Merge PR #751 into 17.0

Signed-off-by sbidoul
OCA · Jan 18, 2025 · 13d21c6 · 13d21c6
2 parents bfd34e0 + 559b3fe
commit 13d21c6
Show file tree

Hide file tree

Showing 22 changed files with 2,843 additions and 0 deletions.
diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
@@ -0,0 +1,164 @@
+========
+Auth JWT
+========
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:d22309ac82ef1eb8879974683b10d4be288eb330fd7e250927f1a8d602dc3988
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_jwt
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_jwt
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+JWT bearer token authentication.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+This module requires the ``pyjwt`` library to be installed.
+
+Usage
+=====
+
+This module lets developpers add a new ``jwt`` authentication method on
+Odoo controller routes.
+
+To use it, you must:
+
+- Create an ``auth.jwt.validator`` record to configure how the JWT token
+  will be validated.
+- Add an ``auth="jwt_{validator-name}"`` or
+  ``auth="public_or_jwt_{validator-name}"`` attribute to the routes you
+  want to protect where ``{validator-name}`` corresponds to the name
+  attribute of the JWT validator record.
+
+The ``auth_jwt_demo`` module provides examples.
+
+The JWT validator can be configured with the following properties:
+
+- ``name``: the validator name, to match the
+  ``auth="jwt_{validator-name}"`` route property.
+- ``audience``: a comma-separated list of allowed audiences, used to
+  validate the ``aud`` claim.
+- ``issuer``: used to validate the ``iss`` claim.
+- Signature type (secret or public key), algorithm, secret and JWK URI
+  are used to validate the token signature.
+
+In addition, the ``exp`` claim is validated to reject expired tokens.
+
+If the ``Authorization`` HTTP header is missing, malformed, or contains
+an invalid token, the request is rejected with a 401 (Unauthorized)
+code, unless the cookie mode is enabled (see below).
+
+If the token is valid, the request executes with the configured user id.
+By default the user id selection strategy is ``static`` (i.e. the same
+for all requests) and the selected user is configured on the JWT
+validator. Additional strategies can be provided by overriding the
+``_get_uid()`` method and extending the ``user_id_strategy`` selection
+field.
+
+The selected user is *not* stored in the session. It is only available
+in ``request.uid`` (and thus it is the one used in ``request.env``). To
+avoid any confusion and mismatches between the bearer token and the
+session, this module rejects requests made with an authenticated user
+session.
+
+Additionally, if a ``partner_id_strategy`` is configured, a partner is
+searched and if found, its id is stored in the
+``request.jwt_partner_id`` attribute. If ``partner_id_required`` is set,
+a 401 (Unauthorized) is returned if no partner was found. Otherwise
+``request.jwt_partner_id`` is left falsy. Additional strategies can be
+provided by overriding the ``_get_partner_id()`` method and extending
+the ``partner_id_strategy`` selection field.
+
+The decoded JWT payload is stored in ``request.jwt_payload``.
+
+The ``public_auth_jwt`` method delegates authentication to the standard
+Odoo ``public`` method when the Authorization header is not set. If it
+is set, the regular JWT authentication is performed as described above.
+This method is useful for public endpoints that need to work for
+anonymous users, but can be enhanced when an authenticated user is know.
+A typical use case is a "add to cart" endpoint that can work for
+anonymous users, but can be enhanced by binding the cart to a known
+customer when the authenticated user is known.
+
+You can enable a cookie mode on JWT validators. In this case, the JWT
+payload obtained from the ``Authorization`` header is returned as a
+Http-Only cookie. This mode is sometimes simpler for front-end
+applications which do not then need to store and protect the JWT token
+across requests and can simply rely on the cookie management mechanisms
+of browsers. When both the ``Authorization`` header and a cookie are
+provided, the cookie is ignored in order to let clients authenticate
+with a different user by providing a new JWT token.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* ACSONE SA/NV
+
+Contributors
+------------
+
+- Stéphane Bidoul <[email protected]>
+- Mohamed Alkobrosli <[email protected]>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
+    :target: https://github.com/sbidoul
+    :alt: sbidoul
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-sbidoul| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_jwt>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_jwt/__init__.py b/auth_jwt/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
@@ -0,0 +1,20 @@
+# Copyright 2021 ACSONE SA/NV
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+{
+    "name": "Auth JWT",
+    "summary": """
+        JWT bearer token authentication.""",
+    "version": "17.0.1.0.0",
+    "license": "LGPL-3",
+    "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
+    "maintainers": ["sbidoul"],
+    "website": "https://github.com/OCA/server-auth",
+    "depends": [],
+    "external_dependencies": {"python": ["pyjwt", "cryptography"]},
+    "data": ["security/ir.model.access.csv", "views/auth_jwt_validator_views.xml"],
+    "demo": [],
+    "installable": True,
+    "application": False,
+    "auto_install": False,
+}
diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
@@ -0,0 +1,54 @@
+# Copyright 2021 ACSONE SA/NV
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl)
+
+from werkzeug.exceptions import InternalServerError, Unauthorized
+
+
+class UnauthorizedMissingAuthorizationHeader(Unauthorized):
+    pass
+
+
+class UnauthorizedMissingCookie(Unauthorized):
+    pass
+
+
+class UnauthorizedMalformedAuthorizationHeader(Unauthorized):
+    pass
+
+
+class UnauthorizedSessionMismatch(Unauthorized):
+    pass
+
+
+class AmbiguousJwtValidator(InternalServerError):
+    pass
+
+
+class JwtValidatorNotFound(InternalServerError):
+    pass
+
+
+class UnauthorizedInvalidToken(Unauthorized):
+    pass
+
+
+class UnauthorizedPartnerNotFound(Unauthorized):
+    pass
+
+
+class UnauthorizedCompositeJwtError(Unauthorized):
+    """Indicate that multiple errors occurred during JWT chain validation."""
+
+    def __init__(self, errors):
+        self.errors = errors
+        super().__init__(
+            "Multiple errors occurred during JWT chain validation:\n"
+            + "\n".join(
+                f"{validator_name}: {error}"
+                for validator_name, error in self.errors.items()
+            )
+        )
+
+
+class ConfigurationError(InternalServerError):
+    pass