From e86fd1818346121c3eadfe7469c52fb000d61488 Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:36:00 +0100
Subject: [PATCH 1/8] updates instructions for doc

---
 .github/instructions/python.instructions.md | 57 +++++++++++++++++----
 1 file changed, 46 insertions(+), 11 deletions(-)

diff --git a/.github/instructions/python.instructions.md b/.github/instructions/python.instructions.md
index 0527fbec2234..a7f008830277 100644
--- a/.github/instructions/python.instructions.md
+++ b/.github/instructions/python.instructions.md
@@ -1,28 +1,65 @@
 ---
 applyTo: '**/*.py'
 ---
-Provide project context and coding guidelines that AI should follow when generating code, answering questions, or reviewing changes.
 
 ## 🛠️Coding Instructions for Python in This Repository
 
 Follow these rules **strictly** when generating Python code:
 
-### 1. Python Version
+### Python Version
 
 * Use Python 3.13: Ensure all code uses features and syntax compatible with Python 3.13.
 
-### 2. **Type Annotations**
+### Type Annotations
 
 * Always use full type annotations for all functions and class attributes.
 * ❗ **Exception**: Do **not** add return type annotations in `test_*` functions.
 
-### 3. **Code Style & Formatting**
+### Documentation with Annotated Types
+
+* Use `annotated_types.doc()` for parameter and return type documentation instead of traditional docstring Args/Returns sections
+* **Apply documentation only for non-obvious parameters/returns**:
+  - Document complex behaviors that can't be deduced from parameter name and type
+  - Document validation rules, side effects, or special handling
+  - Skip documentation for self-explanatory parameters (e.g., `engine: AsyncEngine`, `product_name: ProductName`)
+* **Import**: Always add `from annotated_types import doc` when using documentation annotations
+
+**Examples:**
+```python
+from typing import Annotated
+from annotated_types import doc
+
+async def process_users(
+    engine: AsyncEngine,  # No doc needed - self-explanatory
+    filter_statuses: Annotated[
+        list[Status] | None,
+        doc("Only returns users with these statuses")
+    ] = None,
+    limit: int = 50,  # No doc needed - obvious
+) -> Annotated[
+    tuple[list[dict], int],
+    doc("(user records, total count)")
+]:
+    """Process users with filtering.
+
+    Raises:
+        ValueError: If no filters provided
+    """
+```
+
+* **Docstring conventions**:
+  - Keep docstrings **concise**, focusing on overall function purpose
+  - Include `Raises:` section for exceptions
+  - Avoid repeating information already captured in type annotations
+  - Most information should be deducible from function name, parameter names, types, and annotations
+
+### Code Style & Formatting
 
 * Follow [Python Coding Conventions](../../docs/coding-conventions.md) **strictly**.
 * Format code with `black` and `ruff`.
 * Lint code with `ruff` and `pylint`.
 
-### 4. **Library Compatibility**
+### Library Compatibility
 
 Ensure compatibility with the following library versions:
 
@@ -30,8 +67,7 @@ Ensure compatibility with the following library versions:
 * `pydantic` ≥ 2.x
 * `fastapi` ≥ 0.100
 
-
-### 5. **Code Practices**
+### Code Practices
 
 * Use `f-string` formatting for all string interpolation except for logging message strings.
 * Use **relative imports** within the same package/module.
@@ -40,13 +76,12 @@ Ensure compatibility with the following library versions:
 * Place **all imports at the top** of the file.
 * Document functions when the code is not self-explanatory or if asked explicitly.
 
-
-### 6. **JSON Serialization**
+### JSON Serialization
 
 * Prefer `json_dumps` / `json_loads` from `common_library.json_serialization` instead of the built-in `json.dumps` / `json.loads`.
 * When using Pydantic models, prefer methods like `model.model_dump_json()` for serialization.
 
-### 7. **aiohttp Framework**
+### aiohttp Framework
 
 * **Application Keys**: Always use `web.AppKey` for type-safe application storage instead of string keys
   - Define keys with specific types: `APP_MY_KEY: Final = web.AppKey("APP_MY_KEY", MySpecificType)`
@@ -58,6 +93,6 @@ Ensure compatibility with the following library versions:
 * **Error Handling**: Use the established exception handling decorators and patterns
 * **Route Definitions**: Use `web.RouteTableDef()` and organize routes logically within modules
 
-### 8. **Running tests**
+### Running tests
 * Use `--keep-docker-up` flag when testing to keep docker containers up between sessions.
 * Always activate the python virtual environment before running pytest.

From 6799564a10f91ec05efafc46e8b60a77ad90f208 Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:39:01 +0100
Subject: [PATCH 2/8] cleanup

---
 api/specs/web-server/_common.py               |  2 +-
 .../src/models_library/invitations.py         | 76 ++++++++++-------
 .../users/_accounts_service.py                | 81 ++++++++++---------
 3 files changed, 90 insertions(+), 69 deletions(-)

diff --git a/api/specs/web-server/_common.py b/api/specs/web-server/_common.py
index 4ca4ef69e16b..bc74e765f6a5 100644
--- a/api/specs/web-server/_common.py
+++ b/api/specs/web-server/_common.py
@@ -60,7 +60,7 @@ def as_query(model_class: type[BaseModel]) -> type[BaseModel]:
     for field_name, field_info in model_class.model_fields.items():
 
         field_default = field_info.default
-        assert not field_info.default_factory  # nosec
+        assert not field_info.default_factory, f"got {field_info=}"  # nosec
         query_kwargs = {
             "alias": field_info.alias,
             "title": field_info.title,
diff --git a/packages/models-library/src/models_library/invitations.py b/packages/models-library/src/models_library/invitations.py
index adb1545f0b6d..cadc4667b5ec 100644
--- a/packages/models-library/src/models_library/invitations.py
+++ b/packages/models-library/src/models_library/invitations.py
@@ -1,7 +1,14 @@
-from datetime import datetime, timezone
-from typing import Final
+from datetime import UTC, datetime
+from typing import Annotated, Final
 
-from pydantic import BaseModel, EmailStr, Field, PositiveInt, field_validator
+from pydantic import (
+    AfterValidator,
+    BaseModel,
+    EmailStr,
+    Field,
+    PositiveInt,
+    field_validator,
+)
 
 from .products import ProductName
 
@@ -11,29 +18,40 @@
 class InvitationInputs(BaseModel):
     """Input data necessary to create an invitation"""
 
-    issuer: str = Field(
-        ...,
-        description="Identifies who issued the invitation. E.g. an email, a service name etc. NOTE: it will be trimmed if exceeds maximum",
-        min_length=1,
-        max_length=_MAX_LEN,
-    )
-    guest: EmailStr = Field(
-        ...,
-        description="Invitee's email. Note that the registration can ONLY be used with this email",
-    )
-    trial_account_days: PositiveInt | None = Field(
-        default=None,
-        description="If set, this invitation will activate a trial account."
-        "Sets the number of days from creation until the account expires",
-    )
-    extra_credits_in_usd: PositiveInt | None = Field(
-        default=None,
-        description="If set, the account's primary wallet will add extra credits corresponding to this ammount in USD",
-    )
-    product: ProductName | None = Field(
-        default=None,
-        description="If None, it will use INVITATIONS_DEFAULT_PRODUCT",
-    )
+    issuer: Annotated[
+        str,
+        Field(
+            description="Identifies who issued the invitation. E.g. an email, a service name etc. NOTE: it will be trimmed if exceeds maximum",
+            min_length=1,
+            max_length=_MAX_LEN,
+        ),
+    ]
+    guest: Annotated[
+        EmailStr,
+        AfterValidator(lambda v: v.lower()),
+        Field(
+            description="Invitee's email. Note that the registration can ONLY be used with this email",
+        ),
+    ]
+    trial_account_days: Annotated[
+        PositiveInt | None,
+        Field(
+            description="If set, this invitation will activate a trial account."
+            "Sets the number of days from creation until the account expires",
+        ),
+    ] = None
+    extra_credits_in_usd: Annotated[
+        PositiveInt | None,
+        Field(
+            description="If set, the account's primary wallet will add extra credits corresponding to this ammount in USD",
+        ),
+    ] = None
+    product: Annotated[
+        ProductName | None,
+        Field(
+            description="If None, it will use INVITATIONS_DEFAULT_PRODUCT",
+        ),
+    ] = None
 
     @field_validator("issuer", mode="before")
     @classmethod
@@ -44,10 +62,10 @@ def trim_long_issuers_to_max_length(cls, v):
 
 
 class InvitationContent(InvitationInputs):
-    """Data in an invitation"""
+    """Data within an invitation"""
 
     # avoid using default to mark exactly the time
-    created: datetime = Field(..., description="Timestamp for creation")
+    created: Annotated[datetime, Field(description="Timestamp for creation")]
 
     def as_invitation_inputs(self) -> InvitationInputs:
         return self.model_validate(
@@ -62,6 +80,6 @@ def create_from_inputs(
         kwargs = invitation_inputs.model_dump(exclude_none=True)
         kwargs.setdefault("product", default_product)
         return cls(
-            created=datetime.now(tz=timezone.utc),
+            created=datetime.now(tz=UTC),
             **kwargs,
         )
diff --git a/services/web/server/src/simcore_service_webserver/users/_accounts_service.py b/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
index 0baf07c9a1f2..a7ff44a5e511 100644
--- a/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
+++ b/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
@@ -1,19 +1,22 @@
 import logging
-from typing import Any
+from typing import Annotated, Any
 
 from aiohttp import web
+from annotated_types import doc
 from common_library.users_enums import AccountRequestStatus
 from models_library.api_schemas_webserver.users import UserAccountGet
 from models_library.emails import LowerCaseEmailStr
+from models_library.list_operations import OrderDirection
 from models_library.products import ProductName
 from models_library.users import UserID
 from notifications_library._email import create_email_session
 from pydantic import HttpUrl
 from settings_library.email import SMTPSettings
-from simcore_service_webserver.products._service import get_product
 
 from ..db.plugin import get_asyncpg_engine
+from ..products._service import get_product
 from . import _accounts_repository, _users_repository
+from ._accounts_repository import OrderKeys
 from .exceptions import (
     AlreadyPreRegisteredError,
     PendingPreRegistrationNotFoundError,
@@ -31,7 +34,10 @@ async def pre_register_user(
     app: web.Application,
     *,
     profile: UserAccountRestPreRegister,
-    creator_user_id: UserID | None,
+    creator_user_id: Annotated[
+        UserID | None,
+        doc("ID of the user creating the pre-registration (None for anonymous)"),
+    ],
     product_name: ProductName,
 ) -> UserAccountGet:
 
@@ -92,19 +98,19 @@ async def list_user_accounts(
     app: web.Application,
     *,
     product_name: ProductName,
-    filter_any_account_request_status: list[AccountRequestStatus] | None = None,
+    filter_any_account_request_status: Annotated[
+        list[AccountRequestStatus] | None,
+        doc("List of any account request statuses to filter by"),
+    ] = None,
     pagination_limit: int = 50,
     pagination_offset: int = 0,
-) -> tuple[list[dict[str, Any]], int]:
+) -> Annotated[
+    tuple[list[dict[str, Any]], int],
+    doc("Tuple containing (list of user dictionaries, total count of users)"),
+]:
     """
     Get a paginated list of users for admin view with filtering options.
 
-    Args:
-        app: The web application instance
-        filter_any_account_request_status: List of *any* account request statuses to filter by
-        pagination_limit: Maximum number of users to return
-        pagination_offset: Number of users to skip for pagination
-
     Returns:
         A tuple containing (list of user dictionaries, total count of users)
     """
@@ -155,13 +161,14 @@ async def search_users_accounts(
     product_name: ProductName | None = None,
     include_products: bool = False,
 ) -> list[UserAccountGet]:
-    """
-    WARNING: this information is reserved for admin users. Note that the returned model include UserForAdminGet
+    """WARNING: this information is reserved for admin users. Note that the returned model include UserForAdminGet
 
     NOTE: Functions in the service layer typically validate the caller's access rights
     using parameters like product_name and user_id. However, this function skips
     such checks as it is designed for scenarios (e.g., background tasks) where
     no caller or context is available.
+
+    NOTE: list is limited to a maximum of 50 entries
     """
 
     if (
@@ -238,18 +245,14 @@ async def approve_user_account(
     pre_registration_email: LowerCaseEmailStr,
     product_name: ProductName,
     reviewer_id: UserID,
-    invitation_extras: dict[str, Any] | None = None,
-) -> int:
+    invitation_extras: Annotated[
+        dict[str, Any] | None, doc("Optional invitation data to store in extras field")
+    ] = None,
+) -> Annotated[int, doc("The ID of the approved pre-registration record")]:
     """Approve a user account based on their pre-registration email.
 
-    Args:
-        app: The web application instance
-        pre_registration_email: Email of the pre-registered user to approve
-        product_name: Product name for which the user is being approved
-        reviewer_id: ID of the user approving the account
-
     Returns:
-        int: The ID of the approved pre-registration record
+        The ID of the approved pre-registration record
 
     Raises:
         PendingPreRegistrationNotFoundError: If no pre-registration is found for the email/product
@@ -291,17 +294,9 @@ async def reject_user_account(
     pre_registration_email: LowerCaseEmailStr,
     product_name: ProductName,
     reviewer_id: UserID,
-) -> int:
+) -> Annotated[int, doc("The ID of the rejected pre-registration record")]:
     """Reject a user account based on their pre-registration email.
 
-    Args:
-        app: The web application instance
-        pre_registration_email: Email of the pre-registered user to reject
-        product_name: Product name for which the user is being rejected
-        reviewer_id: ID of the user rejecting the account
-
-    Returns:
-        int: The ID of the rejected pre-registration record
 
     Raises:
         PendingPreRegistrationNotFoundError: If no pre-registration is found for the email/product
@@ -343,9 +338,17 @@ def _create_product_and_user_data(
     user_email: LowerCaseEmailStr,
     first_name: str,
     last_name: str,
-):
+) -> Annotated[
+    tuple[Any, Any],
+    doc("Tuple containing (ProductData, UserData) objects for email rendering"),
+]:
     """Create ProductData and UserData objects for email rendering."""
-    from notifications_library._models import ProductData, ProductUIData, UserData
+
+    from notifications_library._models import (  # noqa: PLC0415
+        ProductData,
+        ProductUIData,
+        UserData,
+    )
 
     # Get product data from the app
     product = get_product(app, product_name=product_name)
@@ -399,13 +402,13 @@ async def send_approval_email_to_user(
     first_name: str,
     last_name: str,
 ) -> None:
-    from notifications_library._email import compose_email
-    from notifications_library._email_render import (
+    from notifications_library._email import compose_email  # noqa: PLC0415
+    from notifications_library._email_render import (  # noqa: PLC0415
         get_support_address,
         get_user_address,
         render_email_parts,
     )
-    from notifications_library._render import (
+    from notifications_library._render import (  # noqa: PLC0415
         create_render_environment_from_notifications_library,
     )
 
@@ -456,13 +459,13 @@ async def send_rejection_email_to_user(
     last_name: str,
     host: str,
 ) -> None:
-    from notifications_library._email import compose_email
-    from notifications_library._email_render import (
+    from notifications_library._email import compose_email  # noqa: PLC0415
+    from notifications_library._email_render import (  # noqa: PLC0415
         get_support_address,
         get_user_address,
         render_email_parts,
     )
-    from notifications_library._render import (
+    from notifications_library._render import (  # noqa: PLC0415
         create_render_environment_from_notifications_library,
     )
 

From 9443b7dbb39117d31189cc7209bd5f5afdc774bb Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:40:10 +0100
Subject: [PATCH 3/8] test

---
 .../templates/on_account_requested.email.content.html      | 5 +++--
 .../templates/on_account_requested.email.content.txt       | 4 ++--
 .../templates/common/request_account.jinja2                | 7 ++++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
index 5a317574c958..d922a71ad6c2 100644
--- a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
+++ b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
@@ -1,13 +1,14 @@
 {% extends 'base.html' %}
 {% block title %} {% include 'on_account_requested.email.subject.txt' %} {% endblock %}
 {% block content %}
-<p>Dear Support team
+<p>Dear Support team</p>
 
 <p>
   We have received the following request form for an account in :
 <ol>
   <li>Product: <b>{{ product.display_name }}</b></li>
-  <li>Host: <b>{{ host }}</b></li>
+  <li>Host: <b>{{ host|rstrip('/') }}</b></li>
+  <li>PO center: <b>https://{{ host|rstrip('/') }}/#/review-users</b></li>
 </ol>
 </p>
 
diff --git a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
index 67b1801b9123..f8acd5c97c40 100644
--- a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
+++ b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
@@ -2,8 +2,8 @@ Dear Support team,
 
 We have received the following request form for an account in :
 - Product: **{{ product.display_name }}**
-- Host: **{{ host }}**
-
+- Host: **{{ host|rstrip('/') }}**
+- PO center: https://{{ host|rstrip('/') }}/#/review-users
 {{ dumps(request_form) }}
 
 Some details about the requested product follow:
diff --git a/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2 b/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
index bc85afb0559a..1228638df215 100644
--- a/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
+++ b/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
@@ -1,7 +1,7 @@
-Request for an Account in {{ host }}
+Request for an Account in {{ host|rstrip('/') }}
 <!--
 NOTE: this header is only for testing purposes and removed automatically before sending
-TEST host:{{ host }}
+TEST host:{{ host|rstrip('/') }}
 TEST name:{{ name }}
 TEST product:{{ product }}
 TEST request_form:{{ request_form }}
@@ -14,7 +14,8 @@ Dear {{ name }},
   We have received the following request form for an account in :
 <ol>
   <li>Product: <b>{{ product.display_name }}</b></li>
-  <li>Host: <b>{{ host }}</b></li>
+  <li>Host: <b>{{ host|rstrip('/') }}</b></li>
+  <li>PO center: <b>https://{{ host|rstrip('/') }}/#/review-users</b></li>
 </ol>
 </p>
 

From 06decb86be386d531480fa555eb5d8d6828de822 Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:41:54 +0100
Subject: [PATCH 4/8] insensitive email and invitation code tests

---
 .../src/models_library/string_types.py        |  2 +
 services/invitations/tests/unit/conftest.py   |  6 ++-
 .../tests/unit/test_invitations.py            | 41 +++++++++++++++++++
 .../with_dbs/03/test_users_rest_search.py     |  2 +-
 4 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/packages/models-library/src/models_library/string_types.py b/packages/models-library/src/models_library/string_types.py
index cc7a2b4dcc5d..05d4c4f75c6d 100644
--- a/packages/models-library/src/models_library/string_types.py
+++ b/packages/models-library/src/models_library/string_types.py
@@ -203,6 +203,7 @@ def validate_input_xss_safety(value: str) -> str:
         max_length=200,
         strip_whitespace=True,
         pattern=r"^[A-Za-z0-9 ._\*@-]*$",  # Allow alphanumeric, spaces, dots, underscores, hyphens, asterisks and at signs
+        to_lower=True # make case-insensitive
     ),
     AfterValidator(validate_input_xss_safety),
 ]
@@ -215,6 +216,7 @@ def validate_input_xss_safety(value: str) -> str:
         min_length=1,
         max_length=200,
         pattern=r"^[A-Za-z0-9 ._@-]*$",  # Allow alphanumeric, spaces, dots, underscores, hyphens, and at signs
+        to_lower=True # make case-insensitive
     ),
     AfterValidator(validate_input_xss_safety),
     annotated_types.doc(
diff --git a/services/invitations/tests/unit/conftest.py b/services/invitations/tests/unit/conftest.py
index 414062b9f944..bf240b17ed9f 100644
--- a/services/invitations/tests/unit/conftest.py
+++ b/services/invitations/tests/unit/conftest.py
@@ -114,7 +114,7 @@ def invitation_data(
     # first version
     kwargs = {
         "issuer": "LicenseRequestID=123456789",
-        "guest": faker.email(),
+        "guest": faker.email().upper(),  # to test case insensitivity
         "trial_account_days": faker.pyint(min_value=1) if is_trial_account else None,
     }
     # next version, can include product
@@ -124,4 +124,6 @@ def invitation_data(
     if extra_credits_in_usd is not None:
         kwargs["extra_credits_in_usd"] = extra_credits_in_usd
 
-    return InvitationInputs.model_validate(kwargs)
+    data = InvitationInputs.model_validate(kwargs)
+    assert data.guest == kwargs["guest"].lower()  # emails are case insensitive
+    return data
diff --git a/services/invitations/tests/unit/test_invitations.py b/services/invitations/tests/unit/test_invitations.py
index 770dba67bb99..f18e6e455e1e 100644
--- a/services/invitations/tests/unit/test_invitations.py
+++ b/services/invitations/tests/unit/test_invitations.py
@@ -203,3 +203,44 @@ def test_aliases_uniqueness():
         ).items()
         if count > 1
     ]  # nosec
+
+
+def test_consecutive_invitation_codes_are_different_due_to_timestamps(
+    invitation_data: InvitationInputs,
+    secret_key: str,
+    default_product: ProductName,
+):
+    """Test that two consecutive invitation codes with same data are different because of different timestamps."""
+    secret = secret_key.encode()
+
+    # Create first invitation code
+    content1 = InvitationContent.create_from_inputs(invitation_data, default_product)
+    code1 = _create_invitation_code(content1, secret)
+
+    # Create second invitation code with same data
+    content2 = InvitationContent.create_from_inputs(invitation_data, default_product)
+    code2 = _create_invitation_code(content2, secret)
+
+    # Codes should be different
+    assert code1 != code2
+
+    # Decrypt both codes
+    invitation1 = decrypt_invitation(
+        invitation_code=code1.decode(),
+        secret_key=secret,
+        default_product=default_product,
+    )
+    invitation2 = decrypt_invitation(
+        invitation_code=code2.decode(),
+        secret_key=secret,
+        default_product=default_product,
+    )
+
+    # Content should be the same except for timestamps
+    assert invitation1.model_dump(exclude={"created"}) == invitation2.model_dump(
+        exclude={"created"}
+    )
+
+    # Timestamps should be different
+    assert invitation1.created != invitation2.created
+    assert invitation2.created >= invitation1.created
diff --git a/services/web/server/tests/unit/with_dbs/03/test_users_rest_search.py b/services/web/server/tests/unit/with_dbs/03/test_users_rest_search.py
index 7473033cbd1a..79c5ba21eadf 100644
--- a/services/web/server/tests/unit/with_dbs/03/test_users_rest_search.py
+++ b/services/web/server/tests/unit/with_dbs/03/test_users_rest_search.py
@@ -238,7 +238,7 @@ async def test_search_users_by_partial_email(
     url = (
         client.app.router["search_user_accounts"]
         .url_for()
-        .with_query(email=partial_email)
+        .with_query(email=partial_email.upper())  # NOTE: case insensitive!
     )
     resp = await client.get(f"{url}")
     await assert_status(resp, status.HTTP_403_FORBIDDEN)

From 1434857a79d6efa59586c89510746b6b5a010e1a Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:48:32 +0100
Subject: [PATCH 5/8] list operations

---
 .../src/models_library/list_operations.py     | 67 ++++++++++++++++++
 .../tests/test_list_operations.py             | 70 +++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 packages/models-library/src/models_library/list_operations.py
 create mode 100644 packages/models-library/tests/test_list_operations.py

diff --git a/packages/models-library/src/models_library/list_operations.py b/packages/models-library/src/models_library/list_operations.py
new file mode 100644
index 000000000000..c904fe3fc4f4
--- /dev/null
+++ b/packages/models-library/src/models_library/list_operations.py
@@ -0,0 +1,67 @@
+"""API List operation
+
+- Ordering: https://google.aip.dev/132#ordering
+
+
+SEE ALSO:
+    - batch_operations.py
+"""
+
+from enum import Enum
+from typing import TYPE_CHECKING, Annotated, Generic, TypeVar
+
+from annotated_types import doc
+from pydantic import BaseModel
+
+
+class OrderDirection(str, Enum):
+    ASC = "asc"
+    DESC = "desc"
+
+
+if TYPE_CHECKING:
+    from typing import Protocol
+
+    class LiteralField(Protocol):
+        """Protocol for Literal string types"""
+
+        def __str__(self) -> str: ...
+
+    TField = TypeVar("TField", bound=LiteralField)
+else:
+    TField = TypeVar("TField", bound=str)
+
+
+class OrderClause(BaseModel, Generic[TField]):
+    field: TField
+    direction: OrderDirection = OrderDirection.ASC
+
+
+def check_ordering_list(
+    order_by: list[tuple[TField, OrderDirection]]
+) -> Annotated[
+    list[tuple[TField, OrderDirection]],
+    doc("Validated list with duplicates removed and preserving first occurrence order"),
+]:
+    """Validates ordering list and removes duplicate entries.
+
+    Raises:
+        ValueError: If a field appears with conflicting directions
+    """
+    seen_fields: dict[TField, OrderDirection] = {}
+    unique_order_by = []
+
+    for field, direction in order_by:
+        if field in seen_fields:
+            # Field already seen - check if direction matches
+            if seen_fields[field] != direction:
+                msg = f"Field '{field}' appears with conflicting directions: {seen_fields[field].value} and {direction.value}"
+                raise ValueError(msg)
+            # Same field and direction - skip duplicate
+            continue
+
+        # First time seeing this field
+        seen_fields[field] = direction
+        unique_order_by.append((field, direction))
+
+    return unique_order_by
diff --git a/packages/models-library/tests/test_list_operations.py b/packages/models-library/tests/test_list_operations.py
new file mode 100644
index 000000000000..61ff91aa5d4d
--- /dev/null
+++ b/packages/models-library/tests/test_list_operations.py
@@ -0,0 +1,70 @@
+import pytest
+from models_library.list_operations import (
+    OrderDirection,
+    check_ordering_list,
+)
+
+
+def test_check_ordering_list_drops_duplicates_silently():
+    """Test that check_ordering_list silently drops duplicate entries with same field and direction"""
+
+    # Input with duplicates (same field and direction)
+    order_by = [
+        ("email", OrderDirection.ASC),
+        ("created", OrderDirection.DESC),
+        ("email", OrderDirection.ASC),  # Duplicate - should be dropped
+        ("name", OrderDirection.ASC),
+        ("created", OrderDirection.DESC),  # Duplicate - should be dropped
+    ]
+
+    result = check_ordering_list(order_by)
+
+    # Should return unique entries preserving order of first occurrence
+    expected = [
+        ("email", OrderDirection.ASC),
+        ("created", OrderDirection.DESC),
+        ("name", OrderDirection.ASC),
+    ]
+
+    assert result == expected
+
+
+def test_check_ordering_list_raises_for_conflicting_directions():
+    """Test that check_ordering_list raises ValueError when same field has different directions"""
+
+    # Input with same field but different directions
+    order_by = [
+        ("email", OrderDirection.ASC),
+        ("created", OrderDirection.DESC),
+        ("email", OrderDirection.DESC),  # Conflict! Same field, different direction
+    ]
+
+    with pytest.raises(ValueError, match="conflicting directions") as exc_info:
+        check_ordering_list(order_by)
+
+    error_msg = str(exc_info.value)
+    assert "Field 'email' appears with conflicting directions" in error_msg
+    assert "asc" in error_msg
+    assert "desc" in error_msg
+
+
+def test_check_ordering_list_empty_input():
+    """Test that check_ordering_list handles empty input correctly"""
+
+    result = check_ordering_list([])
+    assert result == []
+
+
+def test_check_ordering_list_no_duplicates():
+    """Test that check_ordering_list works correctly when there are no duplicates"""
+
+    order_by = [
+        ("email", OrderDirection.ASC),
+        ("created", OrderDirection.DESC),
+        ("name", OrderDirection.ASC),
+    ]
+
+    result = check_ordering_list(order_by)
+
+    # Should return the same list
+    assert result == order_by

From bf417b5f505ec3ed014f718fe7c0c32b7b9adc87 Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:50:09 +0100
Subject: [PATCH 6/8] new ordering class

---
 .../src/models_library/rest_ordering.py       | 126 ++++++++++++++----
 .../tests/test_rest_ordering.py               |  47 +++++++
 2 files changed, 146 insertions(+), 27 deletions(-)

diff --git a/packages/models-library/src/models_library/rest_ordering.py b/packages/models-library/src/models_library/rest_ordering.py
index 1fdd9d6cfed4..7e2d829d926c 100644
--- a/packages/models-library/src/models_library/rest_ordering.py
+++ b/packages/models-library/src/models_library/rest_ordering.py
@@ -1,32 +1,41 @@
-from enum import Enum
-from typing import Annotated
+from typing import Annotated, Generic
 
+from common_library.basic_types import DEFAULT_FACTORY
 from common_library.json_serialization import json_dumps
-from pydantic import BaseModel, BeforeValidator, ConfigDict, Field, field_validator
+from pydantic import (
+    BaseModel,
+    BeforeValidator,
+    ConfigDict,
+    Field,
+    field_validator,
+)
 
 from .basic_types import IDStr
+from .list_operations import OrderClause, OrderDirection, TField, check_ordering_list
 from .rest_base import RequestParameters
-from .utils.common_validators import parse_json_pre_validator
+from .utils.common_validators import (
+    parse_json_pre_validator,
+)
 
-
-class OrderDirection(str, Enum):
-    ASC = "asc"
-    DESC = "desc"
+__all__: tuple[str, ...] = ("OrderDirection",)
 
 
 class OrderBy(BaseModel):
-    # Based on https://google.aip.dev/132#ordering
-    field: IDStr = Field(..., description="field name identifier")
-    direction: OrderDirection = Field(
-        default=OrderDirection.ASC,
-        description=(
-            f"As [A,B,C,...] if `{OrderDirection.ASC.value}`"
-            f" or [Z,Y,X, ...] if `{OrderDirection.DESC.value}`"
+    # NOTE: use instead OrderClause[TField] where TField is Literal of valid fields
+    field: Annotated[IDStr, Field(description="field name identifier")]
+    direction: Annotated[
+        OrderDirection,
+        Field(
+            description=(
+                f"As [A,B,C,...] if `{OrderDirection.ASC.value}`"
+                f" or [Z,Y,X, ...] if `{OrderDirection.DESC.value}`"
+            )
         ),
-    )
+    ] = OrderDirection.ASC
 
 
 class _BaseOrderQueryParams(RequestParameters):
+    # Use OrderingQueryParams instead for more flexible ordering
     order_by: OrderBy
 
 
@@ -91,12 +100,10 @@ def _check_ordering_field_and_map(cls, v):
             return _ordering_fields_api_to_column_map.get(v) or v
 
     assert "json_schema_extra" in _OrderBy.model_config  # nosec
-    assert isinstance(_OrderBy.model_config["json_schema_extra"], dict)  # nosec
-    assert isinstance(  # nosec
-        _OrderBy.model_config["json_schema_extra"]["examples"], list
-    )
-    order_by_example = _OrderBy.model_config["json_schema_extra"]["examples"][0]
+
+    order_by_example = _OrderBy.model_json_schema()["examples"][0]
     order_by_example_json = json_dumps(order_by_example)
+
     assert _OrderBy.model_validate(order_by_example), "Example is invalid"  # nosec
 
     converted_default = _OrderBy.model_validate(
@@ -104,17 +111,82 @@ def _check_ordering_field_and_map(cls, v):
         default.model_dump()
     )
 
-    class _OrderQueryParams(_BaseOrderQueryParams):
-        order_by: Annotated[_OrderBy, BeforeValidator(parse_json_pre_validator)] = (
+    class _OrderJsonQueryParams(_BaseOrderQueryParams):
+        order_by: Annotated[
+            _OrderBy,
+            BeforeValidator(parse_json_pre_validator),
             Field(
-                default=converted_default,
                 description=(
                     f"Order by field (`{msg_field_options}`) and direction (`{msg_direction_options}`). "
                     f"The default sorting order is `{json_dumps(default)}`."
                 ),
                 examples=[order_by_example],
                 json_schema_extra={"example_json": order_by_example_json},
-            )
-        )
+            ),
+        ] = converted_default
+
+    return _OrderJsonQueryParams
+
+
+def _parse_order_by(v):
+    if not v:
+        return []
+
+    if isinstance(v, list):
+        v = ",".join(v)
+
+    if not isinstance(v, str):
+        msg = "order_by must be a string"
+        raise TypeError(msg)
 
-    return _OrderQueryParams
+    # 1. from comma-separated string to list of OrderClause
+    clauses = []
+    for t in v.split(","):
+        token = t.strip()
+        if not token:
+            continue
+        if token.startswith("-"):
+            clauses.append((token[1:], OrderDirection.DESC))
+        elif token.startswith("+"):
+            clauses.append((token[1:], OrderDirection.ASC))
+        else:
+            clauses.append((token, OrderDirection.ASC))
+
+    # 2. check for duplicates and conflicting directions
+    return [
+        {"field": field, "direction": direction}
+        for field, direction in check_ordering_list(clauses)
+    ]
+
+
+class OrderingQueryParams(BaseModel, Generic[TField]):
+    """
+    This class is designed to parse query parameters for ordering results in an API request.
+
+    It supports multiple ordering clauses and allows for flexible sorting options.
+
+    NOTE: It only parses strings and validates into list[OrderClause[TField]]
+    where TField is a type variable representing valid field names.
+
+
+    For example:
+
+        /my/path?order_by=field1,-field2,+field3
+
+    would sort by field1 ascending, field2 descending, and field3 ascending.
+    """
+
+    order_by: Annotated[
+        list[OrderClause[TField]],
+        BeforeValidator(_parse_order_by),
+        Field(default_factory=list),
+    ] = DEFAULT_FACTORY
+
+    model_config = ConfigDict(
+        json_schema_extra={
+            "examples": [
+                {"order_by": "-created_at,name,+gender"},
+                {"order_by": ""},
+            ],
+        }
+    )
diff --git a/packages/models-library/tests/test_rest_ordering.py b/packages/models-library/tests/test_rest_ordering.py
index 33e1ad654d10..6feda4731df6 100644
--- a/packages/models-library/tests/test_rest_ordering.py
+++ b/packages/models-library/tests/test_rest_ordering.py
@@ -1,11 +1,14 @@
 import pickle
+from typing import Literal
 
 import pytest
 from common_library.json_serialization import json_dumps
 from models_library.basic_types import IDStr
 from models_library.rest_ordering import (
     OrderBy,
+    OrderClause,
     OrderDirection,
+    OrderingQueryParams,
     create_ordering_query_model_class,
 )
 from pydantic import (
@@ -236,3 +239,47 @@ def test_ordering_query_parse_json_pre_validator():
     assert error["loc"] == ("order_by",)
     assert error["type"] == "value_error"
     assert error["input"] == bad_json_value
+
+
+def test_ordering_query_params_parsing():
+    """Test OrderingQueryParams parsing from URL query format like ?order_by=-created_at,name,+gender"""
+
+    # Define allowed fields using Literal type
+    ValidField = Literal["created_at", "name", "gender"]
+
+    class TestOrderingParams(OrderingQueryParams[ValidField]):
+        pass
+
+    # Test parsing from comma-separated string
+    params = TestOrderingParams.model_validate({"order_by": "-created_at,name,+gender"})
+
+    assert params.order_by == [
+        OrderClause[ValidField](field="created_at", direction=OrderDirection.DESC),
+        OrderClause[ValidField](field="name", direction=OrderDirection.ASC),
+        OrderClause[ValidField](field="gender", direction=OrderDirection.ASC),
+    ]
+
+
+def test_ordering_query_params_validation_error_with_invalid_fields():
+    """Test that OrderingQueryParams raises ValidationError when invalid fields are used"""
+
+    # Define allowed fields using Literal type
+    ValidField = Literal["created_at", "name"]
+
+    class TestOrderingParams(OrderingQueryParams[ValidField]):
+        pass
+
+    # Test with invalid field should raise ValidationError
+    with pytest.raises(ValidationError) as err_info:
+        TestOrderingParams.model_validate(
+            {"order_by": "-created_at,invalid_field,name"}
+        )
+
+    # Verify the validation error details
+    exc = err_info.value
+    assert exc.error_count() == 1
+
+    error = exc.errors()[0]
+    assert error["loc"] == ("order_by", 1, "field")
+    assert error["type"] == "literal_error"
+    assert error["input"] == "invalid_field"

From f2dce189072b5e6638df2a57ec74c0b6ff96e5b2 Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:55:16 +0100
Subject: [PATCH 7/8] bad import

---
 .../src/simcore_service_webserver/users/_accounts_service.py    | 2 --
 1 file changed, 2 deletions(-)

diff --git a/services/web/server/src/simcore_service_webserver/users/_accounts_service.py b/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
index a7ff44a5e511..2904e9dd2623 100644
--- a/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
+++ b/services/web/server/src/simcore_service_webserver/users/_accounts_service.py
@@ -6,7 +6,6 @@
 from common_library.users_enums import AccountRequestStatus
 from models_library.api_schemas_webserver.users import UserAccountGet
 from models_library.emails import LowerCaseEmailStr
-from models_library.list_operations import OrderDirection
 from models_library.products import ProductName
 from models_library.users import UserID
 from notifications_library._email import create_email_session
@@ -16,7 +15,6 @@
 from ..db.plugin import get_asyncpg_engine
 from ..products._service import get_product
 from . import _accounts_repository, _users_repository
-from ._accounts_repository import OrderKeys
 from .exceptions import (
     AlreadyPreRegisteredError,
     PendingPreRegistrationNotFoundError,

From 200695fdc8e996d6e1200d0d1817dd9207b9df6f Mon Sep 17 00:00:00 2001
From: Pedro Crespo-Valero <32402063+pcrespov@users.noreply.github.com>
Date: Mon, 17 Nov 2025 11:07:31 +0100
Subject: [PATCH 8/8] fixes jinja

---
 .../templates/on_account_requested.email.content.html     | 4 ++--
 .../templates/on_account_requested.email.content.txt      | 4 ++--
 .../simcore_service_webserver/login_accounts/_service.py  | 2 +-
 .../templates/common/request_account.jinja2               | 8 ++++----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
index d922a71ad6c2..b2d1d6a2fd18 100644
--- a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
+++ b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.html
@@ -7,8 +7,8 @@
   We have received the following request form for an account in :
 <ol>
   <li>Product: <b>{{ product.display_name }}</b></li>
-  <li>Host: <b>{{ host|rstrip('/') }}</b></li>
-  <li>PO center: <b>https://{{ host|rstrip('/') }}/#/review-users</b></li>
+  <li>Host: <b>{{ host }}</b></li>
+  <li>PO center: <b>https://{{ host }}/#/review-users</b></li>
 </ol>
 </p>
 
diff --git a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
index f8acd5c97c40..bd249826e654 100644
--- a/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
+++ b/packages/notifications-library/src/notifications_library/templates/on_account_requested.email.content.txt
@@ -2,8 +2,8 @@ Dear Support team,
 
 We have received the following request form for an account in :
 - Product: **{{ product.display_name }}**
-- Host: **{{ host|rstrip('/') }}**
-- PO center: https://{{ host|rstrip('/') }}/#/review-users
+- Host: **{{ host }}**
+- PO center: https://{{ host }}/#/review-users
 {{ dumps(request_form) }}
 
 Some details about the requested product follow:
diff --git a/services/web/server/src/simcore_service_webserver/login_accounts/_service.py b/services/web/server/src/simcore_service_webserver/login_accounts/_service.py
index c882f9501e9d..704538fc26e8 100644
--- a/services/web/server/src/simcore_service_webserver/login_accounts/_service.py
+++ b/services/web/server/src/simcore_service_webserver/login_accounts/_service.py
@@ -89,7 +89,7 @@ async def send_account_request_email_to_support(
             reply_to=user_email,  # So that issue-tracker system ACK email is sent to the user that requests the account
             template=email_template_path,
             context={
-                "host": request.host,
+                "host": request.host.rstrip("/"),
                 "name": "product-owners",
                 "product": product.model_dump(
                     include={
diff --git a/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2 b/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
index 1228638df215..d156cec75dd6 100644
--- a/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
+++ b/services/web/server/src/simcore_service_webserver/templates/common/request_account.jinja2
@@ -1,7 +1,7 @@
-Request for an Account in {{ host|rstrip('/') }}
+Request for an Account in {{ host }}
 <!--
 NOTE: this header is only for testing purposes and removed automatically before sending
-TEST host:{{ host|rstrip('/') }}
+TEST host:{{ host }}
 TEST name:{{ name }}
 TEST product:{{ product }}
 TEST request_form:{{ request_form }}
@@ -14,8 +14,8 @@ Dear {{ name }},
   We have received the following request form for an account in :
 <ol>
   <li>Product: <b>{{ product.display_name }}</b></li>
-  <li>Host: <b>{{ host|rstrip('/') }}</b></li>
-  <li>PO center: <b>https://{{ host|rstrip('/') }}/#/review-users</b></li>
+  <li>Host: <b>{{ host }}</b></li>
+  <li>PO center: <b>https://{{ host }}/#/review-users</b></li>
 </ol>
 </p>