wip

Author: Julien00859

content/developer/reference/external_api.rst

@@ -1,22 +1,22 @@
-============
-External API
-============
+================
+External RPC API
+================
+
+.. deprecated:: 19.0
 
 Odoo is usually extended internally via modules, but many of its features and
 all of its data are also available from the outside for external analysis or
 integration with various tools. Part of the :ref:`reference/orm/model` API is
 easily available over XML-RPC_ and accessible from a variety of languages.
 
-.. important::
-   Starting with PHP8, the XML-RPC extension may not be available by default.
-   Check out the `manual <https://www.php.net/manual/en/xmlrpc.installation.php>`_
-   for the installation steps.
+Starting with PHP8, the XML-RPC extension may not be available by default.
+Check out the `manual <https://www.php.net/manual/en/xmlrpc.installation.php>`_
+for the installation steps.
 
-.. note::
-   Access to data via the external API is only available on *Custom* Odoo pricing plans. Access to
-   the external API is not available on *One App Free* or *Standard* plans. For more information
-   visit the `Odoo pricing page <https://www.odoo.com/pricing-plan>`_ or reach out to your Customer
-   Success Manager.
+Access to data via the external API is only available on *Custom* Odoo pricing plans. Access to
+the external API is not available on *One App Free* or *Standard* plans. For more information
+visit the `Odoo pricing page <https://www.odoo.com/pricing-plan>`_ or reach out to your Customer
+Success Manager.
 
 .. seealso::
    - :doc:`Tutorial on web services <../howtos/web_services>`

content/developer/reference/external_json2_api.rst

@@ -16,32 +16,96 @@ Request
 
 POST a json object at the ``/json/2/<model>/<method>`` URL. 
 
-.. code:: http
-
-   POST /json/2/res.partner/search_read HTTP/1.1
-   Host: mycompany.odoo.com
-   X-Odoo-Database: mycompany
-   Authorization: Bearer 6578616d706c65206a736f6e20617069206b6579
-   Content-Type: application/json; charset=utf-8
-   User-Agent: mysoftware python-requests/2.25.1
 
-   {
-      "ids": [],
-      "context": {
-         "lang": "en_US"
+.. tabs::
+
+   .. code-tab:: http
+
+      POST /json/2/res.partner/search_read HTTP/1.1
+      Host: mycompany.odoo.com
+      X-Odoo-Database: mycompany
+      Authorization: Bearer 6578616d706c65206a736f6e20617069206b6579
+      Content-Type: application/json; charset=utf-8
+      User-Agent: mysoftware python-requests/2.25.1
+
+      {
+         "ids": [],
+         "context": {
+            "lang": "en_US"
+         }
+         "domain": [
+            ["name", "ilike", "%deco%"],
+            ["is_company", "=", true]
+         ],
+         "fields": ["name"],
       }
-      "domain": [
-         ["name", "ilike", "%deco%"],
-         ["is_company", "=", true]
-      ],
-      "fields": ["name"],
-   }
+
+   .. code-tab:: python
+
+      import requests
+
+      HOST = "https://mycompany.odoo.com"
+      DATABASE = "mycompany"
+      API_KEY = ...  # get it from a secure location
+
+      response = requests.post(
+          HOST + "/json/2/res.partner/search_read",
+          headers={
+              "Authorization": f"Bearer {API_KEY}",
+              "X-Odoo-Database": DATABASE,
+          },
+          json={
+              "ids": [],
+              "context": {
+                  "lang": "en_US",
+              }
+              "domain": [
+                  ("name", "ilike", "%deco%"),
+                  ("is_company", "=", True),
+              ],
+              "fields": ["name"],
+          },
+      )
+      response.raise_for_status()
+      data = response.json()
+
+   .. code-tab:: javascript
+
+      (async () => {
+          const HOST = "https://mycompany.odoo.com";
+          const DATABASE = "mycompany";
+          const API_KEY = ;  // get it from a secure location
+
+          const request = {
+              method: "POST",
+              headers: {
+                  "Content-Type": "application/json",
+                  "Authorization": "Bearer " + API_KEY,
+                  "X-Odoo-Database": DATABASE,
+              },
+              body: {
+                  domain: [
+                      ["name", "ilike", "%deco%"],
+                      ["is_company", "=", true],
+                  ],
+                  fields: ["name"],
+              },
+          };
+    
+          const response = await fetch(HOST + "/json/2/res.partner/search_read", request);
+          if (response.ok) {
+              const data = await response.json();
+              console.log(data)
+          } else {
+              // Handle errors
+          }
+      })();
 
 The body must be a json-object containing the arguments for the model's method. Both ``ids`` and
 ``context`` are special arguments: they are used to craft the environment and recordset on which the
 method is executed.
 
-The headers ``Host``, ``Authorization`` (bearer + api key) and ``Content-Type`` are required. The 
+The headers ``Host``, ``Authorization`` with an API key and ``Content-Type`` are required. The 
 ``X-Odoo-Database`` header is only necessary when multiple databases are hosted behind a same
 ``Host``. A ``User-Agent`` with the name of the software where the request comes from is
 recommended.
@@ -67,7 +131,6 @@ A **200 OK** status with the method's return value serialized as json in the bod
       {"id": 25, "name": "Deco Addict"}
    ]
 
-
 Error
 -----
 
@@ -84,19 +147,6 @@ A **4xx**/**5xx** status with the error message serialized as a json string in t
 The complete traceback is available in the server log, at the same date as the error response.
 
 
-
-Database
-========
-
-Depending on the deploiement, the ``Host`` and/or ``X-Odoo-Database`` request headers might be
-required. The ``Host`` header is required on servers where Odoo is installed next to other web
-applications, so a web-server/reverse-proxy is able to route the request to the Odoo server. The
-``X-Odoo-Database`` header is required when a single Odoo server hosts multiple databases, and that
-:ref:`dbfilter` wasn't configured to use the ``Host`` header.
-
-Most HTTP client libraries automatically set the ``Host`` header using the connection url.
-
-
 API Key
 =======
 
@@ -119,13 +169,14 @@ Create a new API key for a user via :guilabel:`Preferences`, :guilabel:`Account
 
 A description and a duration are needed to create a new api key. The description makes it possible
 to identify the key, and to determine later whether the key is still in use or should be removed.
-It should be as clear and complete as possible. The duration determines the lifetime of the key
-after which the the key becomes invalid. It is recommended to set a short duration (typically 1 day)
-for interactive usage. It is not possible to create keys that last for more than 3 months, it means
-that long lasting keys must be rotated at least once every 3 months.
+The duration determines the lifetime of the key after which the the key becomes invalid. It is
+recommended to set a short duration (typically 1 day) for interactive usage. It is not possible to
+create keys that last for more than 3 months, it means that long lasting keys must be rotated at
+least once every 3 months.
 
-The :guilabel:`Generate Key` creates a 20 bytes (160 bits) strong random key. Its value appears on
-screen, this is the only time and place the key is visible on screen, it must be copied, kept secret and stored somewhere secure. If it ever gets compromized or lost, then it must be removed.
+The :guilabel:`Generate Key` creates a 160 bits strong random key. Its value appears on screen, this
+is the only time and place the key is visible on screen. It must be copied, kept secret and stored
+somewhere secure. If it ever gets compromized or lost, then it must be removed.
 
 Please refer to OWASP's `Secrets Management Cheat Sheet`_ for further guidance on the management of
 API keys.
@@ -137,8 +188,7 @@ Access Rights
 =============
 
 The JSON-2 API uses the standard :ref:`security <reference/security>` model of Odoo. All operations
-are validated against the access rights, record rules and field accesses granted to the current
-user. The current user is used as well for the :ref:`reference/fields/automatic/log_access`.
+are validated against the access rights, record rules and field accesses of the user.
 
 For **interfactive usage**, such as discovering the API or running one-time scripts, it is fine to
 use a **personal account**.
@@ -151,12 +201,23 @@ Using dedicated bot users has several benefits:
 * The minimum required permissions can be granted to the bot, limiting the impact may the API key
   gets compromised;
 * The password can be set empty to disable login/password authentication, limiting the likelihood
-  the account get compromized;
-* The :ref:`reference/fields/automatic/log_access` use the bot account. No internal user gets
-  impersonalized.
+  the account gets compromized;
+* The :ref:`reference/fields/automatic/log_access` use the bot account. No user gets impersonalized.
+
+
+Database
+========
+
+Depending on the deploiement, the ``Host`` and/or ``X-Odoo-Database`` request headers might be
+required. The ``Host`` header is required on servers where Odoo is installed next to other web
+applications, so a web-server/reverse-proxy is able to route the request to the Odoo server. The
+``X-Odoo-Database`` header is required when a single Odoo server hosts multiple databases, and that
+:ref:`dbfilter` wasn't configured to use the ``Host`` header.
+
+Most HTTP client libraries automatically set the ``Host`` header using the connection url.
 
 
 Transaction
 ===========
 
-.. TODO
+