Skip to content

[19.0][ADD] auth_api_key_native_generate: endpoint to generate native API key from credentials#970

Open
xaviedoanhduy wants to merge 1 commit into
OCA:19.0from
xaviedoanhduy:19.0-add-auth_api_key_native_generate
Open

[19.0][ADD] auth_api_key_native_generate: endpoint to generate native API key from credentials#970
xaviedoanhduy wants to merge 1 commit into
OCA:19.0from
xaviedoanhduy:19.0-add-auth_api_key_native_generate

Conversation

@xaviedoanhduy

Copy link
Copy Markdown

New module auth_api_key_native_generate (ticket T68103).

Adds POST /api/auth/generate_api_key, exchanging a user's {db, login, password} for a native Odoo API key (res.users.apikeys) scoped to rpc. Response: {api_key, expiration_date}.

Behaviour

  • Credentials verified via native res.users.authenticate → goes through _assert_can_auth (native login cooldown / brute-force protection).
  • Two-factor-enabled users are refused (403); the endpoint only accepts a password.
  • Fixed validity window, 90 days by default, configurable via the auth_api_key_native_generate.duration system parameter and General Settings > Integrations.
  • No rolling renewal, existing keys are never revoked (multi-device).

Security hardening

  • auth="none" endpoint capped at 8 KiB body (413 on oversized) to avoid large-payload abuse.
  • Non-object JSON body rejected (400) instead of 500.
  • Docs note the reverse-proxy responsibilities (Basic Auth, rate limiting) and the proxy-mode requirement for the per-IP cooldown.

Status codes

  • 200 key issued
  • 400 missing/malformed/non-object
  • 401 bad credentials
  • 403 MFA enabled
  • 404 unknown db
  • 413 body too large.
image

@OCA-git-bot OCA-git-bot added series:19.0 mod:auth_api_key_native_generate Module auth_api_key_native_generate labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mod:auth_api_key_native_generate Module auth_api_key_native_generate series:19.0

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants