[17.0][IMP] auth_oauth_multi_token: make it compatible with odoo.sh "login as" #764
Conversation
| oauth_master_uuid = fields.Char( | ||
|
|
||
| # use the oauth_access_token field as oauth_master_uuid | ||
| oauth_access_token = fields.Char( | ||
| string="Master UUID", |
There was a problem hiding this comment.
You only need to define the default, isn't it?
There was a problem hiding this comment.
The origninal definition is this:
oauth_access_token = fields.Char(string='OAuth Access Token', readonly=True, copy=False, prefetch=False)
There was a problem hiding this comment.
The redefinition of labels cause a mix of terms across the system sometimes, so it's not the best option. And the required=True will provoke troubles everywhere.
There was a problem hiding this comment.
I am also not very happy for reusing this field. We could leave the string value as is and just add an comment that this field is used as Master UUID instead of access_token.
The required=True I just took from the oauth_master_uuid field, but I am not sure if this is needed to force the default creation? It shouldn't be empty or the same value as another user, to make sure that the access_token is not used by a different user.
CRogos
force-pushed
the
17.0-imp-auth_oauth_multi_token-odoo.sh
branch
3 times, most recently
from
024bcf6 to
890d7f7
Compare
CRogos
force-pushed
the
17.0-imp-auth_oauth_multi_token-odoo.sh
branch
from
890d7f7 to
6dfc1d7
Compare
I've added a migration script. I've also added a test and found out, that not the oldest but the second oldest token was removed when reaching max token number. |
Odoo.sh provides an option to login-in as a specified user.
When you install this OCA module auth_oauth_multi_token , the "connect" or "login as" of odoo.sh is not working anymore, but this is essential for the Odoo support.
This is caused by this change of the module:
server-auth/auth_oauth_multi_token/models/res_users.py
Lines 80 to 83 in 260f262
This causes, that the session_token (I assume generated by odoo.sh code) is not valid and the check here causes an automatic logout.
https://github.com/odoo/odoo/blob/7d3931bf36996cf5b51533e4a0a788ad8f3eb6c0/odoo/service/security.py#L11-L13C17
https://github.com/odoo/odoo/blob/7d3931bf36996cf5b51533e4a0a788ad8f3eb6c0/odoo/addons/base/models/res_users.py#L924-L941
My assumption is, that odoo.sh does not use the changes done by the _get_session_token_fields method, when creating the login session, but because the odoo.sh code is not public I cannot validate this assumption.
Meanwhile I also received and answer from Odoo and they are not willing/able to improve their implementation.
This PR bypasses the change of
def _get_session_token_fieldsand therefore stays compatible with Odoo.sh