Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TODO] issue with public service [help needed] #1093

Closed
wants to merge 1 commit into from
Closed

[TODO] issue with public service [help needed] #1093

wants to merge 1 commit into from

Conversation

sebastienbeau
Copy link
Contributor

@sebastienbeau sebastienbeau commented Sep 3, 2021
edited
Loading

@kevinkhao @lmignon @simahawk

  • I need to add a test to show the bug
  • need to think twice about the right solution. Adding sudo is maybe not the best idea, but adding extra right on public user is not a better one (as this will give to much read access on some record through native xmlrpc)

TODO solve

  • when you use the auth_api_key the setting are only return if you pass the website_key (indeed as their is not auth the auth api key is not used to get the website)
  • With the jwt auth we need to think twice about what is public and what is not public. For example you do not need to be authentificated to add a product to the cart. In case of auth_api_key maybe we want to keep the current behaviour and protect all service (so nothing will be public)

kevinkhao
kevinkhao approved these changes Sep 3, 2021
View reviewed changes
Copy link
Contributor

@kevinkhao kevinkhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sebastienbeau sebastienbeau changed the title [FIX] fix wrong auth method, we should keep the default one [FIX] api settings is broken due to access right Sep 6, 2021
@sebastienbeau
Copy link
Contributor Author

sebastienbeau commented Sep 7, 2021
edited
Loading

do not merge I need to add a test for reproducing the bug. Also I have changed the code after the approve.

@sebastienbeau sebastienbeau changed the title [FIX] api settings is broken due to access right [TODO] issue with public service [help needed] Sep 7, 2021
@shopinvader-git-bot
Copy link

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

@shopinvader-git-bot
Copy link

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

@sebastienbeau sebastienbeau added this to the 14.0 milestone Sep 18, 2021
@simahawk
Copy link
Contributor

simahawk commented Oct 5, 2021

I think that for these cases using sudo is fine. Having tests would be great.

@PierrickBrun PierrickBrun self-requested a review October 5, 2021 08:14
lmignon
lmignon requested changes Oct 8, 2021
View reviewed changes
shopinvader/components/service_context_provider.py
@@ -43,8 +43,10 @@ def _get_backend(self):
website_unique_key = self.request.httprequest.environ.get(
"HTTP_WEBSITE_UNIQUE_KEY"
)
return self.env["shopinvader.backend"]._get_from_website_unique_key(
website_unique_key
return (
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sebastienbeau IMO we should never use sudo in this case... Services are run with a technical user. Therefore, the technical user should have the right to read backend information.

@hparfr
Copy link
Contributor

hparfr commented Jan 5, 2022

With the jwt auth we need to think twice about what is public and what is not public. For example you do not need to be authentificated to add a product to the cart. In case of auth_api_key maybe we want to keep the current behaviour and protect all service (so nothing will be public)

Let's clarify a little bit.

/cart (add a product, change qty...) needs the user to be authenticated. It can be with an existing account or anonymously. It's not public.

/settings (currencies, supported languages...) can be public, without any authentication.

need to think twice about the right solution. Adding sudo is maybe not the best idea, but adding extra right on public user is not a better one (as this will give to much read access on some record through native xmlrpc)

Having one shopinvader technical user is necessary to use like a public_user.
env.with_user(shopinvader_technical_user).get_backend()

We can also have 2 users (one privilegied with write access), but I do not know if it's worth the effort.

when you use the auth_api_key the setting are only return if you pass the website_key (indeed as their is not auth the auth api key is not used to get the website)

I see website_unique_key like a public identifier, not related to authentication.

@sbidoul
Copy link
Member

sbidoul commented Jan 28, 2022

@hparfr

/cart (add a product, change qty...) needs the user to be authenticated. It can be with an existing account or anonymously. It's not public

We discussed that at the sprint in Liège we concluded that /cart is public but must work with a non guessable unique cart id instead.

Indeed when working with a SPA front end, an anonymous user does not have a token at all and there is no concept of user session like with locomotive.

Hence the public_or_jwt auth method.

cc/ @lmignon

@simahawk
Copy link
Contributor

simahawk commented Jan 28, 2022
edited
Loading

I just had to fix this problem temporarely here https://github.com/shopinvader/odoo-shopinvader/pull/1108/commits

When you define a route as "public" ATM you must use sudo because the real user will be "Public User" and not the tech one.
Hence, each call to retrieve the backend or an api key will fail.

You don't really want to grant special permissions to the public user IMO and it's also tricky because there's a validation on which groups are assigned to this kind of users (eg: no internal group that might come via implied groups).

@lmignon
Copy link
Collaborator

lmignon commented Jan 28, 2022

@simahawk Be carefull if you use the "public" auth, you'll nerver get user info if the same service is called by an authenticated user if no odoo session is provided. That's why the public_or_jwt auth method has been developed. Moreover, with the recent changes into the rest_framework, you should reconsider the way you manage the security into your services (OCA/rest-framework#204). You service context provider is now responsible to provide the 'authenticated_partner_id'. You can see here how this information is provided when auth_jwt is used with base_rest. This information is made available into the record rule evaluation context. Therefore it's no more a good practice to use sudo into the method called by the rest_framework.

@hparfr
Copy link
Contributor

hparfr commented Jan 28, 2022

Thanks for this feedback.

I'm working on these issues these days. I will do a recap of our recent findings here.

My goal is to let the client (the browser) target the shopinvader api directly — SPA scenario.

There is multiple ways to keep a unique cart in a time span :
A) - non guessable cart_id sent on each request
B) - http session
C) - jwt token

We found some implementation of B and C in the wild for major e-commerce sites.

The C) is IMO the more elegant solution. The client always use a jwt token.

The good:

  • one way of doing. Easier to reason. Easier to explain to frontend devs. Less error prone when converting an anonymous user to registered user.
  • always bind a JWT to a partner : it will simplify code. Settings like language are stored on the partner.
  • allows new use cases, like let an anonymous partner to change his address to estimate transport fees

The bad:

  • have to create cleanup strategy of partners (like for abandoned carts)
  • keycloak does not support it (yet).

A) See above for "bind a cart" instead of "bind a user".
If the user open two tabs, he should have only one cart id. So we have some to do some work on frontend to ensure the cart unicity.

About permissions:

You don't really want to grant special permissions to the public user

Agree.

@sebastienbeau sebastienbeau added the change Change in existing module label Jun 14, 2023
@github-actions GitHub Actions
Copy link

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale label Feb 11, 2024
@github-actions github-actions bot closed this Mar 17, 2024
@sbidoul
Copy link
Member

sbidoul commented Mar 18, 2024

To close the loop here, the current approach is summarized in #1510 (comment).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lmignon lmignon lmignon requested changes

@kevinkhao kevinkhao kevinkhao approved these changes

@PierrickBrun PierrickBrun Awaiting requested review from PierrickBrun

Assignees
No one assigned
Labels
change Change in existing module help wanted stale WIP
Projects
None yet
Milestone
14.0
Development

Successfully merging this pull request may close these issues.
8 participants
@sebastienbeau @shopinvader-git-bot @simahawk @hparfr @sbidoul @lmignon @PierrickBrun @kevinkhao