Perform Dependency Upgrades and System Fixes (#248)

* fix issue internal error when preview mail and send mail without template

* remove unused lib slimit and upgrade jquery to latest version 3.7.1

* update fabric version

* Upgrade package-lock to v2

* Get rid of unmaintained dependency python-u2flib-server

* Upgrade NodeJS to latest version 22.x

* upgrade version in package.json

* Update webauthn requirement from to ==2.0

* Upgrade celery to 5.4.*

* chardet to 5.2.*

* css-inline to 0.14.*

* django-bootstrap3 to 24.2

* django-compressor to 4.5,

* Perform Dependency Upgrades

* Perform Dependency Upgrades

* upgrade hijack version

* fix isort

* update docs

* downgrade stripe to version compability with stripe plugin

---------

Co-authored-by: odkhang <[email protected]>

Dockerfile

@@ -2,6 +2,7 @@ FROM python:3.11-bookworm
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
+            curl \
             build-essential \
             gettext \
             git \
@@ -19,8 +20,9 @@ RUN apt-get update && \
             sudo \
             supervisor \
             zlib1g-dev \
-            npm \
-            nodejs && \
+            npm && \
+    curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
+    apt-get install -y nodejs && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     dpkg-reconfigure locales && \

doc/admin/scaling.rst

@@ -233,4 +233,4 @@ throughput. If you want to use pretix for an event with 10,000+ tickets that are
 within minutes, please get in touch to discuss possible solutions. We'll work something out for you!
 
 
-.. _object storage cluster: https://behind.eventyay.com/2018/03/20/high-available-cdn/
+.. _object storage cluster: https://behind.pretix.eu/2018/03/20/high-available-cdn/

pyproject.toml

@@ -20,49 +20,47 @@ classifiers = [
 ]
 dependencies = [
         'Django==4.2.*',
-        'djangorestframework==3.14.*',
-        'python-dateutil==2.8.*',
+        'djangorestframework==3.15.*',
+        'python-dateutil==2.9.*',
         'isoweek',
         'requests==2.31.*',
         'pytz',
-        'django-bootstrap3==23.1.*',
+        'django-bootstrap3==24.2',
         'django-formset-js-improved==0.5.0.3',
-        'django-compressor==4.3.*',
-        'django-hierarkey==1.1.*',
-        'django-filter==23.2',
+        'django-compressor==4.5',
+        'django-hierarkey==1.2.*',
+        'django-filter==24.2',
         'django-scopes==2.0.*',
         'django-localflavor==4.0',
-        'reportlab==4.0.*',
-        'Pillow==9.5.*',
+        'reportlab==4.2.*',
+        'Pillow==10.4.*',
         'pypdf==4.2.*',
         'django-libsass==0.9',
-        'libsass==0.22.*',
-        'django-otp==1.2.*',
-        'webauthn==0.4.*',
-        'python-u2flib-server==4.*',
-        'django-formtools==2.4.1',
-        'celery==5.3.*',
+        'libsass==0.23.*',
+        'django-otp==1.5.*',
+        'webauthn==2.2.*',
+        'django-formtools==2.5.1',
+        "celery==5.4.*",
         'kombu==5.3.*',
-        'django-statici18n==2.3.*',
-        'css-inline==0.8.*',
+        'django-statici18n==2.5.*',
+        'css-inline==0.14.*',
         'BeautifulSoup4==4.12.*',
-        'slimit',
         'lxml',
         'static3==0.7.*',
         'dj-static',
         'csscompressor',
         'django-markup',
-        'markdown==3.4.3',
+        'markdown==3.6',
         'bleach==5.0.*',
         'sentry-sdk==1.15.*',
         'babel',
         'paypalrestsdk==1.13.*',
-        'pycparser==2.21',
+        'pycparser==2.22',
         'django-redis==5.4.*',
         'redis==5.0.*',
-        'fakeredis==2.18.*',
+        'fakeredis==2.23.*',
         'stripe==5.4.*',
-        'chardet==5.1.*',
+        'chardet==5.2.*',
         'mt-940==4.30.*',
         'django-i18nfield==1.9.*,>=1.9.4',
         'psycopg2-binary==2.9.9',
@@ -74,26 +72,26 @@ dependencies = [
         'defusedcsv>=1.1.0',
         'vat_moss_forked==2020.3.20.0.11.0',
         'jsonschema',
-        'django-hijack==2.*',
+        'django-hijack==3.5.*',
         'openpyxl==3.1.*',
         'django-oauth-toolkit==2.4.*',
         'oauthlib==3.2.*',
-        'django-phonenumber-field==7.1.*',
+        'django-phonenumber-field==7.3.*',
         'phonenumberslite==8.13.*',
         'python-bidi==0.4.*',  # Support for Arabic in reportlab
         'arabic-reshaper==3.0.0',  # Support for Arabic in reportlab
         'packaging',
         'tlds>=2020041600',
         'text-unidecode==1.*',
-        'protobuf==4.23.*',
+        'protobuf==5.27.*',
         'cryptography>=3.4.2',
         'pycryptodome==3.20.*',
         'sepaxml==2.6.*',
         'geoip2==4.*',
         'paypalhttp==1.*',
         'eventyay-stripe @ git+https://[email protected]/fossasia/eventyay-tickets-stripe.git@master',
         'sendgrid==6.11.*',
-        'importlib_metadata==7.*',
+        'importlib_metadata==8.*',
         'qrcode==7.4.*',
         'pretix-pages @ git+https://github.com/fossasia/eventyay-ticket-pages.git@master',
         'pretix-venueless @ git+https://github.com/fossasia/eventyay-ticket-video.git@master',
@@ -105,18 +103,18 @@ dependencies = [
 memcached = ["pylibmc"]
 dev = [
             'django-debug-toolbar==4.0.*',
-            'pycodestyle==2.10.*',
-            'pyflakes==3.0.*',
-            'flake8==6.0.*',
-            'pep8-naming==0.13.*',
+            'pycodestyle==2.12.*',
+            'pyflakes==3.2.*',
+            'flake8==7.1.*',
+            'pep8-naming==0.14.*',
             'coveralls',
             'coverage',
-            'pytest==7.3.*',
+            'pytest==8.2.*',
             'pytest-django==4.*',
-            'pytest-xdist==3.3.*',
-            'isort==5.12.*',
-            'pytest-mock==3.10.*',
-            'pytest-rerunfailures==11.*',
+            'pytest-xdist==3.6.*',
+            'isort==5.13.*',
+            'pytest-mock==3.14.*',
+            'pytest-rerunfailures==14.*',
             'responses',
             'potypo',
             'freezegun',

src/pretix/base/models/auth.py

@@ -1,9 +1,7 @@
 import binascii
 import json
 from datetime import timedelta
-from urllib.parse import urlparse
 
-import webauthn
 from django.conf import settings
 from django.contrib.auth.models import (
     AbstractBaseUser, BaseUserManager, PermissionsMixin,
@@ -17,13 +15,12 @@
 from django.utils.translation import gettext_lazy as _
 from django_otp.models import Device
 from django_scopes import scopes_disabled
-from u2flib_server.utils import (
-    pub_key_from_der, websafe_decode, websafe_encode,
-)
+from webauthn.helpers.structs import PublicKeyCredentialDescriptor
 
 from pretix.base.i18n import language
 from pretix.helpers.urls import build_absolute_uri
 
+from ...helpers.u2f import pub_key_from_der, websafe_decode
 from .base import LoggingMixin
 
 
@@ -428,7 +425,12 @@ class U2FDevice(Device):
     json_data = models.TextField()
 
     @property
-    def webauthnuser(self):
+    def webauthndevice(self):
+        d = json.loads(self.json_data)
+        return PublicKeyCredentialDescriptor(websafe_decode(d['keyHandle']))
+
+    @property
+    def webauthnpubkey(self):
         d = json.loads(self.json_data)
         # We manually need to convert the pubkey from DER format (used in our
         # former U2F implementation) to the format required by webauthn. This
@@ -440,16 +442,7 @@ def webauthnuser(self):
                 pub_key.public_numbers().x, pub_key.public_numbers().y
             )
         )
-        return webauthn.WebAuthnUser(
-            d['keyHandle'],
-            self.user.email,
-            str(self.user),
-            settings.SITE_URL,
-            d['keyHandle'],
-            websafe_encode(pub_key),
-            1,
-            urlparse(settings.SITE_URL).netloc
-        )
+        return pub_key
 
 
 class WebAuthnDevice(Device):
@@ -461,14 +454,9 @@ class WebAuthnDevice(Device):
     sign_count = models.IntegerField(default=0)
 
     @property
-    def webauthnuser(self):
-        return webauthn.WebAuthnUser(
-            self.ukey,
-            self.user.email,
-            str(self.user),
-            settings.SITE_URL,
-            self.credential_id,
-            self.pub_key,
-            self.sign_count,
-            urlparse(settings.SITE_URL).netloc
-        )
+    def webauthndevice(self):
+        return PublicKeyCredentialDescriptor(websafe_decode(self.credential_id))
+
+    @property
+    def webauthnpubkey(self):
+        return websafe_decode(self.pub_key)

src/pretix/base/templates/pretixbase/cachedfiles/pending.html

@@ -9,7 +9,7 @@
         <link rel="stylesheet" type="text/x-scss" href="{% static "pretixbase/scss/cachedfiles.scss" %}" />
     {% endcompress %}
     {% compress js %}
-        <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
+        <script type="text/javascript" src="{% static "jquery/js/jquery-3.7.1.min.js" %}"></script>
         <script type="text/javascript" src="{% static "pretixbase/js/reloadpending.js" %}"></script>
     {% endcompress %}
     <meta name="viewport" content="width=device-width, initial-scale=1">

src/pretix/control/middleware.py

@@ -9,7 +9,6 @@
 from django.utils.encoding import force_str
 from django.utils.translation import gettext as _
 from django_scopes import scope
-from hijack.templatetags.hijack_tags import is_hijacked
 
 from pretix.base.models import Event, Organizer
 from pretix.base.models.auth import SuperuserPermissionSet, User
@@ -148,7 +147,7 @@ def __init__(self, get_response):
 
     def __call__(self, request):
         if request.path.startswith(get_script_prefix() + 'control') and request.user.is_authenticated:
-            if is_hijacked(request):
+            if getattr(request.user, "is_hijacked", False):
                 hijack_history = request.session.get('hijack_history', False)
                 hijacker = get_object_or_404(User, pk=hijack_history[0])
                 ss = hijacker.get_active_staff_session(request.session.get('hijacker_session'))

src/pretix/control/templates/pretixcontrol/auth/base.html

@@ -1,6 +1,5 @@
 {% load compress %}
 {% load i18n %}
-{% load hijack_tags %}
 {% load static %}
 <!DOCTYPE html>
 <html{% if rtl %} dir="rtl" class="rtl"{% endif %}>
@@ -39,7 +38,7 @@
             </div>
         {% endfor %}
     {% endif %}
-    {% if request|is_hijacked %}
+    {% if request.user.is_hijacked %}
         <div class="impersonate-warning">
             <span class="fa fa-user-secret"></span>
             {% blocktrans with user=request.user%}You are currently working on behalf of {{ user }}.{% endblocktrans %}

src/pretix/control/templates/pretixcontrol/auth/login_2fa.html

@@ -35,7 +35,7 @@ <h3>{% trans "Welcome back!" %}</h3>
         </script>
     {% endif %}
     {% compress js %}
-        <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
+        <script type="text/javascript" src="{% static "jquery/js/jquery-3.7.1.min.js" %}"></script>
         <script type="text/javascript" src="{% static "pretixcontrol/js/base64js.js" %}"></script>
         <script type="text/javascript" src="{% static "pretixcontrol/js/ui/webauthn.js" %}"></script>
     {% endcompress %}

src/pretix/control/templates/pretixcontrol/base.html

@@ -1,7 +1,6 @@
 {% load compress %}
 {% load static %}
 {% load i18n %}
-{% load hijack_tags %}
 {% load statici18n %}
 {% load eventsignal %}
 {% load eventurl %}
@@ -21,7 +20,7 @@
             <script src="{% statici18n request.LANGUAGE_CODE %}" async></script>
         {% endif %}
 		{% compress js %}
-            <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
+            <script type="text/javascript" src="{% static "jquery/js/jquery-3.7.1.min.js" %}"></script>
             <script type="text/javascript" src="{% static "js/jquery.formset.js" %}"></script>
             <script type="text/javascript" src="{% static "typeahead/typeahead.bundle.js" %}"></script>
             <script type="text/javascript" src="{% static "bootstrap/js/bootstrap.js" %}"></script>
@@ -333,7 +332,7 @@
                     </ul>
                 </div>
             {% endif %}
-            {% if request|is_hijacked %}
+            {% if request.user.is_hijacked %}
                 <div class="impersonate-warning">
                     <span class="fa fa-user-secret"></span>
                     {% blocktrans with user=request.user%}You are currently working on behalf of {{ user }}.{% endblocktrans %}

src/pretix/control/templates/pretixcontrol/user/reauth.html

@@ -47,7 +47,7 @@ <h3>{% trans "Welcome back!" %}</h3>
             </script>
         {% endif %}
         {% compress js %}
-            <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
+            <script type="text/javascript" src="{% static "jquery/js/jquery-3.7.1.min.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/base64js.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/webauthn.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/focus.js" %}"></script>