[16.0][ADD] auth_execute_as

auth_execute_as/README.rst

@@ -0,0 +1,125 @@
+===============
+Auth Execute As
+===============
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:d397c0e122f92e416e9078b2e733e40e9dcbb37feb6205c7d7e60e175ca77972
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_execute_as
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_execute_as
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module provides a secure API endpoint that allows external systems to
+execute Odoo methods as a specific user.
+
+The key feature is **User Impersonation** - executing actions under a specific
+user's identity so that all Odoo access controls (ACLs & Record Rules) are
+automatically applied.
+
+**Security Architecture**
+
+The module manages access through 3 layers:
+
+* **API Client**: Identifies the connecting application/service with a secret token
+* **API Whitelist**: Groups permissions by purpose (e.g., "Sales Agent Group")
+* **API Whitelist Line**: Defines allowed Model + Method combinations and field restrictions
+
+**Features**
+
+* Token-based authentication via ``X-API-Key`` header
+* IP address whitelist (supports CIDR notation)
+* Token expiration dates
+* User whitelist per client
+* Field-level access control
+* Request/response logging with execution time metrics
+* LLM-friendly response formatting (simplified Many2one fields, ISO dates)
+
+**API Endpoint**
+
+``POST /execute_as``
+
+Request body::
+
+    {
+        "login": "user@example.com",
+        "model": "sale.order",
+        "method": "search_read",
+        "args": [[["state", "=", "sale"]]],
+        "kwargs": {
+            "fields": ["name", "amount_total"],
+            "limit": 10
+        }
+    }
+
+**HTTP Status Codes**
+
+* 200 - Success
+* 401 - Invalid or missing API key, expired token
+* 403 - Method not whitelisted, IP not allowed, user not allowed
+* 404 - User or record not found
+* 422 - Validation error (Odoo UserError/ValidationError)
+* 500 - Internal server error
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_execute_as%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* Kencove
+
+Contributors
+~~~~~~~~~~~~
+
+* Thien Vo <thienvh@trobz.com>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_execute_as>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_execute_as/__init__.py

@@ -0,0 +1,5 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import controllers
+from . import models

auth_execute_as/__manifest__.py

@@ -0,0 +1,22 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Auth Execute As",
+    "summary": "Execute API calls as a specific user with whitelist-based access control",
+    "version": "16.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "Kencove, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "category": "Tools",
+    "depends": ["base"],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/auth_api_whitelist_views.xml",
+        "views/auth_api_whitelist_line_views.xml",
+        "views/auth_api_client_views.xml",
+        "views/auth_api_log_views.xml",
+        "data/ir_cron_data.xml",
+    ],
+    "installable": True,
+}

auth_execute_as/controllers/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2026 Kencove (https://www.kencove.com).
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import main