[17.0][ADD] fastapi_auth_apikey#544
Conversation
6c2be3c to
e2d6874
Compare
|
@simahawk @lmignon @etobella @sbidoul
We've seen the module at https://github.com/OCA/server-auth/tree/17.0/auth_api_key . It provides an additional APIKey layer to the system and more maintenance, etc. However, it's more complex, and if you only want it for this FastAPI case, you'll have to maintain a much more complex module (I'm not saying it's incorrect, just that it's for more complex cases). How would you view the use of this proposed concept? |
|
@Tisho99 Thank you for the proposal. A first glance at the code suggests that this is very interesting. I'll try to take a closer look over the next few days. |
| raise HTTPException( | ||
| status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect API Key" | ||
| ) | ||
| if endpoint.user_id.id and endpoint.user_id.id != uid: |
There was a problem hiding this comment.
@Tisho99 You link your endpoint to only one user? The user_id on the endpoint is the technical user running the process. The authentication is a way to authenticate a partner requesting the endpoint. I'm may be wrong when reading your code but this line will restrict the use of this endpoint to the partner linked to the user_id defined on the endpoint.
There was a problem hiding this comment.
Hi @lmignon, sorry for the late response
Yes, my code works that way. Do you see any issue with that approach?
Since API keys in Odoo can be generated by any internal user, this effectively means that, without additional restrictions, any internal user could potentially gain access to the endpoint.
I’ll be thinking about a better approach
There was a problem hiding this comment.
@lmignon How do you see this approach? Do you think it would be better to use a checkbox to indicate which users are allowed?
|
Is this a duplicate of #544 ? |
This is the 544. |
|
My bad I meant #539 |
Owl-y shit, I hadn't seen the module. I think the idea is a little different since it's still done by scope, so it's not the idea of keeping two modules identical. I don't know what you think about this point of view; I understand that OCA would follow the other module. In my opinion, I'm not entirely convinced that you can see the API key logs. In this case, a scope is used to mask that point. |
|
@ValentinVinagre As there was an existing module in v16 (but was never merged?) But to respect other work if @Tisho99 could base his work on it, that would be nice. (especially if it needs some migration scripts) Otherwise I like the module name fastapi_auth_api_key better. With api and key separated as the camelcase APIKey translate to api_key in snake case. ping @henrybackman @mmequignon |
Okay, so that's why we created this module, and the OCA module is based on the "auth_api_key_group" module, as @Tisho99 points out. |
|
@Tisho99 change name to: Fastapi_auth_odoo_api_key or Fastapi_auth_scope_api_key |
This module provides
FastAPIDependsto allow authentication with Odoo's built inAPI Keys
T-8323