
/v2/signin service #1428

Open
sbidoul opened this issue Oct 16, 2023 · 7 comments

Comments

@sbidoul
Member

sbidoul commented Oct 16, 2023

```python
@route("/signin")
def signin(
    partner: Annotated[Partner | None, odoo.addons.fastapi_auth_jwt.dependencies.auth_jwt_optionally_authenticated_partner],
    payload: Annotated[Payload, odoo.addons.fastapi_auth_jwt.dependencies.auth_jwt_authenticated_payload],
    cookies: Annotated[Cookies, depends...],
):
    # No partner bound to the token yet: create one from the JWT claims
    if not partner:
        partner = env["...signin.helper.."]._create_partner_from_payload(payload)
    # Anonymous partner identified by the anonymous cookie, if any
    anonymous_partner = env["res.partner"]._get_anonymous_partner__cookie(cookies)
    cart = env["sale.order"].get_cart_for_partner(partner)
    anonymous_cart = env["sale.order"].get_cart_for_partner(anonymous_partner)
    ...
```

Attention points / open questions:

  • Verified email notion: If we use the email from the token we can assume that that email is verified if the IDP is configured correctly. However, in Odoo could we have situations where the email field is populated with an unverified email? Maybe a shopinvader_verified_email module with a simple email_verified flag that we can set on partner creation, or let a backend user set if they are sure of the customer email.
  • What to do when the partner has an open cart, but also has an anonymous cart at the same time.
  • Can an anonymous partner create addresses? What to do with these addresses on signin?
@sbidoul
Member Author

sbidoul commented Oct 20, 2023

@sebastienbeau ^ have you thought about verified emails on partners yet?

@qgroulard
Contributor

When /signin is called:

  1. If the jwt partner doesn't exist in Odoo: create it
  2. If there is an anonymous cart, transfer it to the real partner (remove the previous partner cart if there is one)
  3. Remove the anonymous partner
  4. Delete the anonymous cookie
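
As an added illustration (not shopinvader or Odoo code, and not something posted in this thread), the four steps above and the open questions from the first comment (a verified-email flag set on partner creation, a partner who already has a cart when the anonymous cart is transferred, and keeping the signin logic independent of JWT) modelled in plain Python against an in-memory stand-in for the Odoo env. `SigninIdentity`, `Store`, `signin`, the `email_verified` flag and the sample data are all assumptions of this example; the JWT adapter reads the standard OIDC claims `email`, `name` and `email_verified`.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Partner:
    id: int
    email: str
    name: str = ""
    anonymous: bool = False
    # Hypothetical flag from the "verified email" question: set only on
    # creation, from what the identity provider asserted about the address.
    email_verified: bool = False


@dataclass
class Cart:
    id: int
    partner_id: int
    lines: dict = field(default_factory=dict)  # product -> quantity (constructed)


@dataclass
class SigninIdentity:
    """What /signin needs about the caller, independent of the auth mechanism."""
    email: str
    name: str = ""
    email_verified: bool = False


def identity_from_jwt_payload(payload: dict) -> SigninIdentity:
    """Adapter for the JWT case; other auth backends would provide their own."""
    return SigninIdentity(email=payload["email"], name=payload.get("name", ""),
                          email_verified=bool(payload.get("email_verified", False)))


class Store:
    """Constructed stand-in for the Odoo env: partners, carts, cookie -> partner."""

    def __init__(self) -> None:
        self.partners: dict[int, Partner] = {}
        self.carts: dict[int, Cart] = {}
        self.anonymous_cookies: dict[str, int] = {}
        self._next_id = 1

    def _new_id(self) -> int:
        self._next_id += 1
        return self._next_id - 1

    def create_partner(self, email: str, name: str = "", anonymous: bool = False,
                       email_verified: bool = False) -> Partner:
        p = Partner(self._new_id(), email, name, anonymous, email_verified)
        self.partners[p.id] = p
        return p

    def create_anonymous_partner(self, cookie: str) -> Partner:
        p = self.create_partner(email="", anonymous=True)
        self.anonymous_cookies[cookie] = p.id
        return p

    def create_cart(self, partner_id: int, lines: dict) -> Cart:
        c = Cart(self._new_id(), partner_id, dict(lines))
        self.carts[c.id] = c
        return c

    def partner_by_email(self, email: str) -> Optional[Partner]:
        return next((p for p in self.partners.values()
                     if not p.anonymous and p.email == email), None)

    def cart_for(self, partner_id: int) -> Optional[Cart]:
        return next((c for c in self.carts.values() if c.partner_id == partner_id), None)

    def anonymous_partner_from_cookie(self, cookie: Optional[str]) -> Optional[Partner]:
        pid = self.anonymous_cookies.get(cookie) if cookie else None
        return self.partners.get(pid) if pid is not None else None


def signin(store: Store, identity: SigninIdentity,
           anonymous_cookie: Optional[str]) -> tuple[Partner, Optional[Cart], bool]:
    """Returns (partner, cart now attached to it, whether to clear the cookie)."""
    # 1. If the partner doesn't exist in the store yet: create it.
    partner = store.partner_by_email(identity.email)
    if partner is None:
        partner = store.create_partner(identity.email, identity.name,
                                       email_verified=identity.email_verified)
    anon = store.anonymous_partner_from_cookie(anonymous_cookie)
    if anon is not None:
        # 2. Transfer the anonymous cart, dropping any previous partner cart.
        anon_cart = store.cart_for(anon.id)
        if anon_cart is not None:
            previous = store.cart_for(partner.id)
            if previous is not None:
                del store.carts[previous.id]
            anon_cart.partner_id = partner.id
        # 3. Remove the anonymous partner (and its cookie mapping).
        del store.partners[anon.id]
        store.anonymous_cookies.pop(anonymous_cookie, None)
    # 4. Any anonymous cookie is stale after signin, even one that no longer
    #    resolved to a partner, so the caller is told to delete it when present.
    return partner, store.cart_for(partner.id), anonymous_cookie is not None


def demo() -> dict:
    """Constructed scenario: a guest with a cart signs in as a partner who
    already has an older cart of her own."""
    store = Store()
    alice = store.create_partner("alice@example.com", "Alice", email_verified=True)
    store.create_cart(alice.id, {"sku-b": 1})        # her previous cart
    guest = store.create_anonymous_partner("anon-cookie-1")
    store.create_cart(guest.id, {"sku-a": 2})        # what she added as a guest
    identity = identity_from_jwt_payload(
        {"email": "alice@example.com", "name": "Alice", "email_verified": True})
    partner, cart, clear = signin(store, identity, "anon-cookie-1")
    return {"partner_id": partner.id, "cart_lines": cart.lines if cart else None,
            "clear_cookie": clear, "partners_left": sorted(store.partners),
            "carts_left": len(store.carts)}
```

The policy in step 2 is the one stated above (the anonymous cart replaces the partner's previous cart); merging line quantities instead would be a one-line change in the same place, which is why the open question about a partner holding both carts is worth settling before the endpoint ships.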

@simahawk
Contributor

Can we avoid binding this to JWT only? This API should be shared across all kinds of auth types. Isn't it?

@sbidoul
Member Author

sbidoul commented Mar 15, 2024

> Can we avoid binding this to JWT only?

Maybe. I don't know how to generalize that yet, though. In shopinvader_api_signin_jwt, we use information contained in the authenticated JWT payload to create the partner (name, email).

I'd say we need someone to explore how it would work with another authentication mechanism first, and then we can look at unifying things, if at all possible.

That said, the logic to convert an anonymous partner/cart to a known one could live elsewhere than shopinvader_api_signin_jwt. Not quite sure where, though. This logic depends on shopinvader_anonymous_partner.

@hparfr
Contributor

hparfr commented Mar 18, 2024

For the record, our current implementation of this in v14 is #1251

We took care of some of the corner cases.

@sbidoul
Member Author

sbidoul commented Mar 18, 2024

> Not quite sure where, though

Maybe the logic to transfer a cart from one partner to another could go in sale_cart

@simahawk
Contributor

simahawk commented Apr 8, 2024

> Not quite sure where, though
>
> Maybe the logic to transfer a cart from one partner to another could go in sale_cart

I was thinking of this. To me it makes more sense.

> When /signin is called:
>
> 1. If the jwt partner doesn't exist in Odoo: create it

Regarding when to create the anon partner... When do you expect this to happen? (I've left a comment on the PR).
Do you expect to have a call to signin w/o customer details (eg: no email header in my case) before calling the cart endpoint?

A possible scenario could be that the customer clicks on "add to cart" and, if not authenticated, is asked to register or to continue as guest; if the latter choice is taken you call /signin. If this is the case I would say that it is better to have a specific endpoint for this (eg /signing/anon or /signin-anon).
