+            instance.preferences.save()
+        return instance
+
+
 class UserGroupsForm(forms.ModelForm):
     error_css_class = "error"
     required_css_class = "required"

core/views/user.py

@@ -28,10 +28,12 @@ from datetime import timedelta
 from operator import itemgetter
 from smtplib import SMTPException
 
+from django.contrib import messages
 from django.contrib.auth import login, views
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import PasswordChangeForm, SetPasswordForm
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import DateField, F, QuerySet, Sum
 from django.db.models.functions import Trunc
@@ -48,7 +50,6 @@ from django.views.generic import (
     CreateView,
     DeleteView,
     DetailView,
-    ListView,
     RedirectView,
     TemplateView,
 )
@@ -65,8 +66,9 @@ from core.views.forms import (
     UserGodfathersForm,
     UserGroupsForm,
     UserProfileForm,
+    UserVisibilityForm,
 )
-from core.views.mixins import TabedViewMixin, UseFragmentsMixin
+from core.views.mixins import FragmentMixin, TabedViewMixin, UseFragmentsMixin
 from counter.models import Refilling, Selling
 from eboutic.models import Invoice
 from trombi.views import UserTrombiForm
@@ -248,14 +250,15 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Groups"),
                 }
             )
-        if (
+        can_view_account = (
             hasattr(user, "customer")
             and user.customer
             and (
                 user == self.request.user
                 or self.request.user.has_perm("counter.view_customer")
             )
-        ):
+        )
+        if can_view_account or user.preferences.show_my_stats:
             tab_list.append(
                 {
                     "url": reverse("core:user_stats", kwargs={"user_id": user.id}),
@@ -263,6 +266,7 @@ class UserTabsMixin(TabedViewMixin):
                     "name": _("Stats"),
                 }
             )
+        if can_view_account:
             tab_list.append(
                 {
                     "url": reverse("core:user_account", kwargs={"user_id": user.id}),
@@ -349,7 +353,7 @@ class UserGodfathersTreeView(UserTabsMixin, CanViewMixin, DetailView):
         return kwargs
 
 
-class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
+class UserStatsView(UserTabsMixin, UserPassesTestMixin, DetailView):
     """Display a user's stats."""
 
     model = User
@@ -357,15 +361,20 @@ class UserStatsView(UserTabsMixin, CanViewMixin, DetailView):
     context_object_name = "profile"
     template_name = "core/user_stats.jinja"
     current_tab = "stats"
-    queryset = User.objects.exclude(customer=None).select_related("customer")
+    queryset = User.objects.exclude(customer=None).select_related(
+        "customer", "_preferences"
+    )
 
-    def dispatch(self, request, *arg, **kwargs):
+    def test_func(self):
-        profile = self.get_object()
+        profile: User = self.get_object()
-        if not (
+        return (
-            profile == request.user or request.user.has_perm("counter.view_customer")
+            profile == self.request.user
-        ):
+            or self.request.user.has_perm("counter.view_customer")
-            raise PermissionDenied
+            or (
-        return super().dispatch(request, *arg, **kwargs)
+                self.request.user.can_view(profile)
+                and profile.preferences.show_my_stats
+            )
+        )
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
@@ -404,13 +413,6 @@ class UserMiniView(CanViewMixin, DetailView):
     template_name = "core/user_mini.jinja"
 
 
-class UserListView(ListView, CanEditPropMixin):
-    """Displays the user list."""
-
-    model = User
-    template_name = "core/user_list.jinja"
-
-
 # FIXME: the edit_once fields aren't displayed to the user (as expected).
 #  However, if the user re-add them manually in the form, they are saved.
 class UserUpdateProfileView(UserTabsMixin, CanEditMixin, UpdateView):
@@ -468,6 +470,30 @@ class UserClubView(UserTabsMixin, CanViewMixin, DetailView):
     current_tab = "clubs"
 
 
+class UserVisibilityFormFragment(FragmentMixin, SuccessMessageMixin, UpdateView):
+    model = User
+    form_class = UserVisibilityForm
+    template_name = "core/fragment/user_visibility.jinja"
+    pk_url_kwarg = "user_id"
+
+    def get_form_kwargs(self):
+        return super().get_form_kwargs() | {"label_suffix": ""}
+
+    def form_valid(self, form):
+        response = super().form_valid(form)
+        messages.success(
+            self.request, _("Visibility parameters updated."), extra_tags="visibility"
+        )
+        return response
+
+    def render_fragment(self, request, **kwargs) -> SafeString:
+        self.object = kwargs.get("user")
+        return super().render_fragment(request, **kwargs)
+
+    def get_success_url(self, **kwargs):
+        return self.request.path
+
+
 class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, UpdateView):
     """Edit a user's preferences."""
 
@@ -481,7 +507,10 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
     current_tab = "prefs"
 
     def get_form_kwargs(self):
-        return super().get_form_kwargs() | {"instance": self.object.preferences}
+        return super().get_form_kwargs() | {
+            "instance": self.object.preferences,
+            "label_suffix": "",
+        }
 
     def get_success_url(self):
         return self.request.path
@@ -491,6 +520,9 @@ class UserPreferencesView(UserTabsMixin, UseFragmentsMixin, CanEditMixin, Update
         from counter.views.student_card import StudentCardFormFragment
 
         res = super().get_fragment_context_data()
+        res["user_visibility_fragment"] = UserVisibilityFormFragment.as_fragment()(
+            self.request, user=self.object
+        )
         if hasattr(self.object, "customer"):
             res["student_card_fragment"] = StudentCardFormFragment.as_fragment()(
                 self.request, customer=self.object.customer

docs/reference/api/schemas.md

@@ -0,0 +1 @@
+::: api.schemas

docs/reference/api/views.md

@@ -0,0 +1 @@
+::: api.views

docs/tutorial/api/account-link.md

@@ -0,0 +1,353 @@
+Le site AE offre des mécanismes permettant aux applications tierces
+de récupérer les informations sur un utilisateur du site AE.
+De cette manière, il devient possible de synchroniser les informations
+qu possède l'application tierce sur l'utilisateur, directement depuis
+le site AE.
+
+## Fonctionnement général
+
+Pour authentifier vos utilisateurs, vous aurez besoin d'un serveur web
+et d'un client d'API (celui auquel est liée votre
+[clef d'API](./connect.md#obtenir-une-clef-dapi)).
+Deux informations vous sont nécessaires, en plus de votre clef d'API :
+
+- l'id du client : vous pouvez l'obtenir soit en le demandant à l'équipe info,
+  soit en appelant la route `GET /client/me` avec votre clef d'API
+  renseignée dans le header [X-APIKey](./connect.md#x-apikey)
+- la clef HMAC du client : vous devez la demander à l'équipe info.
+
+Grâce à ces informations, vous allez pouvoir fournir le contexte nécessaire
+au site AE pour qu'il authentifie vos utilisateurs.
+
+En effet, la démarche d'authentification s'effectue presque entièrement
+sur le site : le travail de l'application tierce consiste uniquement
+à fournir à l'utilisateur une url avec les bons paramètres, puis
+à recevoir la réponse du serveur si tout s'est bien passé.
+
+Comme un dessin vaut parfois mieux que mille mots,
+voici les diagrammes décrivant le processus.
+L'un montre l'entièreté de la démarche ;
+l'autre dans un souci de simplicité, ne montre que ce qui est visible
+directement par l'application tierce.
+
+=== "Intégralité du processus"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        User->>+Sith: GET url
+        opt Utilisateur non-connecté
+            Sith->>+User: Formulaire de connexion
+            User-->>-Sith: Connexion
+        end
+        Sith->>Sith: vérification de la signature
+        Sith->>+User: Formulaire<br/>des conditions<br/>d'utilisation
+        User-->>-Sith: Validation
+        Sith->>+App: URL de retour<br/>avec données utilisateur
+        App->>App: Traitement des <br/>données utilisateur
+        App-->>-Sith: 204 OK, No content
+        Sith-->>-User: Message de succès
+        App--)User: Message de succès
+    ```
+
+=== "Point de vue de l'application tierce"
+
+    ```mermaid
+    sequenceDiagram
+        actor User
+        participant App
+        User->>+App: Authentifie-moi, stp
+        App-->>-User: url de connexion<br/>avec signature
+        opt
+            Sith->>+App: URL de retour<br/>avec données utilisateur
+            App->>App: Traitement des <br/>données utilisateur
+            App-->>-Sith: 204 OK, No content
+            App--)User: Message de succès
+        end
+    ```
+
+## Données attendues
+
+### URL de connexion
+
+L'URL de connexion que vous allez fournir à l'utilisateur doit
+être `https://ae.utbm.fr/api-link/auth/`
+et doit contenir les données décrites dans
+[`ThirdPartyAuthParamsSchema`][api.schemas.ThirdPartyAuthParamsSchema] :
+
+- `client_id` (integer) : l'id de votre client, que vous pouvez obtenir
+  de la manière décrite plus haut
+- `third_party_app`(string) : le nom de la plateforme pour laquelle
+  l'authentification va être réalisée (si votre application est un bot
+  discord, mettez la valeur "discord")
+- `privacy_link`(URL) : l'URL vers la page de politique de confidentialité
+  qui s'appliquera dans le cadre de l'application
+  (s'il s'agit d'un bot discord, donnez le lien vers celles de Discord)
+- `username`(string) : le pseudonyme que l'utilisateur possède sur
+  votre application
+- `callback_url`(URL) : l'URL que le site AE appellera si l'authentification
+  réussit
+- `signature`(string) : la signature des données de la requête.
+
+Ces données doivent être url-encodées et passées dans les paramètres GET.
+
+!!!tip "URL de retour"
+
+    Notre système n'impose aucune contrainte quant à la manière
+    de construire votre URL (hormis le fait que ce doit être une URL HTTPS valide),
+    mais il est tout de même conseillé d'utiliser l'identifiant de votre
+    utilisateur comme paramètre dans l'URL 
+    (par exemple `GET /callback/{int:user_id}/`).
+
+???Example
+
+    Supposons que votre client d'API soit utilisé dans le cadre d'un bot Discord,
+    avec les données suivantes :
+    
+    - l'id du client est 15
+    - sa clef HMAC est "beb99dd53"
+      (c'est pour l'exemple, une vraie clef sera beaucoup plus longue)
+    - le pseudonyme discord de votre utilisateur est Brian
+    - son id sur discord est 123456789
+    - votre route de callback est `GET /callback/{int:user_id}/`,
+      accessible au domaine `https://bot.ae.utbm.fr`
+    
+    Alors les paramètres de votre URL seront :
+    
+    | Paramètre       | valeur                                                                |
+    |-----------------|-----------------------------------------------------------------------|
+    | client_id       | 15                                                                    |
+    | third_party_app | discord                                                               |
+    | privacy_link    | `https://discord.com/privacy`                                         |
+    | username        | Brian                                                                 |
+    | callback_url    | `https://bot.ae.utbm.fr/callback/123456789/`                          |
+    | signature       | 1a383c51060be64f07772aa42e07<br/>18ae096b8f21f2cdb4061c0834a416d12101 |
+    
+    Et l'url fournie à l'utilisateur sera :
+    
+    `https://ae.utbm.fr/api-link/auth/?client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F
+    &signature=1a383c51060be64f07772aa42e0718ae096b8f21f2cdb4061c0834a416d12101`
+
+### Données de retour
+
+Si l'authentification réussit, le site AE enverra une requête HTTP POST
+à l'URL de retour fournie dans l'URL de connexion.
+
+Le corps de la requête de callback et au format JSON 
+et contient deux paires clef-valeur :
+
+- `user` : les données utilisateur, telles que décrites
+  par [UserProfileSchema][core.schemas.UserProfileSchema]
+- `signature` : la signature des données utilisateur
+
+???Example
+
+    En reprenant les mêmes paramètres que dans l'exemple précédent,
+    le site AE pourra renvoyer à l'application la requête suivante :
+
+    ```http
+    POST https://bot.ae.utbm.fr/callback/123456789/
+    content-type: application/json
+    body: {
+        "user": {
+            "id": 144131,
+            "nick_name": "inzekitchen",
+            "first_name": "Brian",
+            ...
+        },
+        "signature": "f16955bab6b805f6e1abbb98a86dfee53fed0bf812aa6513ca46cfd461b70020"
+    }
+    ```
+
+L'application doit répondre avec un des codes HTTP suivants :
+
+| Code | Raison                                                                         |
+|------|--------------------------------------------------------------------------------|
+| 204  | Tout s'est bien passé                                                          |
+| 403  | Les données de retour ne sont <br>pas signées ou sont mal signées              |
+| 404  | L'URL de retour ne permet pas <br>d'identifier un utilisateur de l'application |
+
+!!!note "Code d'erreur par défaut"
+
+    Si l'appel de la route fait face à plusieurs problèmes en même temps 
+    (par exemple, l'URL ne permet pas de retrouver votre utilisateur, 
+    et en plus les données sont mal signées),
+    le 403 prime et doit être retourné par défaut.
+
+## Signature des données
+
+Les données de l'URL de connexion doivent être signées,
+et la signature de l'URL de retour doit être vérifiée.
+
+Dans le deux cas, la signature est le digest HMAC-SHA512
+des données url-encodées, en utilisant la clef HMAC du client d'API.
+
+???Example "Signature de l'URL de connexion"
+
+    En reprenant le même exemple que les fois précédentes,
+    l'url-encodage des données est :
+
+    `client_id=15&third_party_app=discord
+    &privacy_link=https%3A%2F%2Fdiscord.com%2Fprivacy%2F&username=Brian
+    &callback_url=https%3A%2F%2Fbot.ae.utbm.fr%2Fcallback%2F123456789%2F`
+
+    Notez que la signature n'est pas (encore) dedans.
+    Cette dernière peut-être obtenue avec le code suivant :
+
+    === ":simple-python: Python"
+    
+        Dépendances :
+    
+        - `environs` (>=14.1)
+    
+        ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        key = env.str("HMAC_KEY").encode()
+        data = {
+            "client_id": 15,
+            "third_party_app": "discord",
+            "privacy_link": "https://discord.com/privacy/",
+            "username": "Brian",
+            "callback_url": "https://bot.ae.utbm.fr/callback/123456789/",
+        }
+        urlencoded = urlencode(data)
+        data["signature"] = hmac.digest(key, urlencoded.encode(), "sha512").hex()
+        
+        # URL a fournir à l'utilisateur pour son authentification
+        user_url = f"https://ae.ubtm.fr/api-link/auth/?{urlencode(data)}"
+        ```    
+    
+    === ":simple-rust: Rust"
+    
+        Dépendances :
+        
+        - `hmac` (>=0.12.1)
+        - `url` (>=2.5.7, features `serde`)
+        - `serde` (>=1.0.228, features `derive`)
+        - `serde_urlencoded` (>="0.7.1)
+        - `sha2` (>=0.10.9)
+        - `dotenvy` (>= 0.15)
+    
+        ```rust
+        use hmac::{Mac, SimpleHmac};
+        use serde::Serialize;
+        use sha2::Sha512;
+        use url::Url;
+        
+        #[derive(Serialize, Debug)]
+        struct UrlData<'a> {
+            client_id: u32,
+            third_party_app: &'a str,
+            privacy_link: Url,
+            username: &'a str,
+            callback_url: Url,
+        }
+        
+        impl<'a> UrlData<'a> {
+            pub fn signature(&self, key: &[u8]) -> CtOutput<SimpleHmac<Sha512>> {
+                let urlencoded = serde_urlencoded::to_string(self).unwrap();
+                SimpleHmac::<Sha512>::new_from_slice(key)
+                    .unwrap()
+                    .chain_update(urlencoded.as_bytes())
+                    .finalize()
+            }
+        }
+        
+        impl Into<Url> for UrlData<'_> {
+            fn into(self) -> Url {
+                let key = std::env::var("HMAC_KEY").unwrap();
+                let mut url = Url::parse("http://ae.utbm.fr/api-link/auth/").unwrap();
+                url.set_query(Some(
+                    format!(
+                        "{}&signature={:x}",
+                        serde_urlencoded::to_string(&self).unwrap(),
+                        self.signature(key.as_bytes()).into_bytes()
+                    )
+                    .as_str(),
+                ));
+                url
+            }
+        }
+        
+        fn main() {
+            dotenvy::dotenv().expect("Couldn't load env");
+            let data = UrlData {
+                client_id: 1,
+                third_party_app: "discord",
+                privacy_link: "https://discord.com/privacy/".parse().unwrap(),
+                username: "Brian",
+                callback_url: "https://bot.ae.utbm.fr/callback/123456789/"
+                    .parse()
+                    .unwrap(),
+            };
+            let url: Url = data.into();
+            println!("{:?}", url);
+        }
+        ```
+
+???Example "Vérification de la signature de la réponse"
+
+    Les données utilisateur peuvent ressembler à :
+
+    ```json
+    {
+        "user": {
+            "display_name": "Matthieu Vincent",
+            "profile_url": "/user/380/",
+            "profile_pict": "/static/core/img/unknown.jpg",
+            "id": 380,
+            "nick_name": None,
+            "first_name": "Matthieu",
+            "last_name": "Vincent",
+        },
+        "signature": "3802a280fbb01bd9fetc."
+    }
+    ```
+
+    Vous pouvez vérifier la signature ainsi :
+
+    ```python
+        import hmac
+        from urllib.parse import urlencode
+        
+        from environs import Env
+        
+        env = Env()
+        env.read_env()
+        
+        def is_signature_valid(user_data: dict, signature: str) -> bool:
+            key = env.str("HMAC_KEY").encode()
+            urlencoded = urlencode(user_data)
+            return hmac.compare_digest(
+                hmac.digest(key, urlencoded.encode(), "sha512").hex(),
+                signature,
+            )
+        
+        
+        post_data = <récupération des données POST>
+        print(
+            "signature valide :", 
+            is_signature_valid(post_data["user"], post_data["signature"]
+        )
+    ```
+
+!!!Warning
+
+    Vous devez impérativement vérifier la signature 
+    des données de la requête de callback !
+
+    Si l'équipe informatique se rend compte que vous ne le faites pas,
+    elle se réserve le droit de suspendre votre application,
+    immédiatement et sans préavis.

docs/tutorial/api/connect.md

@@ -112,7 +112,7 @@ cf. [HTTP persistant connection (wikipedia)](https://en.wikipedia.org/wiki/HTTP_
 
 Voici quelques exemples : 
 
-=== "Python (requests)"
+=== ":simple-python: Python (requests)"
 
     Dépendances :
 
@@ -132,7 +132,7 @@ Voici quelques exemples :
         print(response.json())
     ```
 
-=== "Python (aiohttp)"
+=== ":simple-python: Python (aiohttp)"
 
     Dépendances :
 
@@ -158,7 +158,7 @@ Voici quelques exemples :
     asyncio.run(main())
     ```
 
-=== "Javascript (axios)"
+=== ":simple-javascript: Javascript (axios)"
 
     Dépendances :
 
@@ -178,7 +178,7 @@ Voici quelques exemples :
     console.log(await instance.get("club/1").json());
     ```
 
-=== "Rust (reqwest)"
+=== ":simple-rust: Rust (reqwest)"
 
     Dépendances :
     

eboutic/converters.py

@@ -1,37 +0,0 @@
-#
-# Copyright 2022
-# - Maréchal <thgirod@hotmail.com
-#
-# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
-# http://ae.utbm.fr.
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License a published by the Free Software
-# Foundation; either version 3 of the License, or (at your option) any later
-# version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
-# details.
-#
-# You should have received a copy of the GNU General Public License along with
-# this program; if not, write to the Free Sofware Foundation, Inc., 59 Temple
-# Place - Suite 330, Boston, MA 02111-1307, USA.
-
-
-class PaymentResultConverter:
-    """Converter used for url mapping of the `eboutic.views.payment_result` view.
-
-    It's meant to build an url that can match
-    either `/eboutic/pay/success/` or `/eboutic/pay/failure/`
-    but nothing else.
-    """
-
-    regex = "(success|failure)"
-
-    def to_python(self, value):
-        return str(value)
-
-    def to_url(self, value):
-        return str(value)

eboutic/templates/eboutic/eboutic_main.jinja

@@ -116,6 +116,56 @@
           </span>
         </div>
       {% endif %}
+      <section>
+        <div class="category-header">
+          <h3 class="margin-bottom">{% trans %}Eurockéennes 2025 partnership{% endtrans %}</h3>
+          {% if user.is_subscribed %}
+            <div id="eurock-partner" style="
+                                            min-height: 600px;
+                                            background-color: lightgrey;
+                                            display: flex;
+                                            justify-content: center;
+                                            align-items: center;
+                                            flex-direction: column;
+                                            gap: 10px;
+                                           ">
+              <p style="text-align: center;">
+                {% trans trimmed %}
+                  Our partner uses Weezevent to sell tickets.
+                  Weezevent may collect user info according to
+                  its own privacy policy.
+                  By clicking the accept button you consent to
+                  their terms of services.
+                {% endtrans %}
+              </p>
+
+              <a href="https://weezevent.com/fr/politique-de-confidentialite/">{% trans %}Privacy policy{% endtrans %}</a>
+
+              <button
+                hx-get="{{ url("eboutic:eurock") }}"
+                hx-target="#eurock-partner"
+                hx-swap="outerHTML"
+                hx-trigger="click, load[document.cookie.includes('weezevent_accept=true')]"
+                @htmx:after-request="document.cookie = 'weezevent_accept=true'"
+              >{% trans %}Accept{% endtrans %}
+              </button>
+            </div>
+          {% else %}
+            <p>
+              {%- trans trimmed %}
+                You must be subscribed to benefit from the partnership with the Eurockéennes.
+              {% endtrans -%}
+            </p>
+            <p>
+              {%- trans trimmed %}
+                This partnership offers a discount of up to 33%
+                on tickets for Friday, Saturday and Sunday,
+                as well as the 3-day package from Friday to Sunday.
+              {% endtrans -%}
+            </p>
+          {% endif %}
+        </div>
+      </section>
       {% for priority_groups in products|groupby('order') %}
         {% for category, items in priority_groups.list|groupby('category') %}
           {% if items|count > 0 %}

eboutic/templates/eboutic/eurock_fragment.jinja

@@ -0,0 +1,16 @@
+<a title="Logiciel billetterie en ligne"
+   href="https://www.weezevent.com?c=sys_widget"
+   class="weezevent-widget-integration"
+   target="_blank"
+   data-src="https://widget.weezevent.com/ticket/8aaba226-f7a3-4192-a64e-72ff8f5b35b7?id_evenement=1419869&locale=fr-FR&code=28747"
+   data-width="650"
+   data-height="600"
+   data-resize="1"
+   data-nopb="0"
+   data-type="neo"
+   data-width_auto="1"
+   data-noscroll="0"
+   data-id="1419869">
+  Billetterie Weezevent
+</a>
+<script type="text/javascript" src="https://widget.weezevent.com/weez.js"  async defer></script>

eboutic/templates/eboutic/eurok_fragment.jinja

@@ -1,17 +0,0 @@
-<a
-  title="Logiciel billetterie en ligne"
-  href="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  class="weezevent-widget-integration"
-  target="_blank"
-  data-src="https://widget.weezevent.com/ticket/6ef65533-f5b0-4571-9d21-1f1bc63921f0?id_evenement=1211855&locale=fr-FR&code=34146"
-  data-width="650"
-  data-height="600"
-  data-resize="1"
-  data-nopb="0"
-  data-type="neo"
-  data-width_auto="1"
-  data-noscroll="0"
-  data-id="1211855">
-  Billetterie Weezevent
-</a>
-<script type="text/javascript" src="https://widget.weezevent.com/weez.js" async defer></script>

eboutic/urls.py

@@ -24,17 +24,18 @@
 
 from django.urls import path, register_converter
 
-from eboutic.converters import PaymentResultConverter
+from core.converters import ResultConverter
 from eboutic.views import (
     BillingInfoFormFragment,
     EbouticCheckout,
     EbouticMainView,
     EbouticPayWithSith,
     EtransactionAutoAnswer,
+    EurockPartnerFragment,
     payment_result,
 )
 
-register_converter(PaymentResultConverter, "res")
+register_converter(ResultConverter, "res")
 
 urlpatterns = [
     # Subscription views
@@ -50,4 +51,5 @@ urlpatterns = [
         EtransactionAutoAnswer.as_view(),
         name="etransation_autoanswer",
     ),
+    path("eurock/", EurockPartnerFragment.as_view(), name="eurock"),
 ]

eboutic/views.py

@@ -42,11 +42,11 @@ from django.shortcuts import redirect, render
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
-from django.views.generic import DetailView, FormView, UpdateView, View
+from django.views.generic import DetailView, FormView, TemplateView, UpdateView, View
 from django.views.generic.edit import SingleObjectMixin
 from django_countries.fields import Country
 
-from core.auth.mixins import CanViewMixin
+from core.auth.mixins import CanViewMixin, IsSubscriberMixin
 from core.views.mixins import FragmentMixin, UseFragmentsMixin
 from counter.forms import BaseBasketForm, BasketProductForm, BillingInfoForm
 from counter.models import (
@@ -350,3 +350,7 @@ class EtransactionAutoAnswer(View):
             return HttpResponse(
                 "Payment failed with error: " + request.GET["Error"], status=202
             )
+
+
+class EurockPartnerFragment(IsSubscriberMixin, TemplateView):
+    template_name = "eboutic/eurock_fragment.jinja"

election/templates/election/election_detail.jinja

@@ -146,7 +146,7 @@
                           <label for="{{ input_id }}">
                         {%- endif %}
                         <figure>
-                          {%- if user.is_viewable %}
+                          {%- if user.can_view(candidature.user) %}
                             {% if candidature.user.profile_pict %}
                               <img class="candidate__picture" src="{{ candidature.user.profile_pict.get_download_url() }}" alt="{% trans %}Profile{% endtrans %}">
                             {% else %}

locale/fr/LC_MESSAGES/django.po

@@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-10 10:28+0100\n"
+"POT-Creation-Date: 2026-03-23 22:21+0100\n"
 "PO-Revision-Date: 2016-07-18\n"
 "Last-Translator: Maréchal <thomas.girod@utbm.fr\n"
 "Language-Team: AE info <ae.info@utbm.fr>\n"
@@ -35,6 +35,10 @@ msgstr ""
 "True si gardé à jour par le biais d'un fournisseur externe de domains "
 "toxics, False sinon"
 
+#: api/admin.py
+msgid "Reset HMAC key"
+msgstr "Réinitialiser la clef HMAC"
+
 #: api/admin.py
 #, python-format
 msgid ""
@@ -48,6 +52,23 @@ msgstr ""
 msgid "Revoke selected API keys"
 msgstr "Révoquer les clefs d'API sélectionnées"
 
+#: api/forms.py
+msgid "I have read and I accept the terms and conditions of use"
+msgstr "J'ai lu et j'accepte les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must approve the terms and conditions of use."
+msgstr "Vous devez approuver les conditions générales d'utilisation."
+
+#: api/forms.py
+msgid "You must confirm that this is your username."
+msgstr "Vous devez confirmer que c'est bien votre nom d'utilisateur."
+
+#: api/forms.py
+#, python-format
+msgid "I confirm that %(username)s is my username on %(app)s"
+msgstr "Je confirme que %(username)s est mon nom d'utilisateur sur %(app)s"
+
 #: api/models.py club/models.py com/models.py counter/models.py forum/models.py
 msgid "name"
 msgstr "nom"
@@ -68,6 +89,10 @@ msgstr "permissions du client"
 msgid "Specific permissions for this api client."
 msgstr "Permissions spécifiques pour ce client d'API"
 
+#: api/models.py
+msgid "HMAC Key"
+msgstr "Clef HMAC"
+
 #: api/models.py
 msgid "api client"
 msgstr "client d'api"
@@ -97,6 +122,63 @@ msgstr "clef d'api"
 msgid "api keys"
 msgstr "clefs d'api"
 
+#: api/templates/api/third_party/auth.jinja
+msgid "Confidentiality"
+msgstr "Confidentialité"
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"By ticking this box and clicking on the send button, you acknowledge and "
+"agree to provide %(app)s with your first name, last name, nickname and any "
+"other information that was the third party app was explicitly authorized to "
+"fetch and that it must have acknowledged to you, in a complete and accurate "
+"manner."
+msgstr ""
+"En cochant cette case et en cliquant sur le bouton « Envoyer », vous "
+"reconnaissez et acceptez de fournir à %(app)s votre prénom, nom, pseudonyme "
+"et toute autre information que l'application tierce a été explicitement "
+"autorisée à récupérer et qu'elle doit vous avoir communiqué de manière "
+"complète et exacte."
+
+#: api/templates/api/third_party/auth.jinja
+#, python-format
+msgid ""
+"The privacy policies of <a href=\"%(privacy_link)s\">%(app)s</a> and of <a "
+"href=\"%(sith_cgu_link)s\">the Students' Association</a> applies as soon as "
+"the form is submitted."
+msgstr ""
+"Les politiques de confidentialité de <a href=\"%(privacy_link)s\">%(app)s</a> et de <a "
+"href=\"%(sith_cgu_link)s\">l'Association des Etudiants</a> s'appliquent dès la soumission "
+"du formulaire."
+
+#: api/templates/api/third_party/auth.jinja
+msgid "Confirmation of identity"
+msgstr "Confirmation d'identité"
+
+#: api/views.py
+#, python-format
+msgid ""
+"You are going to link your AE account and your %(app)s account. Continue "
+"only if this page was opened from %(app)s."
+msgstr ""
+"Vous allez lier votre compte AE et votre compte %(app)s. Poursuivez "
+"uniquement si cette page a été ouverte depuis %(app)s."
+
+#: api/views.py
+msgid "You have been successfully authenticated. You can now close this page."
+msgstr "Vous avez été authentifié avec succès. Vous pouvez maintenant fermer cette page."
+
+#: api/views.py
+msgid ""
+"Your authentication on the AE website was successful, but an error happened "
+"during the interaction with the third-party application. Please contact the "
+"managers of the latter."
+msgstr ""
+"Votre authentification sur le site AE a fonctionné, mais une erreur est arrivée "
+"durant l'interaction avec l'application tierce. Veuillez contacter les responsables "
+"de cette dernière."
+
 #: club/forms.py
 msgid "Users to add"
 msgstr "Utilisateurs à ajouter"
@@ -551,8 +633,9 @@ msgstr ""
 #: com/templates/com/news_edit.jinja com/templates/com/poster_edit.jinja
 #: com/templates/com/screen_edit.jinja com/templates/com/weekmail.jinja
 #: core/templates/core/create.jinja core/templates/core/edit.jinja
-#: core/templates/core/file_edit.jinja core/templates/core/page/edit.jinja
+#: core/templates/core/file_edit.jinja
-#: core/templates/core/page/prop.jinja
+#: core/templates/core/fragment/user_visibility.jinja
+#: core/templates/core/page/edit.jinja core/templates/core/page/prop.jinja
 #: core/templates/core/user_godfathers.jinja
 #: core/templates/core/user_godfathers_tree.jinja
 #: core/templates/core/user_preferences.jinja
@@ -1547,6 +1630,18 @@ msgid ""
 msgstr ""
 "Si vous désactivez cette option, seuls les admins pourront voir votre profil."
 
+#: core/models.py
+msgid "whitelisted users"
+msgstr "utilisateurs whitelistés"
+
+#: core/models.py
+msgid ""
+"Even if this profile is hidden, the users in this list will still be able to "
+"see it."
+msgstr ""
+"Même si ce profil est caché, les utilisateurs sur cette liste pourront "
+"toujours le voir."
+
 #: core/models.py
 msgid "A user with that username already exists"
 msgstr "Un utilisateur de ce nom d'utilisateur existe déjà"
@@ -1603,6 +1698,14 @@ msgstr "recevoir le Weekmail"
 msgid "show your stats to others"
 msgstr "montrez vos statistiques aux autres"
 
+#: core/models.py
+msgid ""
+"Allow subscribers (or whitelisted users if your profile is hidden) to access "
+"your AE account stats."
+msgstr ""
+"Autorise les cotisants (ou les personnes whitelistées, si votre profil est "
+"caché) à accéder aux statistiques de votre compte AE"
+
 #: core/models.py
 msgid "get a notification for every click"
 msgstr "avoir une notification pour chaque click"
@@ -2612,21 +2715,12 @@ msgid "Preferences"
 msgstr "Préférences"
 
 #: core/templates/core/user_preferences.jinja
-msgid "General"
+msgid "Notifications"
-msgstr "Général"
+msgstr "Notifications"
-
-#: core/templates/core/user_preferences.jinja trombi/views.py
-msgid "Trombi"
-msgstr "Trombi"
 
 #: core/templates/core/user_preferences.jinja
-#, python-format
+msgid "Visibility"
-msgid "You already choose to be in that Trombi: %(trombi)s."
+msgstr "Visibilité"
-msgstr "Vous avez déjà choisi ce Trombi: %(trombi)s."
-
-#: core/templates/core/user_preferences.jinja
-msgid "Go to my Trombi tools"
-msgstr "Allez à mes outils de Trombi"
 
 #: core/templates/core/user_preferences.jinja
 #: counter/templates/counter/counter_click.jinja
@@ -2645,6 +2739,19 @@ msgstr ""
 "aurez besoin d'un lecteur NFC. Nous enregistrons l'UID de la carte qui fait "
 "14 caractères de long."
 
+#: core/templates/core/user_preferences.jinja trombi/views.py
+msgid "Trombi"
+msgstr "Trombi"
+
+#: core/templates/core/user_preferences.jinja
+#, python-format
+msgid "You already choose to be in that Trombi: %(trombi)s."
+msgstr "Vous avez déjà choisi ce Trombi: %(trombi)s."
+
+#: core/templates/core/user_preferences.jinja
+msgid "Go to my Trombi tools"
+msgstr "Allez à mes outils de Trombi"
+
 #: core/templates/core/user_stats.jinja
 #, python-format
 msgid "%(user_name)s's stats"
@@ -2925,6 +3032,10 @@ msgstr "Photos"
 msgid "Account"
 msgstr "Compte"
 
+#: core/views/user.py
+msgid "Visibility parameters updated."
+msgstr "Paramètres de visibilité mis à jour."
+
 #: counter/apps.py counter/models.py
 msgid "counter"
 msgstr "comptoir"
@@ -5838,3 +5949,39 @@ msgstr "Vous ne pouvez plus écrire de commentaires, la date est passée."
 #, python-format
 msgid "Maximum characters: %(max_length)s"
 msgstr "Nombre de caractères max: %(max_length)s"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Eurockéennes 2025 partnership"
+msgstr "Partenariat Eurockéennes 2025"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"Our partner uses Weezevent to sell tickets. Weezevent may collect user info "
+"according to its own privacy policy. By clicking the accept button you "
+"consent to their terms of services."
+msgstr ""
+"Notre partenaire utilises Wezevent pour vendre ses billets. Weezevent peut "
+"collecter des informations utilisateur conformément à sa propre politique de "
+"confidentialité. En cliquant sur le bouton d'acceptation vous consentez à "
+"leurs termes de service."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid "Privacy policy"
+msgstr "Politique de confidentialité"
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+msgid ""
+"You must be subscribed to benefit from the partnership with the Eurockéennes."
+msgstr ""
+"Vous devez être cotisant pour bénéficier du partenariat avec les "
+"Eurockéennes."
+
+#: eboutic/templates/eboutic/eboutic_main.jinja
+#, python-format
+msgid ""
+"This partnership offers a discount of up to 33%% on tickets for Friday, "
+"Saturday and Sunday, as well as the 3-day package from Friday to Sunday."
+msgstr ""
+"Ce partenariat permet de profiter d'une réduction jusqu'à 33%% sur les "
+"billets du vendredi, du samedi et du dimanche, ainsi qu'au forfait 3 jours, "
+"du vendredi au dimanche."

mkdocs.yml

@@ -69,6 +69,7 @@ nav:
     - API:
       - Développement: tutorial/api/dev.md
       - Connexion à l'API: tutorial/api/connect.md
+      - Liaison avec le compte AE: tutorial/api/account-link.md
     - Etransactions: tutorial/etransaction.md
   - How-to:
     - L'ORM de Django: howto/querysets.md
@@ -91,6 +92,8 @@ nav:
       - reference/api/hashers.md
       - reference/api/models.md
       - reference/api/perms.md
+      - reference/api/schemas.md
+      - reference/api/views.md
     - club:
       - reference/club/models.md
       - reference/club/views.md

package.json

@@ -8,8 +8,6 @@
     "compile-dev": "vite build --mode development",
     "serve": "vite build --mode development --watch --minify false",
     "openapi": "openapi-ts",
-    "analyse-dev": "vite-bundle-visualizer --mode development",
-    "analyse-prod": "vite-bundle-visualizer --mode production",
     "check": "tsc && biome check --write"
   },
   "keywords": [],
@@ -35,10 +33,9 @@
     "@types/cytoscape-cxtmenu": "^3.4.5",
     "@types/cytoscape-klay": "^3.1.5",
     "@types/js-cookie": "^3.0.6",
+    "rollup-plugin-visualizer": "^7.0.1",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
+    "vite": "^8.0.0"
-    "vite-bundle-visualizer": "^1.2.1",
-    "vite-plugin-static-copy": "^3.2.0"
   },
   "dependencies": {
     "@alpinejs/sort": "^3.15.8",

sas/models.py

@@ -270,7 +270,11 @@ class PeoplePictureRelationQuerySet(models.QuerySet):
         if user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
             return self
         if user.was_subscribed:
-            return self.filter(Q(user_id=user.id) | Q(user__is_viewable=True))
+            return self.filter(
+                Q(user_id=user.id)
+                | Q(user__is_viewable=True)
+                | Q(user__whitelisted_users=user)
+            )
         return self.filter(user_id=user.id)
 
 

sith/settings.py

@@ -355,7 +355,6 @@ SITH_TWITTER = "@ae_utbm"
 # AE configuration
 SITH_MAIN_CLUB_ID = env.int("SITH_MAIN_CLUB_ID", default=1)
 SITH_PDF_CLUB_ID = env.int("SITH_PDF_CLUB_ID", default=2)
-SITH_LAUNDERETTE_CLUB_ID = env.int("SITH_LAUNDERETTE_CLUB_ID", default=84)
 
 # Main root for club pages
 SITH_CLUB_ROOT_PAGE = "clubs"
@@ -405,6 +404,8 @@ SITH_FORUM_PAGE_LENGTH = 30
 SITH_SAS_ROOT_DIR_ID = env.int("SITH_SAS_ROOT_DIR_ID", default=4)
 SITH_SAS_IMAGES_PER_PAGE = 60
 
+SITH_CGU_FILE_ID = env.int("SITH_CGU_FILE_ID", default=5)
+
 SITH_PROFILE_DEPARTMENTS = [
     ("TC", _("TC")),
     ("IMSI", _("IMSI")),
@@ -483,13 +484,6 @@ SITH_LOG_OPERATION_TYPE = [
 
 SITH_PEDAGOGY_UTBM_API = "https://extranet1.utbm.fr/gpedago/api/guide"
 
-SITH_ECOCUP_CONS = env.int("SITH_ECOCUP_CONS", default=1151)
-
-SITH_ECOCUP_DECO = env.int("SITH_ECOCUP_DECO", default=1152)
-
-# The limit is the maximum difference between cons and deco possible for a customer
-SITH_ECOCUP_LIMIT = 3
-
 # Defines pagination for cash summary
 SITH_COUNTER_CASH_SUMMARY_LENGTH = 50
 
@@ -512,7 +506,6 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = env.int(
 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = env.int(
     "SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS", default=2
 )
-SITH_PRODUCTTYPE_SUBSCRIPTION = env.int("SITH_PRODUCTTYPE_SUBSCRIPTION", default=2)
 
 # Number of weeks before the end of a subscription when the subscriber can resubscribe
 SITH_SUBSCRIPTION_END = 10

sith/urls.py

@@ -34,6 +34,7 @@ urlpatterns = [
     path("", include(("core.urls", "core"), namespace="core")),
     path("sitemap.xml", cache_page(86400)(sitemap), {"sitemaps": sitemaps}),
     path("api/", api.urls),
+    path("api-link/", include(("api.urls", "api-link"), namespace="api-link")),
     path("rootplace/", include(("rootplace.urls", "rootplace"), namespace="rootplace")),
     path(
         "subscription/",

uv.lock

@@ -423,55 +423,55 @@ wheels = [
 
 [[package]]
 name = "cryptography"
-version = "46.0.6"
+version = "46.0.5"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a4/ba/04b1bd4218cbc58dc90ce967106d51582371b898690f3ae0402876cc4f34/cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759", size = 750542, upload-time = "2026-03-25T23:34:53.396Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/60/04/ee2a9e8542e4fa2773b81771ff8349ff19cdd56b7258a0cc442639052edb/cryptography-46.0.5.tar.gz", hash = "sha256:abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d", size = 750064, upload-time = "2026-02-10T19:18:38.255Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/47/23/9285e15e3bc57325b0a72e592921983a701efc1ee8f91c06c5f0235d86d9/cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8", size = 7176401, upload-time = "2026-03-25T23:33:22.096Z" },
+    { url = "https://files.pythonhosted.org/packages/f7/81/b0bb27f2ba931a65409c6b8a8b358a7f03c0e46eceacddff55f7c84b1f3b/cryptography-46.0.5-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:351695ada9ea9618b3500b490ad54c739860883df6c1f555e088eaf25b1bbaad", size = 7176289, upload-time = "2026-02-10T19:17:08.274Z" },
-    { url = "https://files.pythonhosted.org/packages/60/f8/e61f8f13950ab6195b31913b42d39f0f9afc7d93f76710f299b5ec286ae6/cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30", size = 4275275, upload-time = "2026-03-25T23:33:23.844Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/9e/6b4397a3e3d15123de3b1806ef342522393d50736c13b20ec4c9ea6693a6/cryptography-46.0.5-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:c18ff11e86df2e28854939acde2d003f7984f721eba450b56a200ad90eeb0e6b", size = 4275637, upload-time = "2026-02-10T19:17:10.53Z" },
-    { url = "https://files.pythonhosted.org/packages/19/69/732a736d12c2631e140be2348b4ad3d226302df63ef64d30dfdb8db7ad1c/cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a", size = 4425320, upload-time = "2026-03-25T23:33:25.703Z" },
+    { url = "https://files.pythonhosted.org/packages/63/e7/471ab61099a3920b0c77852ea3f0ea611c9702f651600397ac567848b897/cryptography-46.0.5-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4d7e3d356b8cd4ea5aff04f129d5f66ebdc7b6f8eae802b93739ed520c47c79b", size = 4424742, upload-time = "2026-02-10T19:17:12.388Z" },
-    { url = "https://files.pythonhosted.org/packages/d4/12/123be7292674abf76b21ac1fc0e1af50661f0e5b8f0ec8285faac18eb99e/cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175", size = 4278082, upload-time = "2026-03-25T23:33:27.423Z" },
+    { url = "https://files.pythonhosted.org/packages/37/53/a18500f270342d66bf7e4d9f091114e31e5ee9e7375a5aba2e85a91e0044/cryptography-46.0.5-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:50bfb6925eff619c9c023b967d5b77a54e04256c4281b0e21336a130cd7fc263", size = 4277528, upload-time = "2026-02-10T19:17:13.853Z" },
-    { url = "https://files.pythonhosted.org/packages/5b/ba/d5e27f8d68c24951b0a484924a84c7cdaed7502bac9f18601cd357f8b1d2/cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463", size = 4926514, upload-time = "2026-03-25T23:33:29.206Z" },
+    { url = "https://files.pythonhosted.org/packages/22/29/c2e812ebc38c57b40e7c583895e73c8c5adb4d1e4a0cc4c5a4fdab2b1acc/cryptography-46.0.5-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:803812e111e75d1aa73690d2facc295eaefd4439be1023fefc4995eaea2af90d", size = 4947993, upload-time = "2026-02-10T19:17:15.618Z" },
-    { url = "https://files.pythonhosted.org/packages/34/71/1ea5a7352ae516d5512d17babe7e1b87d9db5150b21f794b1377eac1edc0/cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97", size = 4457766, upload-time = "2026-03-25T23:33:30.834Z" },
+    { url = "https://files.pythonhosted.org/packages/6b/e7/237155ae19a9023de7e30ec64e5d99a9431a567407ac21170a046d22a5a3/cryptography-46.0.5-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ee190460e2fbe447175cda91b88b84ae8322a104fc27766ad09428754a618ed", size = 4456855, upload-time = "2026-02-10T19:17:17.221Z" },
-    { url = "https://files.pythonhosted.org/packages/01/59/562be1e653accee4fdad92c7a2e88fced26b3fdfce144047519bbebc299e/cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c", size = 3986535, upload-time = "2026-03-25T23:33:33.02Z" },
+    { url = "https://files.pythonhosted.org/packages/2d/87/fc628a7ad85b81206738abbd213b07702bcbdada1dd43f72236ef3cffbb5/cryptography-46.0.5-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:f145bba11b878005c496e93e257c1e88f154d278d2638e6450d17e0f31e558d2", size = 3984635, upload-time = "2026-02-10T19:17:18.792Z" },
-    { url = "https://files.pythonhosted.org/packages/d6/8b/b1ebfeb788bf4624d36e45ed2662b8bd43a05ff62157093c1539c1288a18/cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507", size = 4277618, upload-time = "2026-03-25T23:33:34.567Z" },
+    { url = "https://files.pythonhosted.org/packages/84/29/65b55622bde135aedf4565dc509d99b560ee4095e56989e815f8fd2aa910/cryptography-46.0.5-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:e9251e3be159d1020c4030bd2e5f84d6a43fe54b6c19c12f51cde9542a2817b2", size = 4277038, upload-time = "2026-02-10T19:17:20.256Z" },
-    { url = "https://files.pythonhosted.org/packages/dd/52/a005f8eabdb28df57c20f84c44d397a755782d6ff6d455f05baa2785bd91/cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19", size = 4890802, upload-time = "2026-03-25T23:33:37.034Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/36/45e76c68d7311432741faf1fbf7fac8a196a0a735ca21f504c75d37e2558/cryptography-46.0.5-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:47fb8a66058b80e509c47118ef8a75d14c455e81ac369050f20ba0d23e77fee0", size = 4912181, upload-time = "2026-02-10T19:17:21.825Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/4d/8e7d7245c79c617d08724e2efa397737715ca0ec830ecb3c91e547302555/cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738", size = 4457425, upload-time = "2026-03-25T23:33:38.904Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/1a/c1ba8fead184d6e3d5afcf03d569acac5ad063f3ac9fb7258af158f7e378/cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:4c3341037c136030cb46e4b1e17b7418ea4cbd9dd207e4a6f3b2b24e0d4ac731", size = 4456482, upload-time = "2026-02-10T19:17:25.133Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/5c/f6c3596a1430cec6f949085f0e1a970638d76f81c3ea56d93d564d04c340/cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c", size = 4405530, upload-time = "2026-03-25T23:33:40.842Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/e5/3fb22e37f66827ced3b902cf895e6a6bc1d095b5b26be26bd13c441fdf19/cryptography-46.0.5-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:890bcb4abd5a2d3f852196437129eb3667d62630333aacc13dfd470fad3aaa82", size = 4405497, upload-time = "2026-02-10T19:17:26.66Z" },
-    { url = "https://files.pythonhosted.org/packages/7e/c9/9f9cea13ee2dbde070424e0c4f621c091a91ffcc504ffea5e74f0e1daeff/cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f", size = 4667896, upload-time = "2026-03-25T23:33:42.781Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/df/9d58bb32b1121a8a2f27383fabae4d63080c7ca60b9b5c88be742be04ee7/cryptography-46.0.5-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:80a8d7bfdf38f87ca30a5391c0c9ce4ed2926918e017c29ddf643d0ed2778ea1", size = 4667819, upload-time = "2026-02-10T19:17:28.569Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/b5/1895bc0821226f129bc74d00eccfc6a5969e2028f8617c09790bf89c185e/cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2", size = 3026348, upload-time = "2026-03-25T23:33:45.021Z" },
+    { url = "https://files.pythonhosted.org/packages/ea/ed/325d2a490c5e94038cdb0117da9397ece1f11201f425c4e9c57fe5b9f08b/cryptography-46.0.5-cp311-abi3-win32.whl", hash = "sha256:60ee7e19e95104d4c03871d7d7dfb3d22ef8a9b9c6778c94e1c8fcc8365afd48", size = 3028230, upload-time = "2026-02-10T19:17:30.518Z" },
-    { url = "https://files.pythonhosted.org/packages/c3/f8/c9bcbf0d3e6ad288b9d9aa0b1dee04b063d19e8c4f871855a03ab3a297ab/cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124", size = 3483896, upload-time = "2026-03-25T23:33:46.649Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/5a/ac0f49e48063ab4255d9e3b79f5def51697fce1a95ea1370f03dc9db76f6/cryptography-46.0.5-cp311-abi3-win_amd64.whl", hash = "sha256:38946c54b16c885c72c4f59846be9743d699eee2b69b6988e0a00a01f46a61a4", size = 3480909, upload-time = "2026-02-10T19:17:32.083Z" },
-    { url = "https://files.pythonhosted.org/packages/01/41/3a578f7fd5c70611c0aacba52cd13cb364a5dee895a5c1d467208a9380b0/cryptography-46.0.6-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:2ef9e69886cbb137c2aef9772c2e7138dc581fad4fcbcf13cc181eb5a3ab6275", size = 7117147, upload-time = "2026-03-25T23:33:48.249Z" },
+    { url = "https://files.pythonhosted.org/packages/00/13/3d278bfa7a15a96b9dc22db5a12ad1e48a9eb3d40e1827ef66a5df75d0d0/cryptography-46.0.5-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:94a76daa32eb78d61339aff7952ea819b1734b46f73646a07decb40e5b3448e2", size = 7119287, upload-time = "2026-02-10T19:17:33.801Z" },
-    { url = "https://files.pythonhosted.org/packages/fa/87/887f35a6fca9dde90cad08e0de0c89263a8e59b2d2ff904fd9fcd8025b6f/cryptography-46.0.6-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7f417f034f91dcec1cb6c5c35b07cdbb2ef262557f701b4ecd803ee8cefed4f4", size = 4266221, upload-time = "2026-03-25T23:33:49.874Z" },
+    { url = "https://files.pythonhosted.org/packages/67/c8/581a6702e14f0898a0848105cbefd20c058099e2c2d22ef4e476dfec75d7/cryptography-46.0.5-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5be7bf2fb40769e05739dd0046e7b26f9d4670badc7b032d6ce4db64dddc0678", size = 4265728, upload-time = "2026-02-10T19:17:35.569Z" },
-    { url = "https://files.pythonhosted.org/packages/aa/a8/0a90c4f0b0871e0e3d1ed126aed101328a8a57fd9fd17f00fb67e82a51ca/cryptography-46.0.6-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:d24c13369e856b94892a89ddf70b332e0b70ad4a5c43cf3e9cb71d6d7ffa1f7b", size = 4408952, upload-time = "2026-03-25T23:33:52.128Z" },
+    { url = "https://files.pythonhosted.org/packages/dd/4a/ba1a65ce8fc65435e5a849558379896c957870dd64fecea97b1ad5f46a37/cryptography-46.0.5-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fe346b143ff9685e40192a4960938545c699054ba11d4f9029f94751e3f71d87", size = 4408287, upload-time = "2026-02-10T19:17:36.938Z" },
-    { url = "https://files.pythonhosted.org/packages/16/0b/b239701eb946523e4e9f329336e4ff32b1247e109cbab32d1a7b61da8ed7/cryptography-46.0.6-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:aad75154a7ac9039936d50cf431719a2f8d4ed3d3c277ac03f3339ded1a5e707", size = 4270141, upload-time = "2026-03-25T23:33:54.11Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/67/8ffdbf7b65ed1ac224d1c2df3943553766914a8ca718747ee3871da6107e/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:c69fd885df7d089548a42d5ec05be26050ebcd2283d89b3d30676eb32ff87dee", size = 4270291, upload-time = "2026-02-10T19:17:38.748Z" },
-    { url = "https://files.pythonhosted.org/packages/0f/a8/976acdd4f0f30df7b25605f4b9d3d89295351665c2091d18224f7ad5cdbf/cryptography-46.0.6-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:3c21d92ed15e9cfc6eb64c1f5a0326db22ca9c2566ca46d845119b45b4400361", size = 4904178, upload-time = "2026-03-25T23:33:55.725Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/e5/f52377ee93bc2f2bba55a41a886fd208c15276ffbd2569f2ddc89d50e2c5/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:8293f3dea7fc929ef7240796ba231413afa7b68ce38fd21da2995549f5961981", size = 4927539, upload-time = "2026-02-10T19:17:40.241Z" },
-    { url = "https://files.pythonhosted.org/packages/b1/1b/bf0e01a88efd0e59679b69f42d4afd5bced8700bb5e80617b2d63a3741af/cryptography-46.0.6-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:4668298aef7cddeaf5c6ecc244c2302a2b8e40f384255505c22875eebb47888b", size = 4441812, upload-time = "2026-03-25T23:33:57.364Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/02/cfe39181b02419bbbbcf3abdd16c1c5c8541f03ca8bda240debc467d5a12/cryptography-46.0.5-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:1abfdb89b41c3be0365328a410baa9df3ff8a9110fb75e7b52e66803ddabc9a9", size = 4442199, upload-time = "2026-02-10T19:17:41.789Z" },
-    { url = "https://files.pythonhosted.org/packages/bb/8b/11df86de2ea389c65aa1806f331cae145f2ed18011f30234cc10ca253de8/cryptography-46.0.6-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:8ce35b77aaf02f3b59c90b2c8a05c73bac12cea5b4e8f3fbece1f5fddea5f0ca", size = 3963923, upload-time = "2026-03-25T23:33:59.361Z" },
+    { url = "https://files.pythonhosted.org/packages/c0/96/2fcaeb4873e536cf71421a388a6c11b5bc846e986b2b069c79363dc1648e/cryptography-46.0.5-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:d66e421495fdb797610a08f43b05269e0a5ea7f5e652a89bfd5a7d3c1dee3648", size = 3960131, upload-time = "2026-02-10T19:17:43.379Z" },
-    { url = "https://files.pythonhosted.org/packages/91/e0/207fb177c3a9ef6a8108f234208c3e9e76a6aa8cf20d51932916bd43bda0/cryptography-46.0.6-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c89eb37fae9216985d8734c1afd172ba4927f5a05cfd9bf0e4863c6d5465b013", size = 4269695, upload-time = "2026-03-25T23:34:00.909Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/d2/b27631f401ddd644e94c5cf33c9a4069f72011821cf3dc7309546b0642a0/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:4e817a8920bfbcff8940ecfd60f23d01836408242b30f1a708d93198393a80b4", size = 4270072, upload-time = "2026-02-10T19:17:45.481Z" },
-    { url = "https://files.pythonhosted.org/packages/21/5e/19f3260ed1e95bced52ace7501fabcd266df67077eeb382b79c81729d2d3/cryptography-46.0.6-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:ed418c37d095aeddf5336898a132fba01091f0ac5844e3e8018506f014b6d2c4", size = 4869785, upload-time = "2026-03-25T23:34:02.796Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/a7/60d32b0370dae0b4ebe55ffa10e8599a2a59935b5ece1b9f06edb73abdeb/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:68f68d13f2e1cb95163fa3b4db4bf9a159a418f5f6e7242564fc75fcae667fd0", size = 4892170, upload-time = "2026-02-10T19:17:46.997Z" },
-    { url = "https://files.pythonhosted.org/packages/10/38/cd7864d79aa1d92ef6f1a584281433419b955ad5a5ba8d1eb6c872165bcb/cryptography-46.0.6-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:69cf0056d6947edc6e6760e5f17afe4bea06b56a9ac8a06de9d2bd6b532d4f3a", size = 4441404, upload-time = "2026-03-25T23:34:04.35Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/b9/cf73ddf8ef1164330eb0b199a589103c363afa0cf794218c24d524a58eab/cryptography-46.0.5-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:a3d1fae9863299076f05cb8a778c467578262fae09f9dc0ee9b12eb4268ce663", size = 4441741, upload-time = "2026-02-10T19:17:48.661Z" },
-    { url = "https://files.pythonhosted.org/packages/09/0a/4fe7a8d25fed74419f91835cf5829ade6408fd1963c9eae9c4bce390ecbb/cryptography-46.0.6-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:8e7304c4f4e9490e11efe56af6713983460ee0780f16c63f219984dab3af9d2d", size = 4397549, upload-time = "2026-03-25T23:34:06.342Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/eb/eee00b28c84c726fe8fa0158c65afe312d9c3b78d9d01daf700f1f6e37ff/cryptography-46.0.5-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c4143987a42a2397f2fc3b4d7e3a7d313fbe684f67ff443999e803dd75a76826", size = 4396728, upload-time = "2026-02-10T19:17:50.058Z" },
-    { url = "https://files.pythonhosted.org/packages/5f/a0/7d738944eac6513cd60a8da98b65951f4a3b279b93479a7e8926d9cd730b/cryptography-46.0.6-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:b928a3ca837c77a10e81a814a693f2295200adb3352395fad024559b7be7a736", size = 4651874, upload-time = "2026-03-25T23:34:07.916Z" },
+    { url = "https://files.pythonhosted.org/packages/65/f4/6bc1a9ed5aef7145045114b75b77c2a8261b4d38717bd8dea111a63c3442/cryptography-46.0.5-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:7d731d4b107030987fd61a7f8ab512b25b53cef8f233a97379ede116f30eb67d", size = 4652001, upload-time = "2026-02-10T19:17:51.54Z" },
-    { url = "https://files.pythonhosted.org/packages/cb/f1/c2326781ca05208845efca38bf714f76939ae446cd492d7613808badedf1/cryptography-46.0.6-cp314-cp314t-win32.whl", hash = "sha256:97c8115b27e19e592a05c45d0dd89c57f81f841cc9880e353e0d3bf25b2139ed", size = 3001511, upload-time = "2026-03-25T23:34:09.892Z" },
+    { url = "https://files.pythonhosted.org/packages/86/ef/5d00ef966ddd71ac2e6951d278884a84a40ffbd88948ef0e294b214ae9e4/cryptography-46.0.5-cp314-cp314t-win32.whl", hash = "sha256:c3bcce8521d785d510b2aad26ae2c966092b7daa8f45dd8f44734a104dc0bc1a", size = 3003637, upload-time = "2026-02-10T19:17:52.997Z" },
-    { url = "https://files.pythonhosted.org/packages/c9/57/fe4a23eb549ac9d903bd4698ffda13383808ef0876cc912bcb2838799ece/cryptography-46.0.6-cp314-cp314t-win_amd64.whl", hash = "sha256:c797e2517cb7880f8297e2c0f43bb910e91381339336f75d2c1c2cbf811b70b4", size = 3471692, upload-time = "2026-03-25T23:34:11.613Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/57/f3f4160123da6d098db78350fdfd9705057aad21de7388eacb2401dceab9/cryptography-46.0.5-cp314-cp314t-win_amd64.whl", hash = "sha256:4d8ae8659ab18c65ced284993c2265910f6c9e650189d4e3f68445ef82a810e4", size = 3469487, upload-time = "2026-02-10T19:17:54.549Z" },
-    { url = "https://files.pythonhosted.org/packages/c4/cc/f330e982852403da79008552de9906804568ae9230da8432f7496ce02b71/cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a", size = 7162776, upload-time = "2026-03-25T23:34:13.308Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/fa/a66aa722105ad6a458bebd64086ca2b72cdd361fed31763d20390f6f1389/cryptography-46.0.5-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:4108d4c09fbbf2789d0c926eb4152ae1760d5a2d97612b92d508d96c861e4d31", size = 7170514, upload-time = "2026-02-10T19:17:56.267Z" },
-    { url = "https://files.pythonhosted.org/packages/49/b3/dc27efd8dcc4bff583b3f01d4a3943cd8b5821777a58b3a6a5f054d61b79/cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8", size = 4270529, upload-time = "2026-03-25T23:34:15.019Z" },
+    { url = "https://files.pythonhosted.org/packages/0f/04/c85bdeab78c8bc77b701bf0d9bdcf514c044e18a46dcff330df5448631b0/cryptography-46.0.5-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:7d1f30a86d2757199cb2d56e48cce14deddf1f9c95f1ef1b64ee91ea43fe2e18", size = 4275349, upload-time = "2026-02-10T19:17:58.419Z" },
-    { url = "https://files.pythonhosted.org/packages/e6/05/e8d0e6eb4f0d83365b3cb0e00eb3c484f7348db0266652ccd84632a3d58d/cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77", size = 4414827, upload-time = "2026-03-25T23:34:16.604Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/32/9b87132a2f91ee7f5223b091dc963055503e9b442c98fc0b8a5ca765fab0/cryptography-46.0.5-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:039917b0dc418bb9f6edce8a906572d69e74bd330b0b3fea4f79dab7f8ddd235", size = 4420667, upload-time = "2026-02-10T19:18:00.619Z" },
-    { url = "https://files.pythonhosted.org/packages/2f/97/daba0f5d2dc6d855e2dcb70733c812558a7977a55dd4a6722756628c44d1/cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290", size = 4271265, upload-time = "2026-03-25T23:34:18.586Z" },
+    { url = "https://files.pythonhosted.org/packages/a1/a6/a7cb7010bec4b7c5692ca6f024150371b295ee1c108bdc1c400e4c44562b/cryptography-46.0.5-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ba2a27ff02f48193fc4daeadf8ad2590516fa3d0adeeb34336b96f7fa64c1e3a", size = 4276980, upload-time = "2026-02-10T19:18:02.379Z" },
-    { url = "https://files.pythonhosted.org/packages/89/06/fe1fce39a37ac452e58d04b43b0855261dac320a2ebf8f5260dd55b201a9/cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410", size = 4916800, upload-time = "2026-03-25T23:34:20.561Z" },
+    { url = "https://files.pythonhosted.org/packages/8e/7c/c4f45e0eeff9b91e3f12dbd0e165fcf2a38847288fcfd889deea99fb7b6d/cryptography-46.0.5-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:61aa400dce22cb001a98014f647dc21cda08f7915ceb95df0c9eaf84b4b6af76", size = 4939143, upload-time = "2026-02-10T19:18:03.964Z" },
-    { url = "https://files.pythonhosted.org/packages/ff/8a/b14f3101fe9c3592603339eb5d94046c3ce5f7fc76d6512a2d40efd9724e/cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d", size = 4448771, upload-time = "2026-03-25T23:34:22.406Z" },
+    { url = "https://files.pythonhosted.org/packages/37/19/e1b8f964a834eddb44fa1b9a9976f4e414cbb7aa62809b6760c8803d22d1/cryptography-46.0.5-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:3ce58ba46e1bc2aac4f7d9290223cead56743fa6ab94a5d53292ffaac6a91614", size = 4453674, upload-time = "2026-02-10T19:18:05.588Z" },
-    { url = "https://files.pythonhosted.org/packages/01/b3/0796998056a66d1973fd52ee89dc1bb3b6581960a91ad4ac705f182d398f/cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70", size = 3978333, upload-time = "2026-03-25T23:34:24.281Z" },
+    { url = "https://files.pythonhosted.org/packages/db/ed/db15d3956f65264ca204625597c410d420e26530c4e2943e05a0d2f24d51/cryptography-46.0.5-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:420d0e909050490d04359e7fdb5ed7e667ca5c3c402b809ae2563d7e66a92229", size = 3978801, upload-time = "2026-02-10T19:18:07.167Z" },
-    { url = "https://files.pythonhosted.org/packages/c5/3d/db200af5a4ffd08918cd55c08399dc6c9c50b0bc72c00a3246e099d3a849/cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d", size = 4271069, upload-time = "2026-03-25T23:34:25.895Z" },
+    { url = "https://files.pythonhosted.org/packages/41/e2/df40a31d82df0a70a0daf69791f91dbb70e47644c58581d654879b382d11/cryptography-46.0.5-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:582f5fcd2afa31622f317f80426a027f30dc792e9c80ffee87b993200ea115f1", size = 4276755, upload-time = "2026-02-10T19:18:09.813Z" },
-    { url = "https://files.pythonhosted.org/packages/d7/18/61acfd5b414309d74ee838be321c636fe71815436f53c9f0334bf19064fa/cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa", size = 4878358, upload-time = "2026-03-25T23:34:27.67Z" },
+    { url = "https://files.pythonhosted.org/packages/33/45/726809d1176959f4a896b86907b98ff4391a8aa29c0aaaf9450a8a10630e/cryptography-46.0.5-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:bfd56bb4b37ed4f330b82402f6f435845a5f5648edf1ad497da51a8452d5d62d", size = 4901539, upload-time = "2026-02-10T19:18:11.263Z" },
-    { url = "https://files.pythonhosted.org/packages/8b/65/5bf43286d566f8171917cae23ac6add941654ccf085d739195a4eacf1674/cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58", size = 4448061, upload-time = "2026-03-25T23:34:29.375Z" },
+    { url = "https://files.pythonhosted.org/packages/99/0f/a3076874e9c88ecb2ecc31382f6e7c21b428ede6f55aafa1aa272613e3cd/cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:a3d507bb6a513ca96ba84443226af944b0f7f47dcc9a399d110cd6146481d24c", size = 4452794, upload-time = "2026-02-10T19:18:12.914Z" },
-    { url = "https://files.pythonhosted.org/packages/e0/25/7e49c0fa7205cf3597e525d156a6bce5b5c9de1fd7e8cb01120e459f205a/cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb", size = 4399103, upload-time = "2026-03-25T23:34:32.036Z" },
+    { url = "https://files.pythonhosted.org/packages/02/ef/ffeb542d3683d24194a38f66ca17c0a4b8bf10631feef44a7ef64e631b1a/cryptography-46.0.5-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9f16fbdf4da055efb21c22d81b89f155f02ba420558db21288b3d0035bafd5f4", size = 4404160, upload-time = "2026-02-10T19:18:14.375Z" },
-    { url = "https://files.pythonhosted.org/packages/44/46/466269e833f1c4718d6cd496ffe20c56c9c8d013486ff66b4f69c302a68d/cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72", size = 4659255, upload-time = "2026-03-25T23:34:33.679Z" },
+    { url = "https://files.pythonhosted.org/packages/96/93/682d2b43c1d5f1406ed048f377c0fc9fc8f7b0447a478d5c65ab3d3a66eb/cryptography-46.0.5-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:ced80795227d70549a411a4ab66e8ce307899fad2220ce5ab2f296e687eacde9", size = 4667123, upload-time = "2026-02-10T19:18:15.886Z" },
-    { url = "https://files.pythonhosted.org/packages/0a/09/ddc5f630cc32287d2c953fc5d32705e63ec73e37308e5120955316f53827/cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c", size = 3010660, upload-time = "2026-03-25T23:34:35.418Z" },
+    { url = "https://files.pythonhosted.org/packages/45/2d/9c5f2926cb5300a8eefc3f4f0b3f3df39db7f7ce40c8365444c49363cbda/cryptography-46.0.5-cp38-abi3-win32.whl", hash = "sha256:02f547fce831f5096c9a567fd41bc12ca8f11df260959ecc7c3202555cc47a72", size = 3010220, upload-time = "2026-02-10T19:18:17.361Z" },
-    { url = "https://files.pythonhosted.org/packages/1b/82/ca4893968aeb2709aacfb57a30dec6fa2ab25b10fa9f064b8882ce33f599/cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f", size = 3471160, upload-time = "2026-03-25T23:34:37.191Z" },
+    { url = "https://files.pythonhosted.org/packages/48/ef/0c2f4a8e31018a986949d34a01115dd057bf536905dca38897bacd21fac3/cryptography-46.0.5-cp38-abi3-win_amd64.whl", hash = "sha256:556e106ee01aa13484ce9b0239bca667be5004efb0aabbed28d353df86445595", size = 3467050, upload-time = "2026-02-10T19:18:18.899Z" },
 ]
 
 [[package]]
@@ -817,7 +817,6 @@ wheels = [
 name = "griffelib"
 version = "2.0.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ad/06/eccbd311c9e2b3ca45dbc063b93134c57a1ccc7607c5e545264ad092c4a9/griffelib-2.0.0.tar.gz", hash = "sha256:e504d637a089f5cab9b5daf18f7645970509bf4f53eda8d79ed71cce8bd97934", size = 166312, upload-time = "2026-03-23T21:06:55.954Z" }
 wheels = [
     { url = "https://files.pythonhosted.org/packages/4d/51/c936033e16d12b627ea334aaaaf42229c37620d0f15593456ab69ab48161/griffelib-2.0.0-py3-none-any.whl", hash = "sha256:01284878c966508b6d6f1dbff9b6fa607bc062d8261c5c7253cb285b06422a7f", size = 142004, upload-time = "2026-02-09T19:09:40.561Z" },
 ]

vite.config.mts

@@ -1,14 +1,17 @@
-// biome-ignore lint/correctness/noNodejsModules: this is backend side
 import { parse, resolve } from "node:path";
 import inject from "@rollup/plugin-inject";
 import { glob } from "glob";
-import type { Rollup } from "vite";
+import { visualizer } from "rollup-plugin-visualizer";
-import { type AliasOptions, defineConfig, type UserConfig } from "vite";
+import {
+  type AliasOptions,
+  defineConfig,
+  type PluginOption,
+  type Rollup,
+  type UserConfig,
+} from "vite";
 import tsconfig from "./tsconfig.json";
 
 const outDir = resolve(__dirname, "./staticfiles/generated/bundled");
-const vendored = resolve(outDir, "vendored");
-const nodeModules = resolve(__dirname, "node_modules");
 const collectedFiles = glob.sync(
   "./!(static)/static/bundled/**/*?(-)index.?(m)[j|t]s?(x)",
 );
@@ -42,7 +45,6 @@ function getRelativeAssetPath(path: string): string {
   return relativePath.join("/");
 }
 
-// biome-ignore lint/style/noDefaultExport: this is recommended by documentation
 export default defineConfig((config: UserConfig) => {
   return {
     base: "/static/bundled/",
@@ -86,6 +88,7 @@ export default defineConfig((config: UserConfig) => {
         Alpine: "alpinejs",
         htmx: "htmx.org",
       }),
+      visualizer({ filename: ".bundle-size-report.html" }) as PluginOption,
     ],
   } satisfies UserConfig;
 });