shopinvader / odoo-shopinvader

Odoo Modules. Sorry Magento, Shopinvader is coming
GNU Affero General Public License v3.0

/v2/signin service #1428

Open sbidoul opened 11 months ago

sbidoul commented 11 months ago

```python
@route("/signin")
def signin(
    partner: Annotated[Partner | None, odoo.addons.fastapi_auth_jwt.dependencies.auth_jwt_optionally_authenticated_partner],
    payload: Annotated[Payload, odoo.addons.fastapi_auth_jwt.dependencies.auth_jwt_authenticated_payload],
    cookies: Annotated[Cookies, depends...],
):
    # No partner matches the authenticated JWT yet: create one from the payload
    if not partner:
        partner = env["...signin.helper.."]._create_partner_from_payload(payload)
    # Resolve the anonymous partner from its cookie, then fetch both carts
    anonymous_partner = env["res.partner"]._get_anonymous_partner__cookie(cookies)
    cart = env["sale.order"].get_cart_for_partner(partner)
    anonymous_cart = env["sale.order"].get_cart_for_partner(anonymous_partner)
    ...
```

Attention points / open questions:

sbidoul commented 11 months ago

@sebastienbeau ^ have you thought about verified emails on partners yet?

qgroulard commented 10 months ago

When /signin is called:

  1. If the jwt partner doesn't exist in Odoo: create it
  2. If there is an anonymous cart, transfer it to the real partner (remove the previous partner cart if there is one)
  3. Remove the anonymous partner
  4. Delete the anonymous cookie
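
The four steps above as a runnable sketch, added here as an example and not part of the thread or of the shopinvader code base. `Store` is a hypothetical in-memory stand-in for the Odoo models, and looking the partner up by the payload's email is an assumption; the anonymous token is invalidated server-side so that a replayed cookie cannot trigger a second merge.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    """Hypothetical in-memory stand-in for res.partner / sale.order."""
    partners: dict = field(default_factory=dict)     # partner_id -> email (None = anonymous)
    carts: dict = field(default_factory=dict)        # partner_id -> {sku: qty}
    anon_tokens: dict = field(default_factory=dict)  # cookie token -> anonymous partner_id
    next_id: int = 1

    def create_partner(self, email=None):
        pid, self.next_id = self.next_id, self.next_id + 1
        self.partners[pid] = email
        return pid

    def create_anonymous(self):
        """Create an anonymous partner and return its unguessable cookie token."""
        token = secrets.token_urlsafe(32)
        self.anon_tokens[token] = self.create_partner()
        return token


def signin(store, payload, anon_cookie=None):
    """Return (partner_id, delete_cookie) for an authenticated JWT payload."""
    email = payload["email"]
    # Step 1: create the partner if the JWT identity is unknown (assumed email match).
    pid = next((p for p, e in store.partners.items() if e == email), None)
    if pid is None:
        pid = store.create_partner(email)
    # Pop the token first: once consumed it can never resolve to a partner again.
    anon_pid = store.anon_tokens.pop(anon_cookie, None)
    if anon_pid is None:
        # No cookie, or a stale/replayed one: nothing to merge, but still
        # tell the client to drop any cookie it presented.
        return pid, anon_cookie is not None
    # Step 2: the anonymous cart, if any, replaces the partner's previous cart.
    anon_cart = store.carts.pop(anon_pid, None)
    if anon_cart:
        store.carts[pid] = anon_cart
    # Step 3: remove the anonymous partner.
    del store.partners[anon_pid]
    # Step 4: ask the caller to delete the anonymous cookie in the response.
    return pid, True
```
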

simahawk commented 6 months ago

Can we avoid binding this to JWT only? This API should be shared across all kinds of auth types. Right?

sbidoul commented 6 months ago

> Can we avoid binding this to JWT only?

Maybe. I don't know how to generalize that yet, though. In shopinvader_api_signin_jwt, we use information contained in the authenticated JWT payload to create the partner (name, email).

I'd say we need someone to explore how it would work with another authentication mechanism first, and then we can look at unifying things, if at all possible.

That said, the logic to convert an anonymous partner/cart to a known one could live elsewhere than shopinvader_api_signin_jwt. Not quite sure where, though. This logic depends on shopinvader_anonymous_partner.

hparfr commented 6 months ago

For the record, our current implementation of this in v14 is https://github.com/shopinvader/odoo-shopinvader/pull/1251

We took care of some of the corner cases.

sbidoul commented 6 months ago

> Not quite sure where, though

Maybe the logic to transfer a cart from one partner to another could go in sale_cart

simahawk commented 6 months ago

> > Not quite sure where, though
>
> Maybe the logic to transfer a cart from one partner to another could go in sale_cart

I was thinking of this. To me it makes more sense.

> When /signin is called:
>
> 1. If the jwt partner doesn't exist in Odoo: create it

Regarding when to create the anon partner... When do you expect this to happen? (I've left a comment on the PR). Do you expect to have a call to signin w/o customer details (eg: no email header in my case) before calling the cart endpoint?

A possible scenario could be that the customer clicks on "add to cart" and, if not authenticated, is asked to register or to continue as guest, and if the last choice is taken you call /signin. If this is the case I would say that it is better to have a specific endpoint for this (e.g. /signing/anon or /signin-anon).