-
-
Notifications
You must be signed in to change notification settings - Fork 423
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[IMP] migrate the auth_jwt with its demo from odoo16 to odoo17
- Loading branch information
Showing
42 changed files
with
30,182 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,157 @@ | ||
======== | ||
Auth JWT | ||
======== | ||
|
||
.. | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! This file is generated by oca-gen-addon-readme !! | ||
!! changes will be overwritten. !! | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! source digest: sha256:d22309ac82ef1eb8879974683b10d4be288eb330fd7e250927f1a8d602dc3988 | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png | ||
:target: https://odoo-community.org/page/development-status | ||
:alt: Beta | ||
.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png | ||
:target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html | ||
:alt: License: LGPL-3 | ||
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github | ||
:target: https://github.com/OCA/server-auth/tree/16.0/auth_jwt | ||
:alt: OCA/server-auth | ||
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png | ||
:target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt | ||
:alt: Translate me on Weblate | ||
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png | ||
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0 | ||
:alt: Try me on Runboat | ||
|
||
|badge1| |badge2| |badge3| |badge4| |badge5| | ||
|
||
JWT bearer token authentication. | ||
|
||
**Table of contents** | ||
|
||
.. contents:: | ||
:local: | ||
|
||
Installation | ||
============ | ||
|
||
This module requires the ``pyjwt`` library to be installed. | ||
|
||
Usage | ||
===== | ||
|
||
This module lets developpers add a new ``jwt`` authentication method on Odoo | ||
controller routes. | ||
|
||
To use it, you must: | ||
|
||
* Create an ``auth.jwt.validator`` record to configure how the JWT token will | ||
be validated. | ||
* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"`` | ||
attribute to the routes you want to protect where ``{validator-name}`` corresponds to | ||
the name attribute of the JWT validator record. | ||
|
||
The ``auth_jwt_demo`` module provides examples. | ||
|
||
The JWT validator can be configured with the following properties: | ||
|
||
* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"`` | ||
route property. | ||
* ``audience``: a comma-separated list of allowed audiences, used to validate | ||
the ``aud`` claim. | ||
* ``issuer``: used to validate the ``iss`` claim. | ||
* Signature type (secret or public key), algorithm, secret and JWK URI | ||
are used to validate the token signature. | ||
|
||
In addition, the ``exp`` claim is validated to reject expired tokens. | ||
|
||
If the ``Authorization`` HTTP header is missing, malformed, or contains | ||
an invalid token, the request is rejected with a 401 (Unauthorized) code, | ||
unless the cookie mode is enabled (see below). | ||
|
||
If the token is valid, the request executes with the configured user id. By | ||
default the user id selection strategy is ``static`` (i.e. the same for all | ||
requests) and the selected user is configured on the JWT validator. Additional | ||
strategies can be provided by overriding the ``_get_uid()`` method and | ||
extending the ``user_id_strategy`` selection field. | ||
|
||
The selected user is *not* stored in the session. It is only available in | ||
``request.uid`` (and thus it is the one used in ``request.env``). To avoid any | ||
confusion and mismatches between the bearer token and the session, this module | ||
rejects requests made with an authenticated user session. | ||
|
||
Additionally, if a ``partner_id_strategy`` is configured, a partner is searched | ||
and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If | ||
``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner | ||
was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional | ||
strategies can be provided by overriding the ``_get_partner_id()`` method | ||
and extending the ``partner_id_strategy`` selection field. | ||
|
||
The decoded JWT payload is stored in ``request.jwt_payload``. | ||
|
||
The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public`` | ||
method when the Authorization header is not set. If it is set, the regular JWT | ||
authentication is performed as described above. This method is useful for public | ||
endpoints that need to work for anonymous users, but can be enhanced when an | ||
authenticated user is know. A typical use case is a "add to cart" endpoint that can work | ||
for anonymous users, but can be enhanced by binding the cart to a known customer when | ||
the authenticated user is known. | ||
|
||
You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained | ||
from the ``Authorization`` header is returned as a Http-Only cookie. This mode is | ||
sometimes simpler for front-end applications which do not then need to store and protect | ||
the JWT token across requests and can simply rely on the cookie management mechanisms of | ||
browsers. When both the ``Authorization`` header and a cookie are provided, the cookie | ||
is ignored in order to let clients authenticate with a different user by providing a new | ||
JWT token. | ||
|
||
Bug Tracker | ||
=========== | ||
|
||
Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_. | ||
In case of trouble, please check there if your issue has already been reported. | ||
If you spotted it first, help us to smash it by providing a detailed and welcomed | ||
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. | ||
|
||
Do not contact contributors directly about support or help with technical issues. | ||
|
||
Credits | ||
======= | ||
|
||
Authors | ||
~~~~~~~ | ||
|
||
* ACSONE SA/NV | ||
|
||
Contributors | ||
~~~~~~~~~~~~ | ||
|
||
* Stéphane Bidoul <[email protected]> | ||
|
||
Maintainers | ||
~~~~~~~~~~~ | ||
|
||
This module is maintained by the OCA. | ||
|
||
.. image:: https://odoo-community.org/logo.png | ||
:alt: Odoo Community Association | ||
:target: https://odoo-community.org | ||
|
||
OCA, or the Odoo Community Association, is a nonprofit organization whose | ||
mission is to support the collaborative development of Odoo features and | ||
promote its widespread use. | ||
|
||
.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px | ||
:target: https://github.com/sbidoul | ||
:alt: sbidoul | ||
|
||
Current `maintainer <https://odoo-community.org/page/maintainer-role>`__: | ||
|
||
|maintainer-sbidoul| | ||
|
||
This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_jwt>`_ project on GitHub. | ||
|
||
You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from . import models |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Copyright 2021 ACSONE SA/NV | ||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl). | ||
|
||
{ | ||
"name": "Auth JWT", | ||
"summary": """ | ||
JWT bearer token authentication.""", | ||
"version": "17.0.1.1.0", | ||
"license": "LGPL-3", | ||
"author": "ACSONE SA/NV,Odoo Community Association (OCA)", | ||
"maintainers": ["sbidoul"], | ||
"website": "https://github.com/OCA/server-auth", | ||
"depends": [], | ||
"external_dependencies": {"python": ["pyjwt", "cryptography"]}, | ||
"data": ["security/ir.model.access.csv", "views/auth_jwt_validator_views.xml"], | ||
"demo": [], | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
# Copyright 2021 ACSONE SA/NV | ||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl) | ||
|
||
from werkzeug.exceptions import InternalServerError, Unauthorized | ||
|
||
|
||
class UnauthorizedMissingAuthorizationHeader(Unauthorized): | ||
pass | ||
|
||
|
||
class UnauthorizedMissingCookie(Unauthorized): | ||
pass | ||
|
||
|
||
class UnauthorizedMalformedAuthorizationHeader(Unauthorized): | ||
pass | ||
|
||
|
||
class UnauthorizedSessionMismatch(Unauthorized): | ||
pass | ||
|
||
|
||
class AmbiguousJwtValidator(InternalServerError): | ||
pass | ||
|
||
|
||
class JwtValidatorNotFound(InternalServerError): | ||
pass | ||
|
||
|
||
class UnauthorizedInvalidToken(Unauthorized): | ||
pass | ||
|
||
|
||
class UnauthorizedPartnerNotFound(Unauthorized): | ||
pass | ||
|
||
|
||
class UnauthorizedCompositeJwtError(Unauthorized): | ||
"""Indicate that multiple errors occurred during JWT chain validation.""" | ||
|
||
def __init__(self, errors): | ||
self.errors = errors | ||
super().__init__( | ||
"Multiple errors occurred during JWT chain validation:\n" | ||
+ "\n".join( | ||
"{}: {}".format(validator_name, error) | ||
for validator_name, error in self.errors.items() | ||
) | ||
) | ||
|
||
|
||
class ConfigurationError(InternalServerError): | ||
pass |
Oops, something went wrong.