yezyilomo / odoo-rest-api

Module which expose Odoo as a REST API
MIT License
209 stars 169 forks source link

Sending session_id in Cookies doesn't work #54

Closed tillyr-cube48 closed 3 years ago

tillyr-cube48 commented 4 years ago

Hi,

Thanks for your module this makes our work very simpler. I am working in Odoo 13

As mentioned, due to security purpose I sent the session_id in cookies but instead of returning the results I get Odoo Login page as the response (302 error - Redirection) for GET and DELETE Methods and Odoo session expired response for POST

could you please guide me on this issue?

yezyilomo commented 4 years ago

How are you sending your cookie?.

meswapnilwagh commented 3 years ago

I am also facing same issue, I am using postman to test the api, /auth route is working fine but with other route's I am facing same redirection issue and getting odoo login page as response.

Please find below postman request and Odoo logs

PostmanRequest

Screen Shot 2020-12-03 at 2 17 47 PM

Odoo-Logs

Screen Shot 2020-12-03 at 2 15 30 PM

2020-12-03 10:07:50,550 1 DEBUG pls odoo.modules.registry: Multiprocess signaling check: [Registry - 2 -> 2] [Cache - 18 -> 18] 2020-12-03 10:07:50,566 1 INFO pls werkzeug: 172.27.0.1 - - [03/Dec/2020 10:07:50] "GET /api/res.users HTTP/1.1" 302 - 1 0.001 0.018 2020-12-03 10:07:50,582 1 DEBUG pls odoo.modules.registry: Multiprocess signaling check: [Registry - 2 -> 2] [Cache - 18 -> 18] 2020-12-03 10:07:50,601 1 INFO pls werkzeug: 172.27.0.1 - - [03/Dec/2020 10:07:50] "GET /web/login?redirect=http%3A%2F%2Flocalhost%3A8069%2Fapi%2Fres.users HTTP/1.1" 200 - 4 0.003 0.018

Just to add more I am using postaman intercepter for sending cookies & working with odoo14

jeffery9 commented 3 years ago

because nested a web/session/authenticate/ call inside /auth, this is wrong for Odoo, there is 2 different sessions, each one is auth =none, and/auth return the wrong one that has not be authenticated.

BTW. auth= none should set uid = none in session, means the user in session has not login.

there have 2 solution, 1, dont use /auth, use /web/session/authenticate instead 2, rewrite /auth, call odoo internal call http.request.session.authenticate directly

good lucks.