
Conversation

@jesusVMayor
Member

No description provided.

@OCA-git-bot
Contributor

Hi @sbidoul,
some modules you are maintaining are being modified, check this out!

return validator._decode(token, secret=validator._get_jwt_cookie_secret())
secret = None
if validator.renew_cookie_on_response:
secret = validator._get_jwt_cookie_secret()
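Review bot: the key used to verify the cookie now depends on renew_cookie_on_response, so with the flag off the cookie is checked only through whatever `_decode` does when it receives `secret=None`; that fallback, and the `_decode(...)` call that consumes `secret`, are outside this hunk. Add a comment at the `secret = None` line stating that None means "verify with the secret/public key configured on the validator", and consider selecting the verification key with its own setting instead of a flag named for the response-renewal behaviour, since a reader of this hunk cannot tell that a renewal flag also changes which key a cookie must be signed with.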
Member

I don't understand this part. If we don't check that the cookie is signed with the expected secret, a malicious client could send a forged cookie, right?

Member Author

No, if renew_cookie_on_response is False, _decode will be called with secret=None, so the function will check the cookie with the secret or public key configured in the validator.

raise UnauthorizedCompositeJwtError(exceptions)

if validator.cookie_enabled:
if validator.cookie_enabled and validator.renew_cookie_on_response:
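Review bot: the added `and validator.renew_cookie_on_response` gates the whole cookie-setting block, not just the re-issue of an already valid cookie, so with the flag off this code never sets a cookie at all, including on first authentication. If that is the intent, the field's help text should say that the cookie must then be issued by another service on the same domain or by a separate controller; otherwise keep first issuance under `cookie_enabled` alone and apply the new flag only to the re-issue of a cookie that was already presented.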
Member

This completely disables the cookie-setting mechanism if renew_cookie_on_response is not set, so that's probably not what you intended?

Member Author

Yes, that is the idea. We need a flow where Odoo only checks the cookie/header and validates it against the secret/public key configured in the validator; we don't need the cookie to be set again in the response.

Member

I don't get it, sorry. What will then set the cookie in the first place?

Member Author

Another service in the same domain (the cookie can be shared), or Odoo itself in a public controller that checks the credentials and sets the cookie.

Our goal is to implement a flow in the module where it only checks the token and gives access to the endpoint.
This can be done with the token in the header, but it is a problem with cookies, because Odoo sets it again with its own secret and also extends the expiry time.

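The two behaviours argued over in this thread, which key verifies the cookie and whether the response re-issues it, can be shown end to end with a small model. The code below is an added illustration and is not auth_jwt's own code: the validator class, its field names, the helper `authenticate_cookie`, the cookie-key derivation and the secrets are all hypothetical, and the JWT is HS256 built with the standard library only. It shows that with the renewal flag off a cookie signed with the validator's configured secret by another service is accepted and no new cookie is produced, a cookie signed with an unknown key is still rejected, and with the flag on the cookie is verified with the cookie secret and re-issued with a fresh expiry.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder (illustration only, not a JWT library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_decode(token: str, secret: bytes, now: float) -> dict:
    """Verify signature and expiry with the given key; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the client chose
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class CookieJwtValidator:
    """Hypothetical stand-in for the validator record; names are assumptions."""

    def __init__(self, secret_key: bytes, cookie_enabled=True,
                 renew_cookie_on_response=True, cookie_max_age=3600):
        self.secret_key = secret_key  # secret/public key configured on the validator
        self.cookie_enabled = cookie_enabled
        self.renew_cookie_on_response = renew_cookie_on_response
        self.cookie_max_age = cookie_max_age

    def _get_jwt_cookie_secret(self) -> bytes:
        # Cookies issued by this validator use a key derived from its own secret
        # (assumed derivation; the real module may differ).
        return hashlib.sha256(b"cookie:" + self.secret_key).digest()

    def _decode(self, token: str, secret=None, now=None) -> dict:
        # secret=None means "verify with the key configured on the validator",
        # which is the fallback the verify-only flow relies on.
        now = time.time() if now is None else now
        key = self.secret_key if secret is None else secret
        return jwt_decode(token, key, now)


def authenticate_cookie(validator: CookieJwtValidator, cookie: str, now: float):
    """Return (claims, renewed_cookie_or_None), mirroring the two gated code paths."""
    secret = None
    if validator.renew_cookie_on_response:
        secret = validator._get_jwt_cookie_secret()
    claims = validator._decode(cookie, secret=secret, now=now)
    renewed = None
    if validator.cookie_enabled and validator.renew_cookie_on_response:
        # re-issue with the cookie secret and a fresh expiry
        renewed = jwt_encode(dict(claims, exp=now + validator.cookie_max_age),
                             validator._get_jwt_cookie_secret())
    return claims, renewed


def is_accepted(validator: CookieJwtValidator, cookie: str, now: float) -> bool:
    try:
        authenticate_cookie(validator, cookie, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample data: a shared secret and a cookie minted by another service.
    shared, now = b"shared-secret-between-services", 1_700_000_000
    external_cookie = jwt_encode({"sub": "alice", "exp": now + 600}, shared)
    verify_only = CookieJwtValidator(shared, renew_cookie_on_response=False)
    print(authenticate_cookie(verify_only, external_cookie, now))
    print(is_accepted(verify_only, jwt_encode({"sub": "mallory", "exp": now + 600}, b"other"), now))
    renewing = CookieJwtValidator(shared, renew_cookie_on_response=True)
    print(is_accepted(renewing, external_cookie, now))  # wrong key for this mode
```

The last line is the situation the author describes: with renewal on, a cookie minted by another service with the shared secret fails, because the renewing validator expects its own cookie key and would otherwise overwrite the cookie with a new expiry.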
@jesusVMayor force-pushed the 16.0_auth_jwt_cookie_renew_field branch from c480a25 to 2721a0c on July 21, 2025 12:55
@github-actions

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale PR/Issue without recent activity, it'll be soon closed automatically. label Nov 23, 2025
@github-actions github-actions bot closed this Dec 28, 2025