From aabef97f548f780934d1fd72d87fab5108b8a675 Mon Sep 17 00:00:00 2001 
From: thienvh Date: Fri, 16 Jan 2026 14:09:45 +0700 Subject: [PATCH] [ADD] auth_session_logout_api --- auth_session_logout_api/README.rst | 177 +++++++++++++++++ auth_session_logout_api/__init__.py | 2 + auth_session_logout_api/__manifest__.py | 21 ++ .../controllers/__init__.py | 1 + auth_session_logout_api/controllers/main.py | 188 ++++++++++++++++++ auth_session_logout_api/models/__init__.py | 3 + .../models/auth_session_logout_audit.py | 35 ++++ .../models/res_config_settings.py | 25 +++ auth_session_logout_api/models/res_users.py | 49 +++++ auth_session_logout_api/readme/CONFIGURE.rst | 23 +++ .../readme/CONTRIBUTORS.rst | 2 + .../readme/DESCRIPTION.rst | 12 ++ auth_session_logout_api/readme/USAGE.rst | 58 ++++++ .../security/ir.model.access.csv | 2 + auth_session_logout_api/security/security.xml | 20 ++ .../static/description/icon.png | Bin 0 -> 9455 bytes .../static/description/index.html | 92 +++++++++ auth_session_logout_api/tests/__init__.py | 1 + .../tests/test_force_logout.py | 140 +++++++++++++ .../views/auth_session_logout_audit_views.xml | 130 ++++++++++++ .../views/res_config_settings_views.xml | 73 +++++++ .../odoo/addons/auth_session_logout_api | 1 + setup/auth_session_logout_api/setup.py | 6 + 23 files changed, 1061 insertions(+) create mode 100644 auth_session_logout_api/README.rst create mode 100644 auth_session_logout_api/__init__.py create mode 100644 auth_session_logout_api/__manifest__.py create mode 100644 auth_session_logout_api/controllers/__init__.py create mode 100644 auth_session_logout_api/controllers/main.py create mode 100644 auth_session_logout_api/models/__init__.py create mode 100644 auth_session_logout_api/models/auth_session_logout_audit.py create mode 100644 auth_session_logout_api/models/res_config_settings.py create mode 100644 auth_session_logout_api/models/res_users.py create mode 100644 auth_session_logout_api/readme/CONFIGURE.rst create mode 100644 auth_session_logout_api/readme/CONTRIBUTORS.rst create mode 100644 
auth_session_logout_api/readme/DESCRIPTION.rst create mode 100644 auth_session_logout_api/readme/USAGE.rst create mode 100644 auth_session_logout_api/security/ir.model.access.csv create mode 100644 auth_session_logout_api/security/security.xml create mode 100644 auth_session_logout_api/static/description/icon.png create mode 100644 auth_session_logout_api/static/description/index.html create mode 100644 auth_session_logout_api/tests/__init__.py create mode 100644 auth_session_logout_api/tests/test_force_logout.py create mode 100644 auth_session_logout_api/views/auth_session_logout_audit_views.xml create mode 100644 auth_session_logout_api/views/res_config_settings_views.xml create mode 120000 setup/auth_session_logout_api/odoo/addons/auth_session_logout_api create mode 100644 setup/auth_session_logout_api/setup.py diff --git a/auth_session_logout_api/README.rst b/auth_session_logout_api/README.rst new file mode 100644 index 0000000000..b84bb7e070 --- /dev/null +++ b/auth_session_logout_api/README.rst 
@@ -0,0 +1,177 @@ +========================= +Force User Session Logout +========================= + +.. + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! source digest: sha256:placeholder + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github + :target: https://github.com/OCA/server-auth/tree/16.0/auth_session_logout_api + :alt: OCA/server-auth +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_session_logout_api + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png + :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0 + :alt: Try me on Runboat + +|badge1| |badge2| |badge3| |badge4| |badge5| + +This module provides a secure API endpoint to force logout user sessions remotely. + +**Features:** + +* Token-based authentication via HTTP headers (prevents token exposure in logs) +* Supports both custom header and standard Bearer authentication +* Lookup users by login or email (case insensitive) +* Comprehensive audit logging for all API requests +* Session invalidation via Odoo's session token mechanism + +When a force logout is triggered, the module updates a special field that is part of the session token computation. 
+This invalidates all existing sessions for the target user, forcing them to re-authenticate. + +**Table of contents** + +.. contents:: + :local: + +Configuration +============= + +This module uses the standard **Administration / Settings** group (``base.group_system``) +for access control. Only users with this group can: + +* View and generate the force logout API token +* View all audit logs + +To generate the API token: + +#. Go to **Settings** → **General Settings** +#. Find the **Force Session Logout** section +#. Click **Generate Token** to create a new secure token +#. Copy the token and store it securely for use in API calls + +**Security considerations:** + +* The token is transmitted via HTTP headers (not URL) to prevent exposure in logs +* Store the token securely and rotate it periodically +* Consider implementing rate limiting at the reverse proxy level +* All API calls are logged for auditing purposes + +To view audit logs: + +#. Go to **Settings** → **Technical** → **Security** → **Force Logout Audit** + +Usage +===== + +API Endpoint +~~~~~~~~~~~~ + +To force logout a user, make a POST request to:: + + POST /web/session/force_logout?user=LOGIN_OR_EMAIL + +**Authentication:** + +The API uses token-based authentication via HTTP headers. You can use either: + +* ``X-Force-Logout-Token: TOKEN`` - Custom header +* ``Authorization: Bearer TOKEN`` - Standard Bearer authentication + +**Parameters:** + +* ``user`` (required): User login or email address to force logout (query parameter) + +**Example using cURL:** + +.. code-block:: bash + + # Using X-Force-Logout-Token header + curl -X POST "https://your-odoo.com/web/session/force_logout?user=john.doe" \ + -H "X-Force-Logout-Token: your-secure-token" + + # Using Authorization Bearer header + curl -X POST "https://your-odoo.com/web/session/force_logout?user=john@example.com" \ + -H "Authorization: Bearer your-secure-token" + +**Response Codes:** + +* ``200 OK`` - User successfully logged out + + .. 
code-block:: json + + {"success": true, "message": "User \"john.doe\" has been logged out successfully"} + +* ``401 Unauthorized`` - Invalid or missing token + + .. code-block:: json + + {"error": "Unauthorized", "message": "Invalid or missing authentication token"} + +* ``404 Not Found`` - User not found + + .. code-block:: json + + {"error": "User not found", "message": "User with login or email \"unknown\" not found"} + +* ``500 Internal Server Error`` - Server error + +Viewing Audit Logs +~~~~~~~~~~~~~~~~~~ + +#. Go to **Settings** → **Technical** → **Security** → **Force Logout Audit** +#. View the list of all force logout operations +#. Use filters to search by status, date, or target user + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +~~~~~~~ + +* Kencove + +Contributors +~~~~~~~~~~~~ + +* Thien Vo +* Chau Le + +Maintainers +~~~~~~~~~~~ + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +This module is part of the `OCA/server-auth `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/auth_session_logout_api/__init__.py b/auth_session_logout_api/__init__.py new file mode 100644 index 0000000000..f7209b1710 --- /dev/null +++ b/auth_session_logout_api/__init__.py @@ -0,0 +1,2 @@ +from . import models +from . import controllers 
diff --git a/auth_session_logout_api/__manifest__.py b/auth_session_logout_api/__manifest__.py
new file mode 100644
index 0000000000..63ad92abd4
--- /dev/null
+++ b/auth_session_logout_api/__manifest__.py
@@ -0,0 +1,21 @@
+# Copyright 2026 Kencove (https://www.kencove.com)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+{
+ "name": "Force User Session Logout",
+ "summary": "Force logout user sessions via secure API endpoint",
+ "version": "16.0.1.0.0",
+ "category": "Tools",
+ "website": "https://github.com/OCA/server-auth",
+ "author": "Kencove, Odoo Community Association (OCA)",
+ "license": "AGPL-3",
+ "installable": True,
+ "depends": [
+ "base_setup",
+ ],
+ "data": [
+ "security/security.xml",
+ "security/ir.model.access.csv",
+ "views/auth_session_logout_audit_views.xml",
+ "views/res_config_settings_views.xml",
+ ],
+}
diff --git a/auth_session_logout_api/controllers/__init__.py b/auth_session_logout_api/controllers/__init__.py
new file mode 100644
index 0000000000..12a7e529b6
--- /dev/null
+++ b/auth_session_logout_api/controllers/__init__.py
@@ -0,0 +1 @@
+from . import main
diff --git a/auth_session_logout_api/controllers/main.py b/auth_session_logout_api/controllers/main.py
new file mode 100644
index 0000000000..b27c689cbe
--- /dev/null
+++ b/auth_session_logout_api/controllers/main.py
@@ -0,0 +1,188 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import logging
+import secrets
+
+from odoo import http
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+class SessionLogoutController(http.Controller):
+
+ _USER_AGENT_MAX_LENGTH = 200
+ _ERROR_MESSAGE_MAX_LENGTH = 500
+
+ def _get_request_info(self):
+ """Get common request information for audit logging"""
+ return {
+ "request_ip": request.httprequest.environ.get("REMOTE_ADDR", "Unknown"),
+ "user_agent": request.httprequest.environ.get("HTTP_USER_AGENT", "")[
+ : self._USER_AGENT_MAX_LENGTH
+ ],
+ }
+
+ def _create_audit_log(self, status, target_user=None, error_message=None):
+ """Create audit log entry"""
+ vals = {
+ **self._get_request_info(),
+ "status": status,
+ }
+ if target_user:
+ vals["target_user_id"] = target_user.id
+ if error_message:
+ vals["error_message"] = str(error_message)[: self._ERROR_MESSAGE_MAX_LENGTH]
+ return request.env["auth.session.logout.audit"].sudo().create(vals)
+
+ def _get_token_from_header(self):
+ """Extract token from HTTP header.
+
+ Supports both 'X-Force-Logout-Token' header and 'Authorization: Bearer' header.
+ """
+ # Check X-Force-Logout-Token header first
+ token = request.httprequest.headers.get("X-Force-Logout-Token")
+ if token:
+ return token
+
+ # Fall back to Authorization header with Bearer scheme
+ auth_header = request.httprequest.headers.get("Authorization", "")
+ if auth_header.startswith("Bearer "):
+ return auth_header[7:] # Remove "Bearer " prefix
+
+ return None
+
+ def _validate_token(self, token):
+ """Validate the provided token against system parameter"""
+ if not token:
+ return False
+
+ system_token = (
+ request.env["ir.config_parameter"]
+ .sudo()
+ .get_param("auth_session_logout_api.token")
+ )
+ if not system_token:
+ _logger.error("Logout token not configured")
+ return False
+
+ return secrets.compare_digest(token, system_token)
+
+ def _find_user(self, user_identifier):
+ """Find user by login or email (case insensitive)"""
+ if not user_identifier:
+ return None
+
+ ResUsers = request.env["res.users"].sudo()
+
+ # Try by login first (case insensitive)
+ user = ResUsers.search([("login", "=ilike", user_identifier)], limit=1)
+
+ if not user:
+ # Try by email (case insensitive)
+ user = ResUsers.search([("email", "=ilike", user_identifier)], limit=1)
+
+ return user
+
+ def _force_user_logout(self, user):
+ """Force logout of all sessions for the user"""
+ try:
+ # Use dedicated method to handle logout and counter increment
+ user.with_context(
+ auth_session_logout_api_call=True
+ ).sudo().action_force_logout()
+
+ self._create_audit_log("success", target_user=user)
+ _logger.info(
+ "Force logout triggered for user %s from IP %s",
+ user.login,
+ request.httprequest.environ.get("REMOTE_ADDR"),
+ )
+ return True
+
+ except Exception as e:
+ _logger.exception("Failed to force logout for user %s", user.login)
+ self._create_audit_log("error", target_user=user, error_message=str(e))
+ return False
+
+ @http.route(
+ "/web/session/force_logout",
+ type="http",
+ auth="none",
+ methods=["POST"],
+ csrf=False,
+ )
+ def force_logout(self, 
user=None, **kwargs):
+ """Force logout of user sessions
+
+ Authentication is done via HTTP headers:
+ - X-Force-Logout-Token: TOKEN
+ - Or: Authorization: Bearer TOKEN
+
+ Args:
+ user (str): User login or email to logout (query param or form data)
+
+ Returns:
+ JSON response with success/error status
+ """
+ try:
+ # Get token from header and validate
+ # Avoid using the token from request parameters to prevent it
+ # from being exposed in the URL and logs.
+ token = self._get_token_from_header()
+ if not self._validate_token(token):
+ self._create_audit_log(
+ "unauthorized", error_message="Invalid or missing token"
+ )
+ return request.make_json_response(
+ {
+ "error": "Unauthorized",
+ "message": "Invalid or missing authentication token",
+ },
+ status=401,
+ )
+
+ # Find user
+ target_user = self._find_user(user)
+ if not target_user:
+ self._create_audit_log(
+ "user_not_found",
+ error_message=f"User not found: {user}",
+ )
+ return request.make_json_response(
+ {
+ "error": "User not found",
+ "message": f'User with login or email "{user}" not found',
+ },
+ status=404,
+ )
+
+ # Force logout
+ if self._force_user_logout(target_user):
+ return request.make_json_response(
+ {
+ "success": True,
+ "message": f"User '{target_user.login}' has been logged out"
+ " successfully",
+ }
+ )
+ else:
+ return request.make_json_response(
+ {
+ "error": "Internal error",
+ "message": "Failed to logout user. Please check logs for details.",
+ },
+ status=500,
+ )
+
+ except Exception as e:
+ _logger.exception("Unexpected error in force_logout")
+ self._create_audit_log("error", error_message=str(e))
+ return request.make_json_response(
+ {
+ "error": "Internal server error",
+ "message": "An unexpected error occurred. Please contact administrator.",
+ },
+ status=500,
+ )
diff --git a/auth_session_logout_api/models/__init__.py b/auth_session_logout_api/models/__init__.py
new file mode 100644
index 0000000000..4a0b8e1f7e
--- /dev/null
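Review bot: `_find_user` passes the caller-supplied identifier straight into `=ilike`, and to my reading of Odoo's `expression.py` the `=like`/`=ilike` operators hand the value to SQL ILIKE unchanged, so `%` and `_` in the identifier act as wildcards — a request with `user=%` logs out whichever user the `limit=1` search returns first instead of answering 404. Escape the pattern characters before searching (rewrite below), or alternatively verify `user.login`/`user.email` equals the identifier case-insensitively after the search; note also that partner emails are not unique, so the email fallback with `limit=1` can silently pick a different account than intended. Separately, `_validate_token` calls `secrets.compare_digest` on two `str` values, which raises `TypeError` when the header contains a non-ASCII character; that is caught by the outer `except Exception` in `force_logout` and answered with a 500 plus an `error` audit row rather than 401 — compare bytes instead: `return secrets.compare_digest(token.encode("utf-8"), system_token.encode("utf-8"))`. Finally, `REMOTE_ADDR` in `_get_request_info` is the reverse proxy's address unless Odoo runs with `proxy_mode`, so the audit IP is only meaningful in that configuration and CONFIGURE.rst should say so.
```python
    def _find_user(self, user_identifier):
        """Find user by login or email (case insensitive, exact match)."""
        if not user_identifier:
            return None

        # "=ilike" passes the value to SQL ILIKE without escaping, so "%" and
        # "_" in the identifier would act as wildcards; escape them so only an
        # exact (case-insensitive) login or email can match.
        pattern = (
            user_identifier.replace("\\", "\\\\")
            .replace("%", "\\%")
            .replace("_", "\\_")
        )

        ResUsers = request.env["res.users"].sudo()

        # Try by login first (case insensitive)
        user = ResUsers.search([("login", "=ilike", pattern)], limit=1)

        if not user:
            # Try by email (case insensitive)
            user = ResUsers.search([("email", "=ilike", pattern)], limit=1)

        return user
```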
+++ b/auth_session_logout_api/models/__init__.py
@@ -0,0 +1,3 @@
+from . import res_config_settings
+from . import res_users
+from . import auth_session_logout_audit
diff --git a/auth_session_logout_api/models/auth_session_logout_audit.py b/auth_session_logout_api/models/auth_session_logout_audit.py
new file mode 100644
index 0000000000..161b279e35
--- /dev/null
+++ b/auth_session_logout_api/models/auth_session_logout_audit.py
@@ -0,0 +1,35 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import fields, models
+
+
+class AuthSessionLogoutAudit(models.Model):
+ _name = "auth.session.logout.audit"
+ _description = "Force Session Logout Audit Log"
+ _order = "create_date desc"
+
+ target_user_id = fields.Many2one(
+ "res.users",
+ string="Target User",
+ ondelete="set null",
+ )
+ target_user_login = fields.Char(
+ related="target_user_id.login",
+ store=True,
+ )
+ request_ip = fields.Char(
+ string="Request IP Address",
+ )
+ user_agent = fields.Char()
+ status = fields.Selection(
+ [
+ ("success", "Success"),
+ ("unauthorized", "Unauthorized"),
+ ("user_not_found", "User Not Found"),
+ ("error", "Error"),
+ ],
+ required=True,
+ default="success",
+ )
+ error_message = fields.Text()
diff --git a/auth_session_logout_api/models/res_config_settings.py b/auth_session_logout_api/models/res_config_settings.py
new file mode 100644
index 0000000000..9adc6eab0d
--- /dev/null
+++ b/auth_session_logout_api/models/res_config_settings.py
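Review bot: `target_user_login` is a stored `related` field, so it follows later renames of the user's login and is emptied when the user is deleted (`ondelete="set null"` on `target_user_id`), leaving audit rows that no longer say who was logged out; an audit trail should snapshot the value at write time. Replace it with a plain `target_user_login = fields.Char(string="Target User Login", readonly=True)` and have the controller fill it next to `target_user_id` (`vals["target_user_login"] = target_user.login`). The other columns (`request_ip`, `user_agent`, `status`, `error_message`) should likewise carry `readonly=True` so the form view cannot rewrite history, and `default="success"` on `status` is misleading for a record that is only ever created with an explicit status by the controller.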
@@ -0,0 +1,25 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import secrets
+
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+ _inherit = "res.config.settings"
+
+ auth_session_logout_token = fields.Char(
+ string="Force Logout Token",
+ config_parameter="auth_session_logout_api.token",
+ help="Secure token used to authenticate force logout API requests",
+ )
+
+ def action_generate_token(self):
+ """Generate a new secure token"""
+ new_token = secrets.token_urlsafe(32)
+ self.env["ir.config_parameter"].sudo().set_param(
+ "auth_session_logout_api.token", new_token
+ )
+ self.auth_session_logout_token = new_token
+ return True
diff --git a/auth_session_logout_api/models/res_users.py b/auth_session_logout_api/models/res_users.py
new file mode 100644
index 0000000000..84224b567f
--- /dev/null
+++ b/auth_session_logout_api/models/res_users.py
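Review bot: `action_generate_token` performs the privileged write (`sudo().set_param`) and then exposes the fresh secret on the transient record without checking who is calling; `res.config.settings.execute` is guarded by `base.group_system`, but this button method has no guard of its own. If a non-admin can create a `res.config.settings` record and call the method over RPC (transient models are not covered by `ir.model.access` in this Odoo series, as far as I recall — please confirm), that user can both rotate the token and read the new value back from `auth_session_logout_token`, which is all that is needed to call the force-logout endpoint. Add an explicit check at the top: `if not self.env.is_admin() and not self.env.user.has_group("base.group_system"):` / `    raise AccessError(_("Only administrators can generate the force logout token."))`, importing `AccessError` and `_`. The plaintext token in `ir.config_parameter` is readable by every settings-level user; that is acceptable for a shared API secret but CONFIGURE.rst should state it.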
@@ -0,0 +1,49 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import uuid
+
+from odoo import _, api, fields, models
+from odoo.exceptions import AccessError
+
+
+class ResUsers(models.Model):
+ _inherit = "res.users"
+
+ session_logout_key = fields.Char(
+ copy=False,
+ help="Random key included in session token computation. "
+ "Changing this value invalidates all existing sessions for the user.",
+ )
+ force_logout_count = fields.Integer(
+ help="Number of times this user has been force logged out",
+ default=0,
+ copy=False,
+ )
+
+ @api.model
+ def _get_session_token_fields(self):
+ """Add session_logout_key to session token computation."""
+ return super()._get_session_token_fields() | {"session_logout_key"}
+
+ def action_force_logout(self):
+ """Force logout all user sessions by changing session_logout_key.
+
+ Only users with Administration/Settings group can call this method.
+ External systems should use the API endpoint with token authentication.
+ """
+ self.ensure_one()
+ if not self.env.context.get("auth_session_logout_api_call", False):
+ user = self.env["res.users"].browse(self.env.uid)
+ if not user.has_group("base.group_system"):
+ raise AccessError(_("Only administrators can force logout users."))
+
+ # Generate new random key to invalidate all existing sessions
+ new_key = uuid.uuid4().hex
+ self.sudo().write(
+ {
+ "session_logout_key": new_key,
+ "force_logout_count": self.force_logout_count + 1,
+ }
+ )
+ return True
diff --git a/auth_session_logout_api/readme/CONFIGURE.rst b/auth_session_logout_api/readme/CONFIGURE.rst
new file mode 100644
index 0000000000..236ce95005
--- /dev/null
+++ b/auth_session_logout_api/readme/CONFIGURE.rst
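Review bot: `action_force_logout` skips the `base.group_system` check whenever `auth_session_logout_api_call` is present in the context, but the context is client-supplied — any RPC caller can pass `context={"auth_session_logout_api_call": True}` to `call_kw` and reach the `self.sudo().write(...)` that invalidates another user's sessions, so the check protects nothing. A context key must not act as an authorization signal; move the privileged write into a private helper (private methods are rejected by `call_kw`, so they are unreachable over RPC) and keep the group check in the public method unconditional, as below. The controller's `_force_user_logout` in `controllers/main.py` then calls `user.sudo()._force_logout()` instead of `user.with_context(auth_session_logout_api_call=True).sudo().action_force_logout()`. Since `session_logout_key` is only ever set to a random value, consider `groups="base.group_system"` on the field as well so ordinary users cannot read it.
```python
    def action_force_logout(self):
        """Force logout all user sessions by changing session_logout_key.

        Only users with Administration/Settings group can call this method.
        The force-logout API controller calls ``_force_logout`` directly.
        """
        self.ensure_one()
        user = self.env["res.users"].browse(self.env.uid)
        if not user.has_group("base.group_system"):
            raise AccessError(_("Only administrators can force logout users."))
        return self._force_logout()

    def _force_logout(self):
        """Rotate ``session_logout_key`` for this user.

        Private on purpose: it is not callable over RPC, so the caller (the
        public method above or the token-authenticated controller) is
        responsible for authorization.
        """
        self.ensure_one()
        # Generate new random key to invalidate all existing sessions
        self.sudo().write(
            {
                "session_logout_key": uuid.uuid4().hex,
                "force_logout_count": self.force_logout_count + 1,
            }
        )
        return True
```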
@@ -0,0 +1,23 @@ +This module uses the standard **Administration / Settings** group (``base.group_system``) +for access control. Only users with this group can: + +* View and generate the force logout API token +* View all audit logs + +To generate the API token: + +#. Go to **Settings** → **General Settings** +#. Find the **Force Session Logout** section +#. Click **Generate Token** to create a new secure token +#. Copy the token and store it securely for use in API calls + +**Security considerations:** + +* The token is transmitted via HTTP headers (not URL) to prevent exposure in logs +* Store the token securely and rotate it periodically +* Consider implementing rate limiting at the reverse proxy level +* All API calls are logged for auditing purposes + +To view audit logs: + +#. Go to **Settings** → **Technical** → **Security** → **Force Logout Audit** diff --git a/auth_session_logout_api/readme/CONTRIBUTORS.rst b/auth_session_logout_api/readme/CONTRIBUTORS.rst new file mode 100644 index 0000000000..d6ae8cbf2b --- /dev/null +++ b/auth_session_logout_api/readme/CONTRIBUTORS.rst @@ -0,0 +1,2 @@ +* Thien Vo +* Chau Le diff --git a/auth_session_logout_api/readme/DESCRIPTION.rst b/auth_session_logout_api/readme/DESCRIPTION.rst new file mode 100644 index 0000000000..0895339838 --- /dev/null +++ b/auth_session_logout_api/readme/DESCRIPTION.rst 
@@ -0,0 +1,12 @@ +This module provides a secure API endpoint to force logout user sessions remotely. + +**Features:** + +* Token-based authentication via HTTP headers (prevents token exposure in logs) +* Supports both custom header and standard Bearer authentication +* Lookup users by login or email (case insensitive) +* Comprehensive audit logging for all API requests +* Session invalidation via Odoo's session token mechanism + +When a force logout is triggered, the module updates a special field that is part of the session token computation. +This invalidates all existing sessions for the target user, forcing them to re-authenticate. diff --git a/auth_session_logout_api/readme/USAGE.rst b/auth_session_logout_api/readme/USAGE.rst new file mode 100644 index 0000000000..10569b73be --- /dev/null +++ b/auth_session_logout_api/readme/USAGE.rst 
@@ -0,0 +1,58 @@ +API Endpoint +~~~~~~~~~~~~ + +To force logout a user, make a POST request to:: + + POST /web/session/force_logout?user=LOGIN_OR_EMAIL + +**Authentication:** + +The API uses token-based authentication via HTTP headers. You can use either: + +* ``X-Force-Logout-Token: TOKEN`` - Custom header +* ``Authorization: Bearer TOKEN`` - Standard Bearer authentication + +**Parameters:** + +* ``user`` (required): User login or email address to force logout (query parameter) + +**Example using cURL:** + +.. code-block:: bash + + # Using X-Force-Logout-Token header + curl -X POST "https://your-odoo.com/web/session/force_logout?user=john.doe" \ + -H "X-Force-Logout-Token: your-secure-token" + + # Using Authorization Bearer header + curl -X POST "https://your-odoo.com/web/session/force_logout?user=john@example.com" \ + -H "Authorization: Bearer your-secure-token" + +**Response Codes:** + +* ``200 OK`` - User successfully logged out + + .. code-block:: json + + {"success": true, "message": "User \"john.doe\" has been logged out successfully"} + +* ``401 Unauthorized`` - Invalid or missing token + + .. code-block:: json + + {"error": "Unauthorized", "message": "Invalid or missing authentication token"} + +* ``404 Not Found`` - User not found + + .. code-block:: json + + {"error": "User not found", "message": "User with login or email \"unknown\" not found"} + +* ``500 Internal Server Error`` - Server error + +Viewing Audit Logs +~~~~~~~~~~~~~~~~~~ + +#. Go to **Settings** → **Technical** → **Security** → **Force Logout Audit** +#. View the list of all force logout operations +#. Use filters to search by status, date, or target user diff --git a/auth_session_logout_api/security/ir.model.access.csv b/auth_session_logout_api/security/ir.model.access.csv new file mode 100644 index 0000000000..99def48ab9 --- /dev/null +++ b/auth_session_logout_api/security/ir.model.access.csv 
@@ -0,0 +1,2 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_auth_session_logout_audit_admin,auth.session.logout.audit.admin,model_auth_session_logout_audit,base.group_system,1,1,1,1 diff --git a/auth_session_logout_api/security/security.xml b/auth_session_logout_api/security/security.xml new file mode 100644 index 0000000000..be1bc675ff --- /dev/null +++ b/auth_session_logout_api/security/security.xml @@ -0,0 +1,20 @@ + + + + + + Force Logout Audit: Block all by default + + [(0, '=', 1)] + + + + + + Force Logout Audit: Admin see all logs + + [(1, '=', 1)] + + + 
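Review bot: The single ACL line grants `base.group_system` write and unlink on `model_auth_session_logout_audit` (`...,base.group_system,1,1,1,1`), so an administrator can edit or delete force-logout audit rows from the UI, which weakens the tamper-evidence an audit trail is meant to provide. The tests create audit rows through `.sudo()`, which suggests the controller does the same and bypasses this ACL; in that case the group needs only read access: `access_auth_session_logout_audit_admin,auth.session.logout.audit.admin,model_auth_session_logout_audit,base.group_system,1,0,0,0`. If records must be purged for retention, a scheduled action running as superuser keeps that path separate from interactive edits.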
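Review bot: The "Block all by default" rule with domain `[(0, '=', 1)]` only composes with the "Admin see all logs" rule `[(1, '=', 1)]` if it is bound to a group; the XML attributes are not visible in this rendering, so this may already be the case. Odoo treats a rule without a `groups` attribute as global and ANDs it with the union of the group rules, so a global always-false rule denies every non-superuser, including `base.group_system` members, whatever the admin rule grants. If the blocking rule is meant as the default for ordinary users, attach it to `base.group_user` and the permissive one to `base.group_system` so the two are ORed; if the model is admin-only, the blocking rule is redundant because the ACL in `ir.model.access.csv` already grants access to `base.group_system` alone.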
diff --git a/auth_session_logout_api/static/description/icon.png b/auth_session_logout_api/static/description/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d GIT binary patch literal 9455 zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}d0jUxM@u(PQx^-s)697TX`ehR4?GS^qbkof1cslKgkU)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~! zVpnB`o+K7|Al`Q_U;eD$B zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__ zc+blN2UAB0=617@>_u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_ zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)( z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx zOGVPhVRTGPtv0o}RfVP;Nd(|CB)I;*t&QO8h zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9 zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz# z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7tF#6nHA zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K= z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C zuVl&0duN<;uOsB3%T9Fp8t{ED108<+W(nOZd?gDnfNBC3>M8WE61$So|P zVvqH0SNtDTcsUdzaMDpT=Ty0pDHHNL@Z0w$Y`XO z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1 zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_ zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8 zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ> zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}aRBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN 
z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=@hbCRcfT5jigwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&BE*}XfU|H&(FssBqY=hPCt`d zH?@s2>I(|;fcW&YM6#V#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD z#z-)AXwSRY?OPefw^iI+ z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd z$6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$ z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV z@;rlc*NRK7i3y5BETSKuumEN`Xu_8GP1Ri=OKQ$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6 zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5#ZRj8kg}dS7_V&^%#Do==#`u zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK#HN`!1vBJHnC+RM&yIh8{gG2q zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH zVWo*OwYElb#uyW{Imam6f2rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+ z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC) zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#Boo{AH8n$a zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x! 
zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X zZ3WYJtHp_ri(}SQAPjv+Y+0=fH4krOP@S&=zZ-t1jW1o@}z;xk8 z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n= z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~NBvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z zzCR$P#uktu+#!w)cX!lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@ zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y< zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6 zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6% z2(}&uGRF;p92eS*sE*oR$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(| z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4PdpwWDop%^}n;dD#K4s#DYA8SHZ z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^WYu2u5kubqmwp%drJ6 z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d} z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&YOi-3|1QKB z z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@QS0TEL_?njX|@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6# z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f# zuT7fvjSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv! 
zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8ul%rG z-wfS zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9 z^zP;K#|)$`^Rb{rnHGH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE# z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8etW=xJvni)8eHi`H$%#zn^WJ5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01Fmx5XbRo6+n|pP(&nodMoap^z{~q ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k zQ^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1 zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}26NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$ zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV( z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4 z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_NhT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{ zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*vIg?@fVFSmMpaw0qtTRbx} z({Pg?#{2`sc9)M5N$*N|4;^t$+QP?#mov zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22 zc2Ix|App^>v6(3L_MCU0d3W##AB0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t< z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{} zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N Xviia!U7SGha1wx#SCgwmn*{w2TRX*I literal 0 HcmV?d00001 diff --git a/auth_session_logout_api/static/description/index.html b/auth_session_logout_api/static/description/index.html new file mode 100644 index 0000000000..205b499275 --- /dev/null 
+++ b/auth_session_logout_api/static/description/index.html @@ -0,0 +1,92 @@ + + + + + Force User Session Logout + + + +

Force User Session Logout

+ +

+ Beta + AGPL-3 +

+ +

This module provides a secure API endpoint to force logout user sessions remotely.

+ +

Features

+
    +
  • Token-based authentication for API security
  • +
  • Lookup users by login or email (case insensitive)
  • +
  • Comprehensive audit logging
  • +
  • Session invalidation via Odoo's session token mechanism
  • +
+ +

API Usage

+
GET /web/session/force_logout?token=TOKEN&user=LOGIN_OR_EMAIL
+ +

Example

+
curl "https://your-odoo.com/web/session/force_logout?token=abc123&user=demo"
+ +

Response Codes

+
    +
  • 200 - User successfully logged out
  • +
  • 401 - Invalid or missing token
  • +
  • 404 - User not found
  • +
  • 500 - Server error
  • +
+ +

Configuration

+
    +
  1. Go to SettingsGeneral Settings
  2. +
  3. Find the Force Session Logout section
  4. +
  5. Click Generate Token to create a new secure token
  6. +
+ +

Credits

+

Contributors

+ + +

Maintainer

+

+ This module is maintained by the + Odoo Community Association (OCA). +

+
+
diff --git a/auth_session_logout_api/tests/__init__.py b/auth_session_logout_api/tests/__init__.py
new file mode 100644
index 0000000000..7087f936bb
--- /dev/null
+++ b/auth_session_logout_api/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_force_logout
diff --git a/auth_session_logout_api/tests/test_force_logout.py b/auth_session_logout_api/tests/test_force_logout.py
new file mode 100644
index 0000000000..fa4e152662
--- /dev/null
+++ b/auth_session_logout_api/tests/test_force_logout.py
@@ -0,0 +1,140 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import secrets
+
+from odoo.tests import tagged
+from odoo.tests.common import TransactionCase
+
+
+@tagged("post_install", "-at_install")
+class TestForceLogout(TransactionCase):
+    """Tests for force logout functionality"""
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.test_token = "test_token_12345"
+        cls.env["ir.config_parameter"].sudo().set_param(
+            "auth_session_logout_api.token", cls.test_token
+        )
+        # Create test user
+        cls.test_user = cls.env["res.users"].create(
+            {
+                "name": "Test User",
+                "login": "testuser",
+                "email": "test@example.com",
+            }
+        )
+
+    def test_token_validation_valid(self):
+        """Test token validation with valid token"""
+        result = secrets.compare_digest(self.test_token, self.test_token)
+        self.assertTrue(result)
+
+    def test_token_validation_invalid(self):
+        """Test token validation with invalid token"""
+        result = secrets.compare_digest("invalid_token", self.test_token)
+        self.assertFalse(result)
+
+    def test_find_user_by_login(self):
+        """Test finding user by login"""
+        user = (
+            self.env["res.users"]
+            .sudo()
+            .search([("login", "=ilike", "testuser")], limit=1)
+        )
+        self.assertEqual(user, self.test_user)
+
+    def test_find_user_by_email(self):
+        """Test finding user by email"""
+        user = (
+            self.env["res.users"]
+            .sudo()
+            .search([("email", "=ilike", "test@example.com")], limit=1)
+        )
+        self.assertEqual(user, self.test_user)
+
+    def test_find_user_case_insensitive(self):
+        """Test that user lookup is case insensitive"""
+        user = (
+            self.env["res.users"]
+            .sudo()
+            .search([("login", "=ilike", "TESTUSER")], limit=1)
+        )
+        self.assertEqual(user, self.test_user)
+
+    def test_find_user_not_found(self):
+        """Test finding non-existent user"""
+        user = (
+            self.env["res.users"]
+            .sudo()
+            .search([("login", "=ilike", "nonexistent")], limit=1)
+        )
+        self.assertFalse(user)
+
+    def test_session_token_fields_extended(self):
+        """Test that session_logout_key is included in session token fields"""
+        fields = self.env["res.users"]._get_session_token_fields()
+        self.assertIn("session_logout_key", fields)
+
+    def test_force_logout_changes_session_key(self):
+        """Test that force logout updates session_logout_key"""
+        old_key = self.test_user.session_logout_key
+        self.test_user.action_force_logout()
+        self.test_user.invalidate_recordset()
+        self.assertNotEqual(self.test_user.session_logout_key, old_key)
+
+    def test_force_logout_count_increment(self):
+        """Test that force logout count is incremented"""
+        initial_count = self.test_user.force_logout_count
+        self.test_user.action_force_logout()
+        self.test_user.invalidate_recordset()
+        self.assertEqual(self.test_user.force_logout_count, initial_count + 1)
+
+    def test_audit_log_creation(self):
+        """Test that audit logs can be created"""
+        audit_log = (
+            self.env["auth.session.logout.audit"]
+            .sudo()
+            .create(
+                {
+                    "target_user_id": self.test_user.id,
+                    "request_ip": "127.0.0.1",
+                    "user_agent": "Test Agent",
+                    "status": "success",
+                }
+            )
+        )
+        self.assertTrue(audit_log.exists())
+        self.assertEqual(audit_log.target_user_login, "testuser")
+        self.assertEqual(audit_log.status, "success")
+
+    def test_audit_log_error_status(self):
+        """Test audit log with error status"""
+        audit_log = (
+            self.env["auth.session.logout.audit"]
+            .sudo()
+            .create(
+                {
+                    "target_user_id": self.test_user.id,
+                    "request_ip": "127.0.0.1",
+                    "status": "error",
+                    "error_message": "Test error message",
+                }
+            )
+        )
+        self.assertEqual(audit_log.status, "error")
+        self.assertEqual(audit_log.error_message, "Test error message")
+
+    def test_generate_token(self):
+        """Test token generation"""
+        settings = self.env["res.config.settings"].create({})
+        settings.action_generate_token()
+        new_token = (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param("auth_session_logout_api.token")
+        )
+        self.assertTrue(new_token)
+
self.assertNotEqual(new_token, self.test_token) diff --git a/auth_session_logout_api/views/auth_session_logout_audit_views.xml b/auth_session_logout_api/views/auth_session_logout_audit_views.xml new file mode 100644 index 0000000000..6708364c17 --- /dev/null +++ b/auth_session_logout_api/views/auth_session_logout_audit_views.xml @@ -0,0 +1,130 @@ + + + + + + auth.session.logout.audit.tree + auth.session.logout.audit + + + + + + + + + + + + + + auth.session.logout.audit.form + auth.session.logout.audit + +
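Review bot: `test_token_validation_valid` and `test_token_validation_invalid` call `secrets.compare_digest` on the fixture values directly, so they verify the standard library rather than the module's own token check, and the `test_find_user_*` cases likewise repeat an `=ilike` search instead of calling the controller's lookup; none of the header parsing, the 401/404 paths or the audit rows written on failure are exercised. Point those tests at the controller's helpers and add an `odoo.tests.HttpCase` that POSTs to `/web/session/force_logout` with `X-Force-Logout-Token`, with `Authorization: Bearer`, with no token and with an unknown user, asserting the status codes documented in USAGE.rst and the matching `auth.session.logout.audit` rows; `setUpClass` already stores the token in `ir.config_parameter`, so such a test can reuse the fixture. If the controller does use `=ilike` as these tests assume, `_` and `%` are LIKE wildcards under that operator, so a lookup for a login containing an underscore can also match other users; a test with such a login would pin the intended behaviour.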
+ + + + + + + + + + + + + + + + + +
+
+
+ + + auth.session.logout.audit.search + auth.session.logout.audit + + + + + + + + + + + + + + + + + + + + + Force Logout Audit + auth.session.logout.audit + tree,form + {'search_default_filter_today': 1} + +

+ No force logout audit logs yet +

+

+ Audit logs will be created when force logout operations are performed. +

+
+
+ + + +
diff --git a/auth_session_logout_api/views/res_config_settings_views.xml b/auth_session_logout_api/views/res_config_settings_views.xml new file mode 100644 index 0000000000..788b121acb --- /dev/null +++ b/auth_session_logout_api/views/res_config_settings_views.xml @@ -0,0 +1,73 @@ + + + + + + res.config.settings.view.form.inherit.auth.session.logout + res.config.settings + + + +

Force Session Logout

+
+
+
+
+
+
+
+ + + + diff --git a/setup/auth_session_logout_api/odoo/addons/auth_session_logout_api b/setup/auth_session_logout_api/odoo/addons/auth_session_logout_api new file mode 120000 index 0000000000..f43451a1d2 --- /dev/null +++ b/setup/auth_session_logout_api/odoo/addons/auth_session_logout_api @@ -0,0 +1 @@ +../../../../auth_session_logout_api \ No newline at end of file diff --git a/setup/auth_session_logout_api/setup.py b/setup/auth_session_logout_api/setup.py new file mode 100644 index 0000000000..28c57bb640 --- /dev/null +++ b/setup/auth_session_logout_api/setup.py @@ -0,0 +1,6 @@ +import setuptools + +setuptools.setup( + setup_requires=['setuptools-odoo'], + odoo_addon=True, +)