feat: remove register, add evo webhooks, admin view-as user

- Remove /register route and nav links (users created via Evotor webhook)
- Fix evotor_webhooks.py: use phone=None instead of phone="" to avoid unique constraint
- Add admin "view as user" feature: POST /admin/users/{id}/view-as sets viewed_user_id
  in session; POST /admin/view-as/stop clears it
- catalog, vk_catalog, sync, connections GET routes use get_viewed_user() so admins
  see another user's data while browsing
- Orange banner shown at top when admin is viewing as another user

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/routes/auth.py

@@ -1,11 +1,10 @@
 import secrets
 
 from fastapi import APIRouter, Depends, Request
-from fastapi.responses import HTMLResponse, RedirectResponse
-from sqlalchemy import or_
+from fastapi.responses import HTMLResponse, RedirectResponse, Response
 from sqlalchemy.orm import Session
 
-from web.auth.password import hash_password, verify_password
+from web.auth.password import verify_password
 from web.auth.session import get_session_user_id
 from web.config import settings
 from web.database import get_db
@@ -23,60 +22,13 @@ def _render(request: Request, template: str, ctx: dict) -> HTMLResponse:
 
 
 @router.get("/register")
-async def register_get(request: Request, db: Session = Depends(get_db)):
-    if get_session_user_id(request):
-        return RedirectResponse("/profile", 303)
-    return _render(request, "register.html", {"user": None})
+async def register_get(request: Request):
+    return Response(status_code=404)
 
 
 @router.post("/register")
-async def register_post(request: Request, db: Session = Depends(get_db)):
-    form = await request.form()
-    data = {k: str(v).strip() for k, v in form.items()}
-    errors = []
-
-    if not data.get("email"):
-        errors.append("Email обязателен")
-    if not data.get("phone"):
-        errors.append("Телефон обязателен")
-    if not data.get("password"):
-        errors.append("Пароль обязателен")
-    if len(data.get("password", "")) < 8:
-        errors.append("Пароль должен содержать минимум 8 символов")
-    if data.get("password") != data.get("password_confirm"):
-        errors.append("Пароли не совпадают")
-
-    if not errors:
-        existing = db.query(User).filter(
-            or_(User.email == data["email"], User.phone == data["phone"])
-        ).first()
-        if existing:
-            if existing.email == data["email"]:
-                errors.append("Пользователь с таким email уже существует")
-            else:
-                errors.append("Пользователь с таким телефоном уже существует")
-
-    if errors:
-        return _render(request, "register.html", {"user": None, "errors": errors, "form": data})
-
-    token = secrets.token_urlsafe(32)
-    user = User(
-        first_name=data.get("first_name", ""),
-        last_name=data.get("last_name", ""),
-        email=data["email"],
-        phone=data["phone"],
-        password_hash=await _hash(data["password"]),
-        email_confirm_token=token,
-        status=UserStatusEnum.pending,
-    )
-    db.add(user)
-    db.commit()
-
-    confirm_url = f"{settings.BASE_URL}/confirm-email?token={token}"
-    html = f'<p>Подтвердите email: <a href="{confirm_url}">{confirm_url}</a></p>'
-    send_email_task.delay(user.email, "Подтвердите ваш email — ЭВОСИНК", html)
-
-    return _render(request, "confirm_email.html", {"user": None})
+async def register_post(request: Request):
+    return Response(status_code=404)
 
 
 @router.get("/confirm-email")
@@ -167,4 +119,5 @@ async def logout(request: Request):
 
 async def _hash(plain: str) -> str:
     import asyncio
+    from web.auth.password import hash_password
     return await asyncio.get_event_loop().run_in_executor(None, hash_password, plain)