Merge branch 'oauth2' into 'main'

Oauth2 See merge request bde/nk20!360
translations
2025-11-17 20:07:52 +01:00 · 2025-11-15 20:41:57 +01:00 · 2025-11-13 16:00:05 +01:00 · 2025-11-13 15:53:39 +01:00 · 2025-11-10 18:07:32 +01:00 · 2025-11-09 14:48:29 +01:00
16 changed files with 1102 additions and 262 deletions
--- a/apps/activity/views.py
+++ b/apps/activity/views.py
@@ -152,9 +152,11 @@ class ActivityDetailView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMix
    def get_tables_data(self):
        return [
            Guest.objects.filter(activity=self.object)
-                         .filter(PermissionBackend.filter_queryset(self.request, Guest, "view")),
+                         .filter(PermissionBackend.filter_queryset(self.request, Guest, "view"))
+                         .distinct(),
            self.object.opener.filter(activity=self.object)
-                              .filter(PermissionBackend.filter_queryset(self.request, Opener, "view")),
+                              .filter(PermissionBackend.filter_queryset(self.request, Opener, "view"))
+                              .distinct(),
        ]

    def render_to_response(self, context, **response_kwargs):
@@ -309,7 +311,7 @@ class ActivityInviteView(ProtectQuerysetMixin, ProtectedCreateView):
    @transaction.atomic
    def form_valid(self, form):
        form.instance.activity = Activity.objects\
-            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).get(pk=self.kwargs["pk"])
+            .filter(PermissionBackend.filter_queryset(self.request, Activity, "view")).distinct().get(pk=self.kwargs["pk"])
        return super().form_valid(form)

    def get_success_url(self, **kwargs):
--- a/apps/member/views.py
+++ b/apps/member/views.py
@@ -50,6 +50,15 @@ class CustomLoginView(LoginView):
        self.request.session['permission_mask'] = form.cleaned_data['permission_mask'].rank
        return super().form_valid(form)

+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        user_agent = self.request.META.get('HTTP_USER_AGENT', '').lower()
+
+        context['display_appstore_badge'] = 'iphone' in user_agent or 'android' not in user_agent
+        context['display_playstore_badge'] = 'android' in user_agent or 'iphone' not in user_agent
+
+        return context
+

 class UserUpdateView(ProtectQuerysetMixin, LoginRequiredMixin, UpdateView):
    """
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@@ -26,24 +26,42 @@ class PermissionBackend(ModelBackend):

    @staticmethod
    @memoize
-    def get_raw_permissions(request, t):
+    def get_raw_permissions(request, t):  # noqa: C901
        """
        Query permissions of a certain type for a user, then memoize it.
        :param request: The current request
        :param t: The type of the permissions: view, change, add or delete
        :return: The queryset of the permissions of the user (memoized) grouped by clubs
        """
-        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
+        # Permission for auth
+        if hasattr(request, 'oauth2') and request.oauth2 is not None and 'scope' in request.oauth2:
            # OAuth2 Authentication
+            user = request.oauth2['user']
+
+            def permission_filter(membership_obj):
+                query = Q(pk=-1)
+                for scope in request.oauth2['scope']:
+                    if scope == "openid":
+                        continue
+                    permission_id, club_id = scope.split('_')
+                    if int(club_id) == membership_obj.club_id:
+                        query |= Q(pk=permission_id, mask__rank__lte=request.oauth2['mask'])
+                return query
+
+        # Restreint token permission to his scope
+        elif hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
            user = request.auth.user

            def permission_filter(membership_obj):
                query = Q(pk=-1)
                for scope in request.auth.scope.split(' '):
+                    if scope == "openid" or scope == "0_0":
+                        continue
                    permission_id, club_id = scope.split('_')
                    if int(club_id) == membership_obj.club_id:
                        query |= Q(pk=permission_id)
                return query
+
        else:
            user = request.user

@@ -77,7 +95,6 @@ class PermissionBackend(ModelBackend):
        :param type: The type of the permissions: view, change, add or delete
        :return: A generator of the requested permissions
        """
-
        if hasattr(request, 'auth') and request.auth is not None and hasattr(request.auth, 'scope'):
            # OAuth2 Authentication
            user = request.auth.user
--- a/apps/permission/fixtures/initial.json
+++ b/apps/permission/fixtures/initial.json
@@ -927,7 +927,7 @@
                "note",
                "transactiontemplate"
            ],
-            "query": "{\"destination\": [\"club\", \"note\"]}",
+            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]",
            "type": "view",
            "mask": 2,
            "field": "",
@@ -943,7 +943,7 @@
                "note",
                "transactiontemplate"
            ],
-            "query": "{\"destination\": [\"club\", \"note\"]}",
+            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]", 
            "type": "add",
            "mask": 3,
            "field": "",
@@ -959,7 +959,7 @@
                "note",
                "transactiontemplate"
            ],
-            "query": "{\"destination\": [\"club\", \"note\"]}",
+            "query": "[\"AND\", {\"destination\": [\"club\", \"note\"]}, {\"category__name\": \"Clubs\"}]",
            "type": "change",
            "mask": 3,
            "field": "",
@@ -3486,6 +3486,22 @@
 	    "description": "Voir la bouffe servie"
 	    }
    },
+    {
+        "model": "permission.permission",
+        "pk": 223,
+        "fields": {
+            "model": [
+                "note",
+                "templatecategory"
+            ],
+            "query": "{\"name\": \"Clubs\"}",
+            "type": "view",
+            "mask": 2,
+            "field": "",
+            "permanent": false,
+            "description": "Voir la catégorie de bouton Clubs"
+        }
+    },
    {
        "model": "permission.permission",
        "pk": 239,
@@ -4896,7 +4912,6 @@
                19,
                20,
                21,
-                27,
                59,
                60,
                61,
@@ -4907,6 +4922,7 @@
                182,
                184,
                185,
+                223,
                239,
                240,
                241
@@ -5271,6 +5287,12 @@
                176,
                177,
                197,
+                211,
+                212,
+                213,
+                214,
+                215,
+                216,
                311,
                319
            ]
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@@ -10,6 +10,8 @@ from note_kfet.middlewares import get_current_request
 from .backends import PermissionBackend
 from .models import Permission

+from django.utils.translation import gettext_lazy as _
+

 class PermissionScopes(BaseScopes):
    """
@@ -23,7 +25,9 @@ class PermissionScopes(BaseScopes):
        if 'scopes' in kwargs:
            for scope in kwargs['scopes']:
                if scope == 'openid':
-                    scopes['openid'] = "OpenID Connect"
+                    scopes['openid'] = _("OpenID Connect (username and email)")
+                elif scope == '0_0':
+                    scopes['0_0'] = _("Useless scope which do nothing")
                else:
                    p = Permission.objects.get(id=scope.split('_')[0])
                    club = Club.objects.get(id=scope.split('_')[1])
@@ -32,7 +36,8 @@ class PermissionScopes(BaseScopes):

        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
                  for p in Permission.objects.all() for club in Club.objects.all()}
-        scopes['openid'] = "OpenID Connect"
+        scopes['openid'] = _("OpenID Connect (username and email)")
+        scopes['0_0'] = _("Useless scope which do nothing")
        return scopes

    def get_available_scopes(self, application=None, request=None, *args, **kwargs):
@@ -41,7 +46,7 @@ class PermissionScopes(BaseScopes):
        scopes = [f"{p.id}_{p.membership.club.id}"
                  for t in Permission.PERMISSION_TYPES
                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
-        scopes.append('openid')
+        scopes.append('0_0')  # always available
        return scopes

    def get_default_scopes(self, application=None, request=None, *args, **kwargs):
@@ -49,7 +54,7 @@ class PermissionScopes(BaseScopes):
            return []
        scopes = [f"{p.id}_{p.membership.club.id}"
                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-        scopes.append('openid')
+        scopes = ['0_0']  # always default
        return scopes


@@ -67,10 +72,77 @@ class PermissionOAuth2Validator(OAuth2Validator):
            "email": request.user.email,
        }

+    def get_userinfo_claims(self, request):
+        claims = super().get_userinfo_claims(request)
+        claims['is_active'] = request.user.is_active
+        return claims
+
    def get_discovery_claims(self, request):
        claims = super().get_discovery_claims(self)
        return claims + ["name", "normalized_name", "email"]

+    def validate_client_credentials_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        For client credentials valid scopes are scope of the app owner
+        """
+        valid_scopes = set()
+        request.oauth2 = {}
+        request.oauth2['user'] = client.user
+        request.oauth2['user'].is_anomymous = False
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        if hasattr(request.decoded_body, 'mask'):
+            try:
+                request.oauth2['mask'] = int(request.decoded_body['mask'])
+            except ValueError:
+                request.oauth2['mask'] = 42
+        else:
+            request.oauth2['mask'] = 42
+
+        for t in Permission.PERMISSION_TYPES:
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
+                scope = f"{p.id}_{p.membership.club.id}"
+                if scope in scopes:
+                    valid_scopes.add(scope)
+
+        # Always give one scope to generate token
+        if not valid_scopes:
+            valid_scopes.add('0_0')
+
+        request.scopes = valid_scopes
+        return valid_scopes
+
+    def validate_ropb_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        For ROPB valid scopes are scope of the user
+        """
+        valid_scopes = set()
+        request.oauth2 = {}
+        request.oauth2['user'] = request.user
+        request.oauth2['user'].is_anomymous = False
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        if hasattr(request.decoded_body, 'mask'):
+            try:
+                request.oauth2['mask'] = int(request.decoded_body['mask'])
+            except ValueError:
+                request.oauth2['mask'] = 42
+        else:
+            request.oauth2['mask'] = 42
+
+        for t in Permission.PERMISSION_TYPES:
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
+                scope = f"{p.id}_{p.membership.club.id}"
+                if scope in scopes:
+                    valid_scopes.add(scope)
+
+        # Always give one scope to generate token
+        if not valid_scopes:
+            valid_scopes.add('0_0')
+
+        request.scopes = valid_scopes
+        return valid_scopes
+
    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
        """
        User can request as many scope as he wants, including invalid scopes,
@@ -79,17 +151,35 @@ class PermissionOAuth2Validator(OAuth2Validator):
        This allows clients to request more permission to get finally a
        subset of permissions.
        """
+        valid_scopes = set()
+        if hasattr(request, 'grant_type') and request.grant_type == 'client_credentials':
+            return self.validate_client_credentials_scopes(client_id, scopes, client, request, args, kwargs)
+        if hasattr(request, 'grant_type') and request.grant_type == 'password':
+            return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs)
+
+        # Authorization code and Implicit are the same for scope, OIDC it's only a layer

        valid_scopes = set()
+        req = get_current_request()
+        request.oauth2 = {}
+        request.oauth2['user'] = req.user
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        request.oauth2['mask'] = req.session.load()['permission_mask']

        for t in Permission.PERMISSION_TYPES:
-            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
                scope = f"{p.id}_{p.membership.club.id}"
                if scope in scopes:
                    valid_scopes.add(scope)

-        if 'openid' in scopes:
+        # We grant openid scope if user is active
+        if 'openid' in scopes and req.user.is_active:
            valid_scopes.add('openid')

+        # Always give one scope to generate token
+        if not valid_scopes:
+            valid_scopes.add('0_0')
+
        request.scopes = valid_scopes
        return valid_scopes
--- a/apps/permission/tests/test_oauth2_access.py
+++ b/apps/permission/tests/test_oauth2_access.py
@@ -21,6 +21,7 @@ class OAuth2TestCase(TestCase):
    def setUp(self):
        self.user = User.objects.create(
            username="toto",
+            password="toto1234",
        )
        self.application = Application.objects.create(
            name="Test",
@@ -92,3 +93,40 @@ class OAuth2TestCase(TestCase):
        self.assertEqual(resp.status_code, 200)
        self.assertIn(self.application, resp.context['scopes'])
        self.assertIn('1_1', resp.context['scopes'][self.application])  # Now the user has this permission
+
+    def test_oidc(self):
+        """
+        Ensure OIDC work
+        """
+        # Create access token that has access to our own user detail
+        token = AccessToken.objects.create(
+            user=self.user,
+            application=self.application,
+            scope="openid",
+            token=get_random_string(64),
+            expires=timezone.now() + timedelta(days=365),
+        )
+
+        # No access without token
+        resp = self.client.get('/o/userinfo/')  # userinfo endpoint
+        self.assertEqual(resp.status_code, 401)
+
+        # Valid token
+        resp = self.client.get('/o/userinfo/', **{'Authorization': f'Bearer {token.token}'})
+        self.assertEqual(resp.status_code, 200)
+
+        # Create membership to test api
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=1)
+        membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
+        membership.save()
+
+        # Token can always be use to see yourself
+        resp = self.client.get('/api/me/',
+                               **{'Authorization': f'Bearer {token.token}'})
+
+        # Token is not granted to see other api
+        resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',
+                               **{'Authorization': f'Bearer {token.token}'})
+
+        self.assertEqual(resp.status_code, 404)
--- a/apps/permission/tests/test_oauth2_flow.py
+++ b/apps/permission/tests/test_oauth2_flow.py
@@ -0,0 +1,444 @@
+# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import base64
+import hashlib
+
+from django.contrib.auth.hashers import PBKDF2PasswordHasher
+from django.contrib.auth.models import User
+from django.utils.crypto import get_random_string
+from django.test import TestCase
+from member.models import Membership, Club
+from note.models import NoteUser
+from oauth2_provider.models import Application, AccessToken, Grant
+
+from ..models import Role, Permission
+
+
+class OAuth2FlowTestCase(TestCase):
+    fixtures = ('initial', )
+
+    def setUp(self):
+        self.user_password = "toto1234"
+        hasher = PBKDF2PasswordHasher()
+
+        self.user = User.objects.create(
+            username="toto",
+            password=hasher.encode(self.user_password, hasher.salt()),
+        )
+
+        NoteUser.objects.create(user=self.user)
+        membership = Membership.objects.create(user=self.user, club_id=1)
+        membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
+        membership.save()
+
+        bde = Club.objects.get(name="BDE")
+        view_user_perm = Permission.objects.get(pk=1)  # View own user detail
+
+        self.base_scope = f'{view_user_perm.pk}_{bde.pk}'
+
+    def test_oauth2_authorization_code_flow(self):
+        """
+        Ensure OAuth2 Authorization Code Flow work
+        """
+
+        app = Application.objects.create(
+            name="Test Authorization Code",
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            user=self.user,
+            hash_client_secret=False,
+            redirect_uris='http://127.0.0.1:8000/noexist/callback',
+            algorithm=Application.NO_ALGORITHM,
+        )
+
+        credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
+
+        ############################
+        # Minimal RFC6749 requests #
+        ############################
+
+        resp = self.client.get('/o/authorize/',
+                               data={"response_type": "code",                   # REQUIRED
+                                     "client_id": app.client_id},               # REQUIRED
+                               **{"Content-Type": 'application/x-www-form-urlencoded'})
+
+        # Get user authorization
+
+        ##################################################################################
+
+        url = resp.url
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                data={"username": self.user.username,
+                                      "password": self.user_password,
+                                      "permission_mask": 1,
+                                      "csrfmiddlewaretoken": csrf_token})
+
+        url = resp.url
+        resp = self.client.get(url)
+
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                follow=True,
+                                data={"allow": "Authorize",
+                                      "scope": "0_0",
+                                      "csrfmiddlewaretoken": csrf_token,
+                                      "response_type": "code",
+                                      "client_id": app.client_id,
+                                      "redirect_uri": app.redirect_uris})
+
+        keys = resp.request['QUERY_STRING'].split("&")
+        for key in keys:
+            if len(key.split('code=')) == 2:
+                code = key.split('code=')[1]
+
+        ##################################################################################
+
+        grant = Grant.objects.get(code=code)
+        self.assertEqual(grant.scope, '0_0')
+
+        # Now we can ask an Access Token
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": 'authorization_code',       # REQUIRED
+                                      "code": code},                            # REQUIRED
+                                **{"Content-Type": 'application/x-www-form-urlencoded',
+                                   "HTTP_Authorization": f'Basic {credential}'})
+
+        # We should have refresh token
+        self.assertEqual('refresh_token' in resp.json(), True)
+
+        token = AccessToken.objects.get(token=resp.json()['access_token'])
+
+        # Token do nothing, it should be have the useless scope
+        self.assertEqual(token.scope, '0_0')
+
+        # Logout user
+        self.client.logout()
+
+        #############################################
+        # Maximal RFC6749 + RFC7636 (PKCE) requests #
+        #############################################
+
+        state = get_random_string(32)
+
+        # PKCE
+        code_verifier = get_random_string(100)  # 43-128 characters [A-Z,a-z,0-9,"-",".","_","~"]
+        code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest()
+        code_challenge = base64.urlsafe_b64encode(code_challenge).decode('utf-8').replace('=', '')
+        cc_method = "S256"
+
+        resp = self.client.get('/o/authorize/',
+                               data={"response_type": "code",                   # REQUIRED
+                                     "code_challenge": code_challenge,          # PKCE REQUIRED
+                                     "code_challenge_method": cc_method,        # PKCE REQUIRED
+                                     "client_id": app.client_id,                # REQUIRED
+                                     "redirect_uri": app.redirect_uris,         # OPTIONAL
+                                     "scope": self.base_scope,                  # OPTIONAL
+                                     "state": state},                           # RECOMMENDED
+                               **{"Content-Type": 'application/x-www-form-urlencoded'})
+
+        # Get user authorization
+        ##################################################################################
+        url = resp.url
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                data={"username": self.user.username,
+                                      "password": self.user_password,
+                                      "permission_mask": 1,
+                                      "csrfmiddlewaretoken": csrf_token})
+
+        url = resp.url
+        resp = self.client.get(url)
+
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                follow=True,
+                                data={"allow": "Authorize",
+                                      "scope": self.base_scope,
+                                      "csrfmiddlewaretoken": csrf_token,
+                                      "response_type": "code",
+                                      "code_challenge": code_challenge,
+                                      "code_challenge_method": cc_method,
+                                      "client_id": app.client_id,
+                                      "state": state,
+                                      "redirect_uri": app.redirect_uris})
+
+        keys = resp.request['QUERY_STRING'].split("&")
+        for key in keys:
+            if len(key.split('code=')) == 2:
+                code = key.split('code=')[1]
+            if len(key.split('state=')) == 2:
+                resp_state = key.split('state=')[1]
+
+        ##################################################################################
+
+        grant = Grant.objects.get(code=code)
+        self.assertEqual(grant.scope, self.base_scope)
+        self.assertEqual(state, resp_state)
+
+        # Now we can ask an Access Token
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": 'authorization_code',       # REQUIRED
+                                      "code": code,                             # REQUIRED
+                                      "code_verifier": code_verifier,           # PKCE REQUIRED
+                                      "redirect_uri": app.redirect_uris},       # REQUIRED
+                                **{"Content-Type": 'application/x-www-form-urlencoded',
+                                   "HTTP_Authorization": f'Basic {credential}'})
+
+        # We should have refresh token
+        self.assertEqual('refresh_token' in resp.json(), True)
+
+        token = AccessToken.objects.get(token=resp.json()['access_token'])
+
+        # Token can have access, it shouldn't have the useless scope
+        self.assertEqual(token.scope, self.base_scope)
+
+    def test_oauth2_implicit_flow(self):
+        """
+        Ensure OAuth2 Implicit Flow work
+        """
+        app = Application.objects.create(
+            name="Test Implicit Flow",
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_IMPLICIT,
+            user=self.user,
+            hash_client_secret=False,
+            algorithm=Application.NO_ALGORITHM,
+            redirect_uris='http://127.0.0.1:8000/noexist/callback/',
+        )
+
+        ############################
+        # Minimal RFC6749 requests #
+        ############################
+
+        resp = self.client.get('/o/authorize/',
+                               data={'response_type': 'token',                  # REQUIRED
+                                     'client_id': app.client_id},               # REQUIRED
+                               **{"Content-Type": 'application/x-www-form-urlencoded'}
+                               )
+
+        # Get user authorization
+        ##################################################################################
+        url = resp.url
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                data={"username": self.user.username,
+                                      "password": self.user_password,
+                                      "permission_mask": 1,
+                                      "csrfmiddlewaretoken": csrf_token})
+
+        url = resp.url
+        resp = self.client.get(url)
+
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                follow=True,
+                                data={"allow": "Authorize",
+                                      "scope": '0_0',
+                                      "csrfmiddlewaretoken": csrf_token,
+                                      "response_type": "token",
+                                      "client_id": app.client_id,
+                                      "redirect_uri": app.redirect_uris})
+
+        url = resp.redirect_chain[0][0]
+        keys = url.split('#')[1]
+        refresh_token = ''
+
+        for couple in keys.split('&'):
+            if couple.split('=')[0] == 'access_token':
+                token = couple.split('=')[1]
+            if couple.split('=')[0] == 'refresh_token':
+                refresh_token = couple.split('=')[1]
+
+        ##################################################################################
+
+        self.assertEqual(refresh_token, '')
+
+        access_token = AccessToken.objects.get(token=token)
+
+        # Token do nothing, it should be have the useless scope
+        self.assertEqual(access_token.scope, '0_0')
+
+        # Logout user
+        self.client.logout()
+
+        ############################
+        # Maximal RFC6749 requests #
+        ############################
+
+        state = get_random_string(32)
+
+        resp = self.client.get('/o/authorize/',
+                               data={'response_type': 'token',                  # REQUIRED
+                                     'client_id': app.client_id,                # REQUIRED
+                                     'redirect_uri': app.redirect_uris,         # OPTIONAL
+                                     'scope': self.base_scope,                  # OPTIONAL
+                                     'state': state},                           # RECOMMENDED
+                               **{"Content-Type": 'application/x-www-form-urlencoded'}
+                               )
+
+        # Get user authorization
+        ##################################################################################
+        url = resp.url
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                data={"username": self.user.username,
+                                      "password": self.user_password,
+                                      "permission_mask": 1,
+                                      "csrfmiddlewaretoken": csrf_token})
+
+        url = resp.url
+        resp = self.client.get(url)
+
+        csrf_token = resp.text.split('CSRF_TOKEN = "')[0].split('"')[0]
+
+        resp = self.client.post(url,
+                                follow=True,
+                                data={"allow": "Authorize",
+                                      "scope": self.base_scope,
+                                      "state": state,
+                                      "csrfmiddlewaretoken": csrf_token,
+                                      "response_type": "token",
+                                      "client_id": app.client_id,
+                                      "redirect_uri": app.redirect_uris})
+
+        url = resp.redirect_chain[0][0]
+        keys = url.split('#')[1]
+        refresh_token = ''
+
+        for couple in keys.split('&'):
+            if couple.split('=')[0] == 'access_token':
+                token = couple.split('=')[1]
+            if couple.split('=')[0] == 'refresh_token':
+                refresh_token = couple.split('=')[1]
+            if couple.split('=')[0] == 'state':
+                resp_state = couple.split('=')[1]
+
+        ##################################################################################
+
+        self.assertEqual(refresh_token, '')
+
+        access_token = AccessToken.objects.get(token=token)
+
+        # Token can have access, it shouldn't have the useless scope
+        self.assertEqual(access_token.scope, self.base_scope)
+
+        self.assertEqual(state, resp_state)
+
+    def test_oauth2_resource_owner_password_credentials_flow(self):
+        """
+        Ensure OAuth2 Resource Owner Password Credentials Flow work
+        """
+        app = Application.objects.create(
+            name="Test ROPB",
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_PASSWORD,
+            user=self.user,
+            hash_client_secret=False,
+            algorithm=Application.NO_ALGORITHM,
+        )
+
+        credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
+
+        # No token without real password
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "password",                 # REQUIRED
+                                      "username": self.user,                    # REQUIRED
+                                      "password": "password"},                  # REQUIRED
+                                **{"Content-Type": 'application/x-www-form-urlencoded',
+                                   "Http_Authorization": f'Basic {credential}'}
+                                )
+
+        self.assertEqual(resp.status_code, 400)
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "password",                 # REQUIRED
+                                      "username": self.user,                    # REQUIRED
+                                      "password": self.user_password},          # REQUIRED
+                                **{"Content-Type": 'application/x-www-form-urlencoded',
+                                   "HTTP_Authorization": f'Basic {credential}'}
+                                )
+
+        self.assertEqual(resp.status_code, 200)
+
+        access_token = AccessToken.objects.get(token=resp.json()['access_token'])
+        self.assertEqual('refresh_token' in resp.json(), True)
+
+        self.assertEqual(access_token.scope, '0_0')  # token do nothing
+
+        # RFC6749 4.3.2 allows use of scope in ROPB token access request
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "password",                 # REQUIRED
+                                      "username": self.user,                    # REQUIRED
+                                      "password": self.user_password,           # REQUIRED
+                                      "scope": self.base_scope},                # OPTIONAL
+                                **{"Content-Type": 'application/x-www-form-urlencoded',
+                                   "HTTP_Authorization": f'Basic {credential}'}
+                                )
+
+        token = AccessToken.objects.get(token=resp.json()['access_token'])
+
+        self.assertEqual(token.scope, self.base_scope)  # token do nothing more than base_scope
+
+    def test_oauth2_client_credentials(self):
+        """
+        Ensure OAuth2 Client Credentials work
+        """
+        app = Application.objects.create(
+            name="Test client_credentials",
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
+            user=self.user,
+            hash_client_secret=False,
+            algorithm=Application.NO_ALGORITHM,
+        )
+
+        # No token without credential
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials"},      # REQUIRED
+                                **{"Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 401)
+
+        # Access with credential
+        credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()
+
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials"},      # REQUIRED
+                                **{'HTTP_Authorization': f'Basic {credential}',
+                                   "Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 200)
+
+        token = AccessToken.objects.get(token=resp.json()['access_token'])
+
+        # Token do nothing, it should be have the useless scope
+        self.assertEqual(token.scope, '0_0')
+
+        # RFC6749 4.4.2 allows use of scope in client credential flow
+        resp = self.client.post('/o/token/',
+                                data={"grant_type": "client_credentials",       # REQUIRED
+                                      "scope": self.base_scope},                # OPTIONAL
+                                **{'http_Authorization': f'Basic {credential}',
+                                   "Content-Type": 'application/x-www-form-urlencoded'}
+                                )
+
+        self.assertEqual(resp.status_code, 200)
+
+        token = AccessToken.objects.get(token=resp.json()['access_token'])
+
+        # Token can have access, it shouldn't have the useless scope
+        self.assertEqual(token.scope, self.base_scope)
--- a/docs/external_services/index.rst
+++ b/docs/external_services/index.rst
@@ -18,11 +18,21 @@ note. De cette façon, chaque application peut authentifier ses utilisateur⋅ri
 et récupérer leurs adhésions, leur nom de note afin d'éventuellement faire des transferts
 via l'API.

-Deux protocoles d'authentification sont implémentées :
+Trois protocoles d'authentification sont implémentées :

 * `CAS <cas>`_
 * `OAuth2 <oauth2>`_
+ * Open ID Connect

-À ce jour, il n'y a pas encore d'exemple d'utilisation d'application qui utilise ce
-mécanisme, mais on peut imaginer par exemple que la Mediatek ou l'AMAP implémentent
-ces protocoles pour récupérer leurs adhérent⋅es.
+À ce jour, ce mécanisme est notamment utilisé par :
+ * Le `serveur photo <https://photos.crans.org>`_
+ * L'`imprimante <https://helloworld.crans.org>`_ du `Cr@ns <https://crans.org>`_
+ * Le serveur `Matrix <https://element.crans.org>`_ du `Cr@ns <https://crans.org>`_
+ * La `base de donnée de la Mediatek <https://med.crans.org>`_
+ * Le site du `K-WEI <https://kwei.crans.org>`_ 
+
+Et dans un futur plus ou moins proche :
+ * Le site pour loger les admissibles pendant les oraux (cf. `ici <https://gitlab.crans.org/bde/la25>`_)
+ * L'application mobile de la note
+ * Le site pour les commandes Terre à Terre (cf. `là <https://gitlab.crans.org/tat/blog>`_)
+ * Le futur wiki...
--- a/docs/external_services/oauth2.rst
+++ b/docs/external_services/oauth2.rst
@@ -47,7 +47,6 @@ On a ensuite besoin de définir nos propres scopes afin d'avoir des permissions
       'OIDC_ENABLED': True,
       'OIDC_RSA_PRIVATE_KEY':
           os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
-       'SCOPES': { 'openid': "OpenID Connect scope" },
   }

 Cela a pour effet d'avoir des scopes sous la forme ``PERMISSION_CLUB``,
@@ -99,7 +98,7 @@ du format renvoyé.

 .. warning::

-   Un petit mot sur les scopes : tel qu'implémenté, une scope est une permission unitaire
+   Un petit mot sur les scopes : tel qu'implémenté, un scope est une permission unitaire
   (telle que décrite dans le modèle ``Permission``) associée à un club. Ainsi, un jeton
   a accès à une scope si et seulement si læ propriétaire du jeton dispose d'une adhésion
   courante dans le club lié à la scope qui lui octroie cette permission.
@@ -113,6 +112,9 @@ du format renvoyé.
   Vous pouvez donc contrôler le plus finement possible les permissions octroyées à vos
   jetons.

+   Deux scopes sont un peu particulier, le scope "0_0" qui ne donne aucune permission
+   et le scope "openid" pour l'OIDC.
+
 .. danger::

   Demander des scopes n'implique pas de les avoir.
@@ -134,6 +136,11 @@ du format renvoyé.
   uniquement dans le cas où l'utilisateur⋅rice connecté⋅e
   possède la permission problématique.

+   Dans le cas extrême ou aucun scope demandé n'est obtenus, vous
+   obtiendriez le scope "0_0" qui ne permet l'accès à rien.
+   Cela permet de générer un token pour toute les requêtes valides.
+   
+   
 Avec Django-allauth
 ###################

@@ -142,6 +149,10 @@ le module pré-configuré disponible ici :
 `<https://gitlab.crans.org/bde/allauth-note-kfet>`_. Pour l'installer, vous
 pouvez simplement faire :

+.. warning::
+   À cette heure (11/2025), ce paquet est déprécié et il est plutôt conseillé de créer
+   sa propre application.
+
 .. code:: bash

   $ pip3 install git+https://gitlab.crans.org/bde/allauth-note-kfet.git
@@ -195,6 +206,20 @@ récupérés. Les autres données sont stockées mais inutilisées.
 Application personnalisée
 #########################

+.. note::
+
+   Tout les flow (c'est-à-dire les différentes suites de requête possible pour obtenir
+   un token d'accès) de l'OAuth2 sont reproduits dans les
+   `tests <https://gitlab.crans.org/bde/nk20/-/tree/main/apps/permission/tests/test_oauth2_flow.py>`_
+   de l'application permission de la Note. L'OIDC n'étant qu'une extension du protocole
+   OAuth2 vous pouvez facilement reproduire les requêtes en vous inspirant de
+   l'Authorization Code de OAuth2.
+
+.. danger::
+   
+   Pour des raisons de rétrocompatibilité, PKCE (Proof Key for Code Exchange) n'est pas requis,
+   son utilisation est néanmoins très vivement conseillé.
+
 Ce modèle vous permet de créer vos propres applications à interfacer avec la Note Kfet.

 Commencez par créer une application : `<https://note.crans.org/o/applications/register>`_.
@@ -223,6 +248,8 @@ c'est sur cette page qu'il faut rediriger les utilisateur⋅rices. Il faut mettr
  autorisée par l'application. À des fins de test, peut être `<http://localhost/>`_.
 * ``state`` : optionnel, peut être utilisé pour permettre au client de détecter des requêtes
  provenant d'autres sites.
+* ``code_challenge``: PKCE, le hash d'une chaine d'entre 43 et 128  caractères.
+* ``code_challenge_method``: PKCE, ``S256`` si le hasher est sha256.

 Sur cette page, les permissions demandées seront listées, et l'utilisateur⋅rice aura le
 choix d'accepter ou non. Dans les deux cas, l'utilisateur⋅rice sera redirigée vers
@@ -283,4 +310,4 @@ de rafraichissement à usage unique. Il suffit pour cela de refaire une requête
 Le serveur vous fournira alors une nouvelle paire de jetons, comme précédemment.
 À noter qu'un jeton de rafraîchissement est à usage unique.

-N'hésitez pas à vous renseigner sur OAuth2 pour plus d'informations.
+N'hésitez pas à vous renseigner sur `OAuth2 <https://www.rfc-editor.org/rfc/rfc6749.html>`_ ou sur le protocole `OIDC <https://openid.net/specs/openid-connect-core-1_0.html>`_ pour plus d'informations.
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
--- a/note_kfet/settings/base.py
+++ b/note_kfet/settings/base.py
@@ -273,9 +273,9 @@ OAUTH2_PROVIDER = {
    'REFRESH_TOKEN_EXPIRE_SECONDS': timedelta(days=14),
    'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
    'OIDC_ENABLED': True,
+    'OIDC_RP_INITIATED_LOGOUT_ENABLED': False,
    'OIDC_RSA_PRIVATE_KEY':
        os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
-    'SCOPES': { 'openid': "OpenID Connect scope" },
 }

 # Take control on how widget templates are sourced
--- a/note_kfet/static/img/appstore_badge_fr_preorder.svg
+++ b/note_kfet/static/img/appstore_badge_fr_preorder.svg
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="Calque_2" data-name="Calque 2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 126.5 40">
+  <defs>
+    <style>
+      .cls-1 {
+        fill: #a6a6a6;
+      }
+
+      .cls-2 {
+        fill: #fff;
+      }
+    </style>
+  </defs>
+  <g id="livetype">
+    <g>
+      <g>
+        <path class="cls-1" d="M116.97,0H9.53c-.37,0-.73,0-1.09,0-.31,0-.61,0-.92.01-.67.02-1.34.06-2,.18-.67.12-1.29.32-1.9.63-.6.31-1.15.71-1.62,1.18-.48.47-.88,1.02-1.18,1.62-.31.61-.51,1.23-.63,1.9-.12.66-.16,1.33-.18,2,0,.31-.01.61-.02.92v23.11c0,.31,0,.61.02.92.02.67.06,1.34.18,2,.12.67.31,1.3.63,1.9.3.6.7,1.14,1.18,1.61.47.48,1.02.88,1.62,1.18.61.31,1.23.51,1.9.63.66.12,1.34.16,2,.18.31,0,.61.01.92.01.37,0,.73,0,1.09,0h107.44c.36,0,.72,0,1.08,0,.3,0,.62,0,.92-.01.67-.02,1.34-.06,2-.18.67-.12,1.29-.32,1.91-.63.6-.3,1.14-.7,1.62-1.18.48-.47.87-1.02,1.18-1.61.31-.61.51-1.23.62-1.9.12-.66.16-1.33.19-2,0-.31,0-.61,0-.92,0-.36,0-.72,0-1.09V9.54c0-.37,0-.73,0-1.09,0-.31,0-.61,0-.92-.02-.67-.06-1.34-.19-2-.11-.67-.31-1.29-.62-1.9-.31-.6-.71-1.15-1.18-1.62-.47-.47-1.02-.87-1.62-1.18-.62-.31-1.24-.51-1.91-.63-.66-.12-1.33-.16-2-.18-.3,0-.62-.01-.92-.01-.36,0-.72,0-1.08,0h0Z"/>
+        <path d="M8.44,39.12c-.3,0-.6,0-.9-.01-.56-.02-1.22-.05-1.87-.16-.61-.11-1.15-.29-1.66-.55-.52-.26-.99-.61-1.4-1.02-.41-.41-.75-.87-1.02-1.4-.26-.5-.44-1.05-.54-1.66-.12-.67-.15-1.36-.17-1.88,0-.21-.01-.91-.01-.91V8.44s0-.69.01-.89c.01-.52.04-1.21.17-1.87.11-.61.28-1.16.54-1.66.27-.52.61-.99,1.02-1.4.41-.41.88-.76,1.4-1.02.51-.26,1.06-.44,1.65-.54.67-.12,1.36-.15,1.88-.16h.9s109.6-.01,109.6-.01h.91c.51.03,1.2.06,1.86.18.6.11,1.15.28,1.67.55.51.26.98.61,1.39,1.02.41.41.75.88,1.02,1.4.26.51.43,1.05.54,1.65.12.63.15,1.28.17,1.89,0,.28,0,.59,0,.89,0,.38,0,.73,0,1.09v20.93c0,.36,0,.72,0,1.08,0,.33,0,.62,0,.93-.02.59-.06,1.24-.17,1.85-.1.61-.28,1.16-.54,1.67-.27.52-.61.99-1.02,1.39-.41.42-.88.76-1.4,1.02-.52.26-1.05.44-1.67.55-.64.12-1.3.15-1.87.16-.29,0-.6.01-.9.01h-1.08s-108.53,0-108.53,0Z"/>
+      </g>
+      <g>
+        <g>
+          <path class="cls-2" d="M24.77,20.3c-.03-2.75,2.25-4.09,2.36-4.15-1.29-1.88-3.29-2.14-3.99-2.16-1.68-.18-3.31,1-4.16,1s-2.19-.99-3.61-.96c-1.83.03-3.54,1.09-4.47,2.73-1.93,3.35-.49,8.27,1.36,10.98.93,1.33,2.01,2.81,3.43,2.75,1.39-.06,1.91-.88,3.58-.88s2.14.88,3.59.85c1.49-.02,2.43-1.33,3.32-2.67,1.07-1.52,1.5-3.02,1.52-3.09-.03-.01-2.89-1.1-2.92-4.4Z"/>
+          <path class="cls-2" d="M22.04,12.21c.75-.93,1.26-2.2,1.11-3.49-1.08.05-2.43.75-3.21,1.66-.69.8-1.3,2.12-1.14,3.36,1.21.09,2.46-.61,3.24-1.53Z"/>
+        </g>
+        <g>
+          <path class="cls-2" d="M37.55,8.73c1.17,0,1.97.81,1.97,1.99s-.83,1.97-2,1.97h-1.38v2.01h-.93v-5.97h2.34ZM36.14,11.88h1.17c.8,0,1.27-.41,1.27-1.15s-.45-1.17-1.27-1.17h-1.17v2.32Z"/>
+          <path class="cls-2" d="M40.73,10.2h.86v.69h.07c.13-.44.63-.77,1.22-.77.13,0,.3.01.4.04v.88c-.07-.02-.34-.05-.5-.05-.67,0-1.15.43-1.15,1.06v2.66h-.89v-4.5Z"/>
+          <path class="cls-2" d="M47.94,13.49c-.2.81-.92,1.3-1.95,1.3-1.29,0-2.08-.88-2.08-2.32s.81-2.35,2.08-2.35,2.01.86,2.01,2.27v.31h-3.18v.05c.03.79.49,1.29,1.2,1.29.54,0,.91-.19,1.07-.55h.86ZM44.81,12.03h2.27c-.02-.71-.45-1.17-1.11-1.17s-1.12.46-1.17,1.17ZM45.45,9.45l1.04-1.42h1.04l-1.16,1.42h-.92Z"/>
+          <path class="cls-2" d="M52.14,11.67c-.1-.44-.47-.76-1.06-.76-.74,0-1.2.57-1.2,1.53s.46,1.56,1.2,1.56c.56,0,.95-.26,1.06-.74h.86c-.12.91-.81,1.53-1.92,1.53-1.31,0-2.11-.88-2.11-2.35s.8-2.32,2.11-2.32c1.13,0,1.81.66,1.93,1.56h-.86Z"/>
+          <path class="cls-2" d="M53.92,12.45c0-1.45.81-2.34,2.12-2.34s2.12.88,2.12,2.34-.81,2.34-2.12,2.34-2.12-.88-2.12-2.34ZM57.25,12.45c0-.98-.44-1.55-1.21-1.55s-1.21.57-1.21,1.55.43,1.55,1.21,1.55,1.21-.57,1.21-1.55Z"/>
+          <path class="cls-2" d="M59.35,10.2h.86v.72h.07c.2-.51.65-.81,1.25-.81s1.04.32,1.24.81h.07c.23-.49.74-.81,1.37-.81.91,0,1.44.55,1.44,1.49v3.1h-.89v-2.87c0-.61-.29-.91-.87-.91s-.95.41-.95.94v2.83h-.87v-2.96c0-.51-.34-.82-.87-.82s-.95.44-.95,1.02v2.75h-.89v-4.5Z"/>
+          <path class="cls-2" d="M67.02,10.2h.86v.72h.07c.2-.51.65-.81,1.25-.81s1.04.32,1.24.81h.07c.23-.49.74-.81,1.37-.81.91,0,1.44.55,1.44,1.49v3.1h-.89v-2.87c0-.61-.29-.91-.87-.91s-.95.41-.95.94v2.83h-.87v-2.96c0-.51-.34-.82-.87-.82s-.95.44-.95,1.02v2.75h-.89v-4.5Z"/>
+          <path class="cls-2" d="M74.43,13.43c0-.81.6-1.28,1.67-1.34l1.22-.07v-.39c0-.48-.31-.74-.92-.74-.5,0-.84.18-.94.5h-.86c.09-.77.82-1.27,1.84-1.27,1.13,0,1.77.56,1.77,1.51v3.08h-.86v-.63h-.07c-.27.45-.76.71-1.35.71-.87,0-1.5-.52-1.5-1.35ZM77.33,13.04v-.38l-1.1.07c-.62.04-.9.25-.9.65s.35.64.83.64c.67,0,1.17-.43,1.17-.98Z"/>
+          <path class="cls-2" d="M79.6,10.2h.86v.72h.07c.22-.5.67-.8,1.34-.8,1,0,1.56.6,1.56,1.67v2.92h-.89v-2.69c0-.72-.31-1.08-.97-1.08s-1.08.44-1.08,1.14v2.63h-.89v-4.5Z"/>
+          <path class="cls-2" d="M84.58,12.45c0-1.42.73-2.32,1.87-2.32.62,0,1.14.29,1.38.79h.07v-2.47h.89v6.26h-.85v-.71h-.07c-.27.49-.79.79-1.41.79-1.15,0-1.87-.9-1.87-2.33ZM85.5,12.45c0,.96.45,1.53,1.2,1.53s1.21-.58,1.21-1.53-.47-1.53-1.21-1.53-1.2.58-1.2,1.53Z"/>
+          <path class="cls-2" d="M94.05,13.49c-.2.81-.92,1.3-1.95,1.3-1.29,0-2.08-.88-2.08-2.32s.81-2.35,2.08-2.35,2.01.86,2.01,2.27v.31h-3.18v.05c.03.79.49,1.29,1.2,1.29.54,0,.91-.19,1.07-.55h.86ZM90.92,12.03h2.27c-.02-.71-.45-1.17-1.11-1.17s-1.12.46-1.17,1.17Z"/>
+          <path class="cls-2" d="M95.3,10.2h.86v.69h.07c.13-.44.63-.77,1.22-.77.13,0,.3.01.4.04v.88c-.07-.02-.34-.05-.5-.05-.67,0-1.15.43-1.15,1.06v2.66h-.89v-4.5Z"/>
+          <path class="cls-2" d="M102.9,10.11c1.01,0,1.67.47,1.76,1.27h-.85c-.08-.33-.41-.54-.91-.54s-.87.24-.87.59c0,.27.23.44.72.55l.75.17c.86.2,1.26.57,1.26,1.23,0,.85-.79,1.41-1.87,1.41s-1.77-.48-1.85-1.28h.89c.11.35.44.56.98.56s.95-.25.95-.61c0-.27-.21-.44-.66-.55l-.79-.18c-.86-.2-1.25-.59-1.25-1.26,0-.8.73-1.36,1.75-1.36Z"/>
+          <path class="cls-2" d="M109.74,14.7h-.86v-.72h-.07c-.22.51-.68.8-1.36.8-1,0-1.55-.61-1.55-1.67v-2.92h.89v2.69c0,.73.29,1.08.95,1.08.72,0,1.11-.43,1.11-1.13v-2.63h.89v4.5Z"/>
+          <path class="cls-2" d="M111.16,10.2h.86v.69h.07c.13-.44.63-.77,1.22-.77.13,0,.3.01.4.04v.88c-.07-.02-.34-.05-.5-.05-.67,0-1.15.43-1.15,1.06v2.66h-.89v-4.5Z"/>
+        </g>
+      </g>
+      <g>
+        <path class="cls-2" d="M35.2,18.07h1.86v12.42h-1.86v-12.42Z"/>
+        <path class="cls-2" d="M39.3,22.61l1.02-4.54h1.81l-1.23,4.54h-1.59Z"/>
+        <path class="cls-2" d="M49.15,27.13h-4.73l-1.14,3.36h-2l4.48-12.42h2.08l4.48,12.42h-2.04l-1.14-3.36ZM44.9,25.58h3.75l-1.85-5.45h-.05l-1.85,5.45Z"/>
+        <path class="cls-2" d="M62,25.96c0,2.81-1.51,4.62-3.78,4.62-1.29,0-2.31-.58-2.85-1.58h-.04v4.48h-1.86v-12.05h1.8v1.51h.03c.52-.97,1.62-1.6,2.88-1.6,2.3,0,3.81,1.82,3.81,4.62ZM60.09,25.96c0-1.83-.95-3.04-2.39-3.04s-2.38,1.23-2.38,3.04.96,3.05,2.38,3.05,2.39-1.2,2.39-3.05Z"/>
+        <path class="cls-2" d="M71.97,25.96c0,2.81-1.51,4.62-3.78,4.62-1.29,0-2.31-.58-2.85-1.58h-.04v4.48h-1.86v-12.05h1.8v1.51h.03c.52-.97,1.62-1.6,2.88-1.6,2.3,0,3.81,1.82,3.81,4.62ZM70.06,25.96c0-1.83-.95-3.04-2.39-3.04s-2.38,1.23-2.38,3.04.96,3.05,2.38,3.05,2.39-1.2,2.39-3.05Z"/>
+        <path class="cls-2" d="M78.55,27.03c.14,1.23,1.33,2.04,2.97,2.04s2.69-.81,2.69-1.92c0-.96-.68-1.54-2.29-1.94l-1.61-.39c-2.28-.55-3.34-1.62-3.34-3.35,0-2.14,1.87-3.61,4.52-3.61s4.42,1.47,4.48,3.61h-1.88c-.11-1.24-1.14-1.99-2.63-1.99s-2.52.76-2.52,1.86c0,.88.65,1.39,2.25,1.79l1.37.34c2.55.6,3.61,1.63,3.61,3.44,0,2.32-1.85,3.78-4.79,3.78-2.75,0-4.61-1.42-4.73-3.67h1.9Z"/>
+        <path class="cls-2" d="M90.19,19.29v2.14h1.72v1.47h-1.72v4.99c0,.78.34,1.14,1.1,1.14.19,0,.49-.03.61-.04v1.46c-.21.05-.62.09-1.03.09-1.83,0-2.55-.69-2.55-2.44v-5.19h-1.32v-1.47h1.32v-2.14h1.87Z"/>
+        <path class="cls-2" d="M92.91,25.96c0-2.85,1.68-4.64,4.29-4.64s4.29,1.79,4.29,4.64-1.66,4.64-4.29,4.64-4.29-1.78-4.29-4.64ZM99.6,25.96c0-1.95-.9-3.11-2.4-3.11s-2.4,1.16-2.4,3.11.9,3.11,2.4,3.11,2.4-1.14,2.4-3.11Z"/>
+        <path class="cls-2" d="M103.03,21.43h1.77v1.54h.04c.28-1.02,1.11-1.64,2.18-1.64.27,0,.49.04.64.07v1.74c-.15-.06-.47-.11-.83-.11-1.2,0-1.94.81-1.94,2.08v5.37h-1.86v-9.05Z"/>
+        <path class="cls-2" d="M116.23,27.83c-.25,1.64-1.85,2.77-3.9,2.77-2.63,0-4.27-1.76-4.27-4.6s1.64-4.68,4.19-4.68,4.08,1.72,4.08,4.47v.64h-6.39v.11c0,1.55.97,2.56,2.44,2.56,1.03,0,1.84-.49,2.09-1.27h1.76ZM109.94,25.12h4.53c-.04-1.39-.93-2.3-2.22-2.3s-2.21.93-2.31,2.3Z"/>
+      </g>
+    </g>
+  </g>
+</svg>
--- a/note_kfet/static/img/playstore_badge_fr.svg
+++ b/note_kfet/static/img/playstore_badge_fr.svg
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <svg id="artwork" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 135 40">
-  <!-- Generator: Adobe Illustrator 29.5.1, SVG Export Plug-In . SVG Version: 2.1.0 Build 141)  -->
+  <!-- Generator: Adobe Illustrator 29.2.1, SVG Export Plug-In . SVG Version: 2.1.0 Build 116)  -->
  <defs>
    <style>
      .st0 {
@@ -8,42 +8,56 @@
      }

      .st1 {
-        fill: #a6a6a6;
+        isolation: isolate;
      }

      .st2 {
-        fill: #34a853;
+        fill: #a6a6a6;
      }

      .st3 {
+        fill: #34a853;
+      }
+
+      .st4 {
        fill: #fbbc04;
      }

-      .st4, .st5 {
+      .st5 {
        fill: #fff;
      }

      .st6 {
        fill: #ea4335;
      }
-
-      .st5 {
-        font-family: GoogleSans-Medium, 'Google Sans';
-        font-size: 8.7px;
-        font-weight: 500;
-      }
    </style>
  </defs>
  <g>
    <rect width="135" height="40" rx="5" ry="5"/>
-    <path class="st1" d="M130,.8c2.316,0,4.2,1.884,4.2,4.2v30c0,2.316-1.884,4.2-4.2,4.2H5c-2.316,0-4.2-1.884-4.2-4.2V5C.8,2.684,2.684.8,5,.8h125M130,0H5C2.25,0,0,2.25,0,5v30c0,2.75,2.25,5,5,5h125c2.75,0,5-2.25,5-5V5C135,2.25,132.75,0,130,0h0Z"/>
-    <path class="st4" d="M68.136,21.752c-2.352,0-4.269,1.788-4.269,4.253,0,2.449,1.917,4.253,4.269,4.253s4.269-1.804,4.269-4.253c0-2.465-1.917-4.253-4.269-4.253ZM68.136,28.583c-1.289,0-2.4-1.063-2.4-2.578,0-1.531,1.112-2.578,2.4-2.578s2.4,1.047,2.4,2.578c0,1.514-1.112,2.578-2.4,2.578ZM58.822,21.752c-2.352,0-4.269,1.788-4.269,4.253,0,2.449,1.917,4.253,4.269,4.253s4.269-1.804,4.269-4.253c0-2.465-1.917-4.253-4.269-4.253ZM58.822,28.583c-1.289,0-2.4-1.063-2.4-2.578,0-1.531,1.112-2.578,2.4-2.578s2.4,1.047,2.4,2.578c0,1.514-1.112,2.578-2.4,2.578ZM47.744,23.057v1.804h4.318c-.129,1.015-.467,1.756-.983,2.272-.628.628-1.611,1.321-3.335,1.321-2.658,0-4.736-2.143-4.736-4.801s2.078-4.801,4.736-4.801c1.434,0,2.481.564,3.254,1.289l1.273-1.273c-1.079-1.031-2.513-1.82-4.527-1.82-3.641,0-6.702,2.964-6.702,6.605s3.061,6.605,6.702,6.605c1.965,0,3.448-.644,4.608-1.853,1.192-1.192,1.563-2.868,1.563-4.221,0-.419-.032-.805-.097-1.128h-6.074ZM93.052,24.458c-.354-.95-1.434-2.707-3.641-2.707-2.191,0-4.011,1.724-4.011,4.253,0,2.384,1.804,4.253,4.221,4.253,1.949,0,3.077-1.192,3.544-1.885l-1.45-.967c-.483.709-1.144,1.176-2.094,1.176s-1.627-.435-2.062-1.289l5.687-2.352-.193-.483ZM87.252,25.876c-.048-1.643,1.273-2.481,2.223-2.481.741,0,1.369.37,1.579.902l-3.802,1.579ZM82.628,30h1.869v-12.502h-1.869v12.502ZM79.567,22.702h-.064c-.419-.499-1.224-.951-2.239-.951-2.127,0-4.076,1.869-4.076,4.269,0,2.384,1.949,4.237,4.076,4.237,1.015,0,1.82-.451,2.239-.967h.064v.612c0,1.627-.87,2.497-2.272,2.497-1.144,0-1.853-.822-2.143-1.514l-1.627.677c.467,1.128,1.708,2.513,3.77,2.513,2.191,0,4.044-1.289,4.044-4.43v-7.636h-1.772v.693ZM77.425,28.583c-1.289,0-2.368-1.079-2.368-2.562,0-1.498,1.079-2.594,2.368-2.594,1.273,0,2.272,1.096,2.272,2.594,0,1.482-.999,2.562-2.272,2.562ZM101.806,17.499h-4.471v12.501h1.866v-4.736h2.605c2.068,0,4.101-1.497,4.101-3.883s-2.033-3.882-4.101-3.882ZM101.854,23.524h-2.654v-4.285h2.654c1.395,0,2.187,1.155,2.187,2.143,0,.969-.792,2.143-2.187,2.143ZM113.386,21.729c-1.351,0-2.75.595-3.329,1.914l1.657.692c.354-.692,1.013-.917,1.705-.917.965,0,1.946.579,1.962,1.608v.129c-.338-.193-1.061-.483-1.946-.483-1.785,0-3.603.981-3.603,2.815,0,1.673,1.463,2.75,3.104,2.75,1.254,0,1.946-.563,2.38-1.222h.064v.965h1.801v-4.793c0-2.22-1.657-3.458-3.796-3.458ZM113.16,28.58c-.611,0-1.464-.305-1.464-1.061,0-.965,1.061-1.335,1.978-1.335.82,0,1.206.177,1.705.418-.145,1.158-1.142,1.978-2.219,1.978ZM123.743,22.002l-2.139,5.42h-.064l-2.219-5.42h-2.01l3.329,7.575-1.898,4.214h1.946l5.131-11.789h-2.075ZM106.936,30h1.866v-12.501h-1.866v12.501Z"/>
+    <path class="st2" d="M130,.8c2.3,0,4.2,1.9,4.2,4.2v30c0,2.3-1.9,4.2-4.2,4.2H5c-2.3,0-4.2-1.9-4.2-4.2V5c0-2.3,1.9-4.2,4.2-4.2h125M130,0H5C2.2,0,0,2.2,0,5v30c0,2.8,2.2,5,5,5h125c2.8,0,5-2.2,5-5V5c0-2.8-2.2-5-5-5h0Z"/>
+    <path class="st5" d="M68.1,21.8c-2.4,0-4.3,1.8-4.3,4.3s1.9,4.3,4.3,4.3,4.3-1.8,4.3-4.3-1.9-4.3-4.3-4.3ZM68.1,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.4,1,2.4,2.6-1.1,2.6-2.4,2.6ZM58.8,21.8c-2.4,0-4.3,1.8-4.3,4.3s1.9,4.3,4.3,4.3,4.3-1.8,4.3-4.3-1.9-4.3-4.3-4.3ZM58.8,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.4,1,2.4,2.6-1.1,2.6-2.4,2.6ZM47.7,23.1v1.8h4.3c-.1,1-.5,1.8-1,2.3-.6.6-1.6,1.3-3.3,1.3-2.7,0-4.7-2.1-4.7-4.8s2.1-4.8,4.7-4.8,2.5.6,3.3,1.3l1.3-1.3c-1.1-1-2.5-1.8-4.5-1.8-3.6,0-6.7,3-6.7,6.6s3.1,6.6,6.7,6.6,3.4-.6,4.6-1.9c1.2-1.2,1.6-2.9,1.6-4.2s0-.8,0-1.1h-6.1,0ZM93.1,24.5c-.4-1-1.4-2.7-3.6-2.7s-4,1.7-4,4.3,1.8,4.3,4.2,4.3,3.1-1.2,3.5-1.9l-1.4-1c-.5.7-1.1,1.2-2.1,1.2s-1.6-.4-2.1-1.3l5.7-2.4-.2-.5h0ZM87.3,25.9c0-1.6,1.3-2.5,2.2-2.5s1.4.4,1.6.9c0,0-3.8,1.6-3.8,1.6ZM82.6,30h1.9v-12.5h-1.9v12.5ZM79.6,22.7h0c-.4-.5-1.2-1-2.2-1-2.1,0-4.1,1.9-4.1,4.3s1.9,4.2,4.1,4.2,1.8-.5,2.2-1h0v.6c0,1.6-.9,2.5-2.3,2.5s-1.9-.8-2.1-1.5l-1.6.7c.5,1.1,1.7,2.5,3.8,2.5s4-1.3,4-4.4v-7.6h-1.8s0,.7,0,.7ZM77.4,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.3,1.1,2.3,2.6-1,2.6-2.3,2.6ZM101.8,17.5h-4.5v12.5h1.9v-4.7h2.6c2.1,0,4.1-1.5,4.1-3.9s-2-3.9-4.1-3.9ZM101.9,23.5h-2.7v-4.3h2.7c1.4,0,2.2,1.2,2.2,2.1s-.8,2.1-2.2,2.1h0ZM113.4,21.7c-1.4,0-2.8.6-3.3,1.9l1.7.7c.4-.7,1-.9,1.7-.9s1.9.6,2,1.6h0c-.3,0-1.1-.4-1.9-.4-1.8,0-3.6,1-3.6,2.8s1.5,2.8,3.1,2.8,1.9-.6,2.4-1.2h0v1h1.8v-4.8c0-2.2-1.7-3.5-3.8-3.5h0ZM113.2,28.6c-.6,0-1.5-.3-1.5-1.1s1.1-1.3,2-1.3,1.2.2,1.7.4c-.1,1.2-1.1,2-2.2,2ZM123.7,22l-2.1,5.4h0l-2.2-5.4h-2l3.3,7.6-1.9,4.2h1.9l5.1-11.8h-2.1ZM106.9,30h1.9v-12.5h-1.9v12.5Z"/>
    <g>
-      <path class="st6" d="M20.717,19.424l-10.647,11.3s.001.005.002.007c.327,1.227,1.447,2.13,2.777,2.13.531,0,1.031-.144,1.459-.396l.034-.02,11.984-6.915-5.609-6.106Z"/>
-      <path class="st3" d="M31.488,17.5l-.01-.007-5.174-3-5.829,5.187,5.849,5.848,5.146-2.969c.902-.487,1.515-1.438,1.515-2.535,0-1.09-.604-2.036-1.498-2.525Z"/>
-      <path class="st0" d="M10.07,9.277c-.064.236-.098.484-.098.74v19.968c0,.256.033.504.098.739l11.013-11.011-11.013-10.436Z"/>
-      <path class="st2" d="M20.796,20.001l5.51-5.509-11.97-6.94c-.435-.261-.943-.411-1.486-.411-1.33,0-2.452.905-2.779,2.134,0,0,0,.002,0,.003l10.726,10.724Z"/>
+      <path class="st6" d="M20.7,19.4l-10.6,11.3s0,0,0,0c.3,1.2,1.4,2.1,2.8,2.1s1-.1,1.5-.4h0s12-6.9,12-6.9l-5.6-6.1Z"/>
+      <path class="st4" d="M31.5,17.5h0s-5.2-3-5.2-3l-5.8,5.2,5.8,5.8,5.1-3c.9-.5,1.5-1.4,1.5-2.5s-.6-2-1.5-2.5h0Z"/>
+      <path class="st0" d="M10.1,9.3c0,.2,0,.5,0,.7v20c0,.3,0,.5,0,.7l11-11s-11-10.4-11-10.4Z"/>
+      <path class="st3" d="M20.8,20l5.5-5.5-12-6.9c-.4-.3-.9-.4-1.5-.4-1.3,0-2.5.9-2.8,2.1h0s10.7,10.7,10.7,10.7h0Z"/>
+    </g>
+  </g>
+  <g class="st1">
+    <g class="st1">
+      <path class="st5" d="M41.8,6.9h2c.6,0,1.2.1,1.7.4s.9.6,1.1,1.1c.3.5.4,1,.4,1.6s-.1,1.1-.4,1.6c-.3.5-.6.8-1.1,1.1s-1,.4-1.7.4h-2v-6.2ZM43.8,12.2c.7,0,1.2-.2,1.6-.6.4-.4.6-.9.6-1.6s-.2-1.2-.6-1.6c-.4-.4-.9-.6-1.6-.6h-1v4.4h1Z"/>
+      <path class="st5" d="M48.1,6.9h1v6.2h-1v-6.2Z"/>
+      <path class="st5" d="M50.9,12.8c-.4-.3-.7-.7-.9-1.3l.9-.4c0,.3.3.6.5.8s.5.3.8.3.6,0,.8-.2c.2-.2.3-.4.3-.7s0-.5-.3-.6-.5-.3-1-.5h-.4c-.4-.3-.8-.5-1.1-.8-.3-.3-.4-.6-.4-1.1s0-.6.3-.9c.2-.3.4-.5.7-.6.3-.2.6-.2,1-.2.5,0,1,.1,1.3.4s.5.6.7.9l-.9.4c0-.2-.2-.4-.4-.5-.2-.2-.4-.2-.7-.2s-.5,0-.7.2-.3.3-.3.6,0,.4.3.5c.2.1.4.3.8.4h.4c.5.3.9.6,1.2.9s.4.7.4,1.2-.1.7-.3,1c-.2.3-.5.5-.8.6-.3.1-.7.2-1,.2-.5,0-1-.2-1.4-.5Z"/>
+      <path class="st5" d="M55.5,6.9h2.2c.4,0,.7,0,1,.2.3.2.6.4.7.7s.3.6.3,1,0,.7-.3,1-.4.5-.7.7c-.3.2-.6.2-1,.2h-1.2v2.4h-1v-6.2ZM57.7,9.8c.2,0,.4,0,.6-.1.2,0,.3-.2.4-.4,0-.2.1-.3.1-.5s0-.3-.1-.5c0-.2-.2-.3-.4-.4-.2,0-.3-.1-.6-.1h-1.2v2h1.2Z"/>
+      <path class="st5" d="M61.9,12.8c-.5-.3-.9-.7-1.2-1.2-.3-.5-.4-1-.4-1.6s.1-1.1.4-1.6c.3-.5.7-.9,1.2-1.2.5-.3,1-.4,1.6-.4s1.1.1,1.6.4c.5.3.9.7,1.2,1.2.3.5.4,1,.4,1.6s-.1,1.1-.4,1.6c-.3.5-.7.9-1.2,1.2-.5.3-1,.4-1.6.4s-1.2-.1-1.6-.4ZM64.6,12c.3-.2.6-.5.8-.8.2-.4.3-.8.3-1.2s0-.9-.3-1.2-.5-.6-.8-.8-.7-.3-1.1-.3-.8,0-1.1.3c-.3.2-.6.5-.8.8s-.3.8-.3,1.2.1.9.3,1.2c.2.4.5.6.8.8.3.2.7.3,1.1.3s.8,0,1.1-.3Z"/>
+      <path class="st5" d="M67.9,6.9h1.2l2.8,4.5h0v-1.2c0,0,0-3.3,0-3.3h1v6.2h-1l-2.9-4.8h0v1.2c0,0,0,3.6,0,3.6h-1v-6.2Z"/>
+      <path class="st5" d="M74.2,6.9h1v6.2h-1v-6.2Z"/>
+      <path class="st5" d="M76.6,6.9h2.3c.3,0,.6,0,.9.2.3.1.5.3.7.6.2.3.3.5.3.8s0,.6-.2.8c-.2.2-.4.4-.6.5h0c.3.2.6.3.8.6s.3.6.3.9,0,.6-.3.9c-.2.3-.4.5-.7.6-.3.1-.6.2-1,.2h-2.4v-6.2ZM78.9,9.5c.3,0,.5,0,.7-.3.2-.2.3-.4.3-.6s0-.4-.2-.6c-.2-.2-.4-.3-.6-.3h-1.4v1.7h1.3ZM79,12.2c.3,0,.5,0,.7-.3.2-.2.3-.4.3-.6s0-.5-.3-.6c-.2-.2-.4-.3-.7-.3h-1.4v1.8h1.5Z"/>
+      <path class="st5" d="M82,6.9h1v5.3h2.7v.9h-3.6v-6.2Z"/>
+      <path class="st5" d="M86.7,6.9h3.8v.9h-2.8v1.7h2.5v.9h-2.5v1.7h2.8v.9h-3.8v-6.2Z"/>
+      <path class="st5" d="M93.9,12.8c-.4-.3-.7-.7-.9-1.3l.9-.4c0,.3.3.6.5.8.2.2.5.3.8.3s.6,0,.8-.2c.2-.2.3-.4.3-.7s0-.5-.3-.6-.5-.3-1-.5h-.4c-.4-.3-.8-.5-1.1-.8-.3-.3-.4-.6-.4-1.1s0-.6.3-.9.4-.5.7-.6.6-.2,1-.2c.5,0,1,.1,1.3.4.3.3.5.6.7.9l-.9.4c0-.2-.2-.4-.4-.5-.2-.2-.4-.2-.7-.2s-.5,0-.7.2-.3.3-.3.6,0,.4.3.5c.2.1.4.3.8.4h.4c.5.3.9.6,1.2.9s.4.7.4,1.2-.1.7-.3,1c-.2.3-.5.5-.8.6-.3.1-.7.2-1,.2-.5,0-1-.2-1.4-.5Z"/>
+      <path class="st5" d="M99.5,13c-.4-.2-.6-.5-.8-.9s-.3-.8-.3-1.3v-3.8h1v3.9c0,.5.1.8.4,1.1s.6.4,1,.4.8-.1,1-.4c.2-.3.4-.7.4-1.1v-3.9h1v3.8c0,.5,0,.9-.3,1.3s-.5.7-.8.9c-.4.2-.8.3-1.3.3s-.9-.1-1.2-.3Z"/>
+      <path class="st5" d="M104.4,6.9h2.2c.4,0,.7,0,1,.2.3.2.5.4.7.7.2.3.3.6.3,1s-.1.8-.4,1.1c-.3.3-.6.5-1,.7h0s1.7,2.5,1.7,2.5h0c0,0-1.1,0-1.1,0l-1.6-2.4h-.7v2.4h-1v-6.2ZM106.5,9.8c.3,0,.5,0,.7-.3s.3-.4.3-.7,0-.3-.1-.5c0-.2-.2-.3-.3-.4-.2,0-.3-.1-.5-.1h-1.2v2h1.2Z"/>
    </g>
  </g>
-  <text class="st5" transform="translate(41.08 13.134)"><tspan x="0" y="0">DISPONIBLE SUR</tspan></text>
 </svg>
--- a/note_kfet/static/img/playstore_badge_fr_preorder.svg
+++ b/note_kfet/static/img/playstore_badge_fr_preorder.svg
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="artwork" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 135 40">
+  <!-- Generator: Adobe Illustrator 29.2.1, SVG Export Plug-In . SVG Version: 2.1.0 Build 116)  -->
+  <defs>
+    <style>
+      .st0 {
+        fill: #4285f4;
+      }
+
+      .st1 {
+        isolation: isolate;
+      }
+
+      .st2 {
+        fill: #a6a6a6;
+      }
+
+      .st3 {
+        fill: #34a853;
+      }
+
+      .st4 {
+        fill: #fbbc04;
+      }
+
+      .st5 {
+        fill: #fff;
+      }
+
+      .st6 {
+        fill: #ea4335;
+      }
+    </style>
+  </defs>
+  <g>
+    <rect width="135" height="40" rx="5" ry="5"/>
+    <path class="st2" d="M130,.8c2.3,0,4.2,1.9,4.2,4.2v30c0,2.3-1.9,4.2-4.2,4.2H5c-2.3,0-4.2-1.9-4.2-4.2V5c0-2.3,1.9-4.2,4.2-4.2h125M130,0H5C2.2,0,0,2.2,0,5v30c0,2.8,2.2,5,5,5h125c2.8,0,5-2.2,5-5V5c0-2.8-2.2-5-5-5h0Z"/>
+    <path class="st5" d="M68.1,21.8c-2.4,0-4.3,1.8-4.3,4.3s1.9,4.3,4.3,4.3,4.3-1.8,4.3-4.3-1.9-4.3-4.3-4.3ZM68.1,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.4,1,2.4,2.6-1.1,2.6-2.4,2.6ZM58.8,21.8c-2.4,0-4.3,1.8-4.3,4.3s1.9,4.3,4.3,4.3,4.3-1.8,4.3-4.3-1.9-4.3-4.3-4.3ZM58.8,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.4,1,2.4,2.6-1.1,2.6-2.4,2.6ZM47.7,23.1v1.8h4.3c-.1,1-.5,1.8-1,2.3-.6.6-1.6,1.3-3.3,1.3-2.7,0-4.7-2.1-4.7-4.8s2.1-4.8,4.7-4.8,2.5.6,3.3,1.3l1.3-1.3c-1.1-1-2.5-1.8-4.5-1.8-3.6,0-6.7,3-6.7,6.6s3.1,6.6,6.7,6.6,3.4-.6,4.6-1.9c1.2-1.2,1.6-2.9,1.6-4.2s0-.8,0-1.1h-6.1,0ZM93.1,24.5c-.4-1-1.4-2.7-3.6-2.7s-4,1.7-4,4.3,1.8,4.3,4.2,4.3,3.1-1.2,3.5-1.9l-1.4-1c-.5.7-1.1,1.2-2.1,1.2s-1.6-.4-2.1-1.3l5.7-2.4-.2-.5h0ZM87.3,25.9c0-1.6,1.3-2.5,2.2-2.5s1.4.4,1.6.9c0,0-3.8,1.6-3.8,1.6ZM82.6,30h1.9v-12.5h-1.9v12.5ZM79.6,22.7h0c-.4-.5-1.2-1-2.2-1-2.1,0-4.1,1.9-4.1,4.3s1.9,4.2,4.1,4.2,1.8-.5,2.2-1h0v.6c0,1.6-.9,2.5-2.3,2.5s-1.9-.8-2.1-1.5l-1.6.7c.5,1.1,1.7,2.5,3.8,2.5s4-1.3,4-4.4v-7.6h-1.8s0,.7,0,.7ZM77.4,28.6c-1.3,0-2.4-1.1-2.4-2.6s1.1-2.6,2.4-2.6,2.3,1.1,2.3,2.6-1,2.6-2.3,2.6ZM101.8,17.5h-4.5v12.5h1.9v-4.7h2.6c2.1,0,4.1-1.5,4.1-3.9s-2-3.9-4.1-3.9ZM101.9,23.5h-2.7v-4.3h2.7c1.4,0,2.2,1.2,2.2,2.1s-.8,2.1-2.2,2.1h0ZM113.4,21.7c-1.4,0-2.8.6-3.3,1.9l1.7.7c.4-.7,1-.9,1.7-.9s1.9.6,2,1.6h0c-.3,0-1.1-.4-1.9-.4-1.8,0-3.6,1-3.6,2.8s1.5,2.8,3.1,2.8,1.9-.6,2.4-1.2h0v1h1.8v-4.8c0-2.2-1.7-3.5-3.8-3.5h0ZM113.2,28.6c-.6,0-1.5-.3-1.5-1.1s1.1-1.3,2-1.3,1.2.2,1.7.4c-.1,1.2-1.1,2-2.2,2ZM123.7,22l-2.1,5.4h0l-2.2-5.4h-2l3.3,7.6-1.9,4.2h1.9l5.1-11.8h-2.1ZM106.9,30h1.9v-12.5h-1.9v12.5Z"/>
+    <g>
+      <path class="st6" d="M20.7,19.4l-10.6,11.3s0,0,0,0c.3,1.2,1.4,2.1,2.8,2.1s1-.1,1.5-.4h0s12-6.9,12-6.9l-5.6-6.1Z"/>
+      <path class="st4" d="M31.5,17.5h0s-5.2-3-5.2-3l-5.8,5.2,5.8,5.8,5.1-3c.9-.5,1.5-1.4,1.5-2.5s-.6-2-1.5-2.5h0Z"/>
+      <path class="st0" d="M10.1,9.3c0,.2,0,.5,0,.7v20c0,.3,0,.5,0,.7l11-11s-11-10.4-11-10.4Z"/>
+      <path class="st3" d="M20.8,20l5.5-5.5-12-6.9c-.4-.3-.9-.4-1.5-.4-1.3,0-2.5.9-2.8,2.1h0s10.7,10.7,10.7,10.7h0Z"/>
+    </g>
+  </g>
+  <g class="st1">
+    <g class="st1">
+      <path class="st5" d="M42.1,12.8c-.4-.3-.6-.7-.8-1.2l.8-.3c0,.3.2.6.5.8.2.2.5.3.8.3s.5,0,.7-.2c.2-.1.3-.3.3-.6s0-.4-.3-.6c-.2-.2-.5-.3-.9-.5h-.4c-.4-.3-.7-.5-1-.7-.3-.3-.4-.6-.4-1s0-.5.2-.8c.2-.2.4-.4.6-.6.3-.1.6-.2.9-.2.5,0,.9.1,1.2.4.3.2.5.5.6.8l-.8.3c0-.2-.2-.3-.3-.5s-.4-.2-.6-.2-.5,0-.7.2c-.2.1-.3.3-.3.5s0,.4.2.5c.2.1.4.3.8.4h.4c.5.3.9.5,1.1.8.3.3.4.6.4,1.1s0,.7-.3.9c-.2.3-.4.4-.7.6-.3.1-.6.2-.9.2-.5,0-.9-.1-1.3-.4Z"/>
+      <path class="st5" d="M46.4,7.4h3.5v.9h-2.6v1.6h2.3v.8h-2.3v1.6h2.6v.9h-3.5v-5.7Z"/>
+      <path class="st5" d="M52.8,7.4h2c.3,0,.6,0,.9.2.3.1.5.4.7.6s.3.6.3.9,0,.6-.3.9-.4.5-.7.6c-.3.1-.6.2-.9.2h-1.1v2.2h-.9v-5.7ZM54.8,10.1c.2,0,.4,0,.5-.1s.3-.2.3-.3.1-.3.1-.4,0-.3-.1-.4-.2-.2-.3-.3c-.1,0-.3-.1-.5-.1h-1.1v1.8h1.1Z"/>
+      <path class="st5" d="M57.6,7.4h2c.3,0,.7,0,.9.2s.5.4.7.6.2.6.2.9-.1.7-.4,1-.6.5-.9.6h0s1.6,2.3,1.6,2.3h0s-1,0-1,0l-1.5-2.2h-.7v2.2h-.9v-5.7ZM59.6,10.1c.3,0,.5,0,.7-.3.2-.2.3-.4.3-.7s0-.3-.1-.4-.2-.3-.3-.3-.3-.1-.5-.1h-1.1v1.8h1.1Z"/>
+      <path class="st5" d="M62.5,7.4h3.5v.9h-2.6v1.6h2.3v.8h-2.3v1.6h2.6v.9h-3.5v-5.7ZM64.2,5.9h1l-.6,1.1h-.7l.4-1.1Z"/>
+      <path class="st5" d="M67.1,7.4h.9v5.7h-.9v-5.7Z"/>
+      <path class="st5" d="M69.3,7.4h1.1l2.6,4.2h0v-1.1s0-3.1,0-3.1h.9v5.7h-.9l-2.7-4.4h0v1.1s0,3.3,0,3.3h-.9v-5.7Z"/>
+      <path class="st5" d="M75.5,12.8c-.4-.3-.6-.7-.8-1.2l.8-.3c0,.3.2.6.5.8.2.2.5.3.8.3s.5,0,.7-.2c.2-.1.3-.3.3-.6s0-.4-.3-.6c-.2-.2-.5-.3-.9-.5h-.4c-.4-.3-.7-.5-1-.7s-.4-.6-.4-1,0-.5.2-.8c.2-.2.4-.4.6-.6.3-.1.6-.2.9-.2.5,0,.9.1,1.2.4.3.2.5.5.6.8l-.8.3c0-.2-.2-.3-.3-.5-.2-.1-.4-.2-.6-.2s-.5,0-.7.2c-.2.1-.3.3-.3.5s0,.4.2.5.4.3.8.4h.4c.5.3.9.5,1.1.8.3.3.4.6.4,1.1s0,.7-.3.9c-.2.3-.4.4-.7.6-.3.1-.6.2-.9.2-.5,0-.9-.1-1.3-.4Z"/>
+      <path class="st5" d="M80.9,12.9c-.5-.3-.8-.6-1.1-1.1s-.4-1-.4-1.5.1-1.1.4-1.5.6-.8,1.1-1.1,1-.4,1.5-.4.8,0,1.2.2c.4.2.7.4.9.7l-.6.6c-.2-.2-.4-.4-.7-.5-.2-.1-.5-.2-.8-.2s-.7,0-1.1.3c-.3.2-.6.4-.8.7-.2.3-.3.7-.3,1.1s0,.8.3,1.1c.2.3.4.6.8.7s.7.3,1.1.3c.6,0,1.2-.3,1.6-.8l.6.6c-.3.3-.6.6-1,.8-.4.2-.8.3-1.3.3s-1.1-.1-1.5-.4Z"/>
+      <path class="st5" d="M85.7,7.4h2c.3,0,.7,0,.9.2.3.1.5.4.7.6.2.3.2.6.2.9s-.1.7-.4,1-.6.5-.9.6h0s1.6,2.3,1.6,2.3h0s-1,0-1,0l-1.5-2.2h-.7v2.2h-.9v-5.7ZM87.7,10.1c.3,0,.5,0,.7-.3.2-.2.3-.4.3-.7s0-.3-.1-.4c0-.1-.2-.3-.3-.3s-.3-.1-.5-.1h-1.1v1.8h1.1Z"/>
+      <path class="st5" d="M90.6,7.4h.9v5.7h-.9v-5.7Z"/>
+      <path class="st5" d="M92.8,7.4h2c.3,0,.7,0,.9.2.3.1.5.4.7.6.2.3.2.6.2.9s-.1.7-.4,1-.6.5-.9.6h0s1.6,2.3,1.6,2.3h0s-1,0-1,0l-1.5-2.2h-.7v2.2h-.9v-5.7ZM94.8,10.1c.3,0,.5,0,.7-.3s.3-.4.3-.7,0-.3-.1-.4c0-.1-.2-.3-.3-.3s-.3-.1-.5-.1h-1.1v1.8h1.1Z"/>
+      <path class="st5" d="M97.7,7.4h3.5v.9h-2.6v1.6h2.3v.8h-2.3v1.6h2.6v.9h-3.5v-5.7Z"/>
+      <path class="st5" d="M104.3,12.8c-.4-.3-.6-.7-.8-1.2l.8-.3c0,.3.2.6.5.8.2.2.5.3.8.3s.5,0,.7-.2c.2-.1.3-.3.3-.6s0-.4-.3-.6c-.2-.2-.5-.3-.9-.5h-.4c-.4-.3-.7-.5-1-.7s-.4-.6-.4-1,0-.5.2-.8c.2-.2.4-.4.6-.6.3-.1.6-.2.9-.2.5,0,.9.1,1.2.4.3.2.5.5.6.8l-.8.3c0-.2-.2-.3-.3-.5-.2-.1-.4-.2-.6-.2s-.5,0-.7.2c-.2.1-.3.3-.3.5s0,.4.2.5.4.3.8.4h.4c.5.3.9.5,1.1.8.3.3.4.6.4,1.1s0,.7-.3.9c-.2.3-.4.4-.7.6-.3.1-.6.2-.9.2-.5,0-.9-.1-1.3-.4Z"/>
+      <path class="st5" d="M109.5,13c-.3-.2-.6-.5-.8-.8-.2-.4-.3-.8-.3-1.2v-3.5h.9v3.6c0,.4.1.8.3,1,.2.3.5.4.9.4s.7-.1.9-.4c.2-.3.3-.6.3-1v-3.6h.9v3.5c0,.5,0,.9-.3,1.2-.2.4-.4.6-.8.8-.3.2-.7.3-1.2.3s-.8,0-1.1-.3Z"/>
+      <path class="st5" d="M114,7.4h2c.3,0,.7,0,.9.2.3.1.5.4.7.6.2.3.2.6.2.9s-.1.7-.4,1-.6.5-.9.6h0s1.6,2.3,1.6,2.3h0s-1,0-1,0l-1.5-2.2h-.7v2.2h-.9v-5.7ZM116,10.1c.3,0,.5,0,.7-.3s.3-.4.3-.7,0-.3-.1-.4c0-.1-.2-.3-.3-.3s-.3-.1-.5-.1h-1.1v1.8h1.1Z"/>
+    </g>
+  </g>
+</svg>
--- a/note_kfet/templates/registration/login.html
+++ b/note_kfet/templates/registration/login.html
@@ -41,14 +41,20 @@ SPDX-License-Identifier: GPL-2.0-or-later
        </form>

        <div class="text-center mt-4">
+            {% now "Ymd" as current_date_str %}
+
+            {% if display_appstore_badge %}
            <a href="https://apps.apple.com/fr/app/la-note-kfet/id6754661723" class="d-inline-block mx-1" aria-label="{% trans 'Download on the AppStore' %}" style="cursor: pointer;">
-                <img src="/static/img/appstore_badge_fr.svg"
+                <img src="{% static 'img/' %}{% if current_date_str < '20260201' %}appstore_badge_fr_preorder.svg{% else %}appstore_badge_fr.svg{% endif %}"
                     alt="{% trans 'Download on the AppStore' %}" style="height: 50px;">
            </a>
+            {% endif %}
+            {% if display_playstore_badge %}
            <a href="https://play.google.com/store/apps/details?id=org.crans.bde.note&hl=fr" class="d-inline-block mx-1" aria-label="{% trans 'Get it on Google Play' %}" style="cursor: pointer;">
-                <img src="/static/img/playstore_badge_fr.svg"
+                <img src="{% static 'img/' %}{% if current_date_str < '20260201' %}playstore_badge_fr_preorder.svg{% else %}playstore_badge_fr.svg{% endif %}"
                     alt="{% trans 'Get it on Google Play' %}" style="height: 50px;">
            </a>
+            {% endif %}
        </div>
    </div>
 </div>
Author	SHA1	Message	Date
quark	0240ea5388	Merge branch 'oauth2' into 'main' Oauth2 See merge request bde/nk20!360	2025-11-15 20:41:57 +01:00
quark	13171899c2	translations	2025-11-13 16:00:05 +01:00
quark	dacedbff20	Merge branch 'main' into oauth2	2025-11-13 15:53:39 +01:00
quark	a61a4667b9	docs	2025-11-10 18:07:32 +01:00
quark	9998189dbf	token access	2025-11-09 14:48:29 +01:00
quark	08593700fc	implicit flow #137	2025-11-09 11:18:11 +01:00
quark	54d28b30e5	Authorization Code Flow #137	2025-11-08 23:12:42 +01:00
quark	c09f133652	ropb implementation #137	2025-11-07 18:46:55 +01:00
quark	bfd50e3cd5	Client Credential Flow implementation	2025-11-07 15:49:01 +01:00
quark	68341a2a7e	Add test for oauth2 flow, add temporary ROPB for NoteApp #137	2025-11-07 10:41:10 +01:00
alexismdr	7af3c42a02	Merge branch 'app_download_links' into 'main' apps: add download links on login page See merge request bde/nk20!358	2025-11-04 11:30:58 +01:00
alexismdr	73b63186fd	fix: remove margin below App Store preorder badge	2025-11-04 09:18:27 +01:00
Alexis Mercier des Rochettes	e119e2295c	apps: add preorder badges * add appstore_badge_fr_preorder.svg static asset * add playstore_badge_fr_preorder.svg static asset * now displays preorder badges instead of download before 01 feb 2026 (estimated availability date)	2025-11-01 17:21:53 +01:00
Alexis Mercier des Rochettes	37beb8f421	apps: fix playstore badge google sans font	2025-11-01 16:54:42 +01:00
Alexis Mercier des Rochettes	cae86bcd46	apps: display appstore badges based on UA * on iPhone, only AppStore badge displays * on Android, only PlayStore badge displays * on any other platform, both display	2025-11-01 16:24:34 +01:00
ehouarn	74aee64161	Merge branch 'small_features' into 'main' Small features See merge request bde/nk20!359	2025-10-31 23:50:58 +01:00
Ehouarn	206a967827	Permissions fixed	2025-10-31 21:53:35 +01:00
Ehouarn	69aedccbae	Get rid of activity and guests duplicates	2025-10-19 23:58:41 +02:00
quark	d2cc1b902d	allows mask for Oauth2	2025-10-17 17:45:41 +02:00