HI,
I see that Odoo has an API Endpoint (web/session/authenticate) that can be called even though the request have no sessionID to specify which DB is using.
Every other Endpoint will return 404 if Odoo have multiple active DB.
I create my own endpoint that copy exactly from web/session/authenticate, but it still return 404.
Does anybody know why and how to fix it.
Hello,
This behavior is expected in Odoo when running with multiple databases.
The /web/session/authenticate endpoint works without specifying a DB because it is explicitly designed as a public, pre-database selection route. Most other endpoints (including custom ones) require a database context, otherwise Odoo cannot determine which DB to route the request to, resulting in a 404.
Simply copying the controller logic is not enough, as Odoo internally treats such routes differently (e.g., using auth="none" and special dispatch handling).
Possible approaches:
Hope this works for you! If you need any help implementing this or want a more optimized approach, feel free to reach out for further discussion
Regards,
Zehntech Technologies Inc.
Hi. Thank you for your answers. I want to make my requirements clearer if it helps.
- I create a custom API Endpoint on Odoo. Ex: /api/custom/do-something
- If my Odoo is having multiple DB: call that API as an anonymous user will return 404.
I think your 3rd approach (Customize the request dispatching (advanced) to handle DB selection before your endpoint is called ) is what I looking for. But i have tried called /api/custom/do-something?db=mydb anonymously, it still returns 404.
Have you guys ever implemented something that can solve or workaround this problem?
Thanks
Zehntech comment worked for me.
You're spot on ?db=mydb gets rejected by Odoo's root dispatcher before your /api/custom/do-something even loads in multi-DB setups. Been there!
What works for me:
Server-wide module: server_wide_modules = web,base,your_module in odoo.conf. Restart and it matches /web/session/authenticate behavior.
Quick ir.http override:
python
from odoo import http
class IrHttp(http.Controller):
@classmethod
def _authenticate(cls, endpoint, ...):
db = request.httprequest.args.get('db')
if db: request.session.db = db
return super()._authenticate(...)
Then route: @http.route('/api/custom/<string:db>/do-something', auth='none')
Easy alternative: Just use XML-RPC /xmlrpc/2/db. It handles db params flawlessly.
Hope it helps
Cree una cuenta para poder utilizar funciones exclusivas e interactuar con la comunidad.
Inscribirse| Publicaciones relacionadas | Respuestas | Vistas | Actividad | |
|---|---|---|---|---|
|
1
nov 25
|
1521 | ||
|
1
ago 25
|
3843 | ||
|
2
ago 25
|
2243 | ||
|
3
jun 25
|
4637 | ||
|
Change resume view
Resuelto
|
|
4
jul 25
|
2748 |
1. Use the live chat to ask your questions.
2. The operator answers within a few minutes.
Hello,
You have multiple database in system? check odoo.conf for dbfilter parameter..
The thing is that the system is required to have multiple active DBs at the same time.
Can you elaborate more about this?
Hi,
Thanks for clarifying - this makes the problem much clearer.
You are right, the ?db=mydb parameter alone does not work for anonymous endpoints because Odoo's dispatcher rejects the request with a 404 before it even reads that parameter in a multi-DB setup. The DB selection needs to happen at the dispatcher level, earlier in the request lifecycle.
we have implemented this in a real project.
We built a custom Odoo module for a client who needed anonymous API access across a multi-DB Odoo instance - specifically for a mobile app integration where the calling system had no session context. The setup involved:
A custom ir.http override to intercept the DB name from a request header (X-Odoo-Database) before Odoo's dispatcher rejected the request
All custom endpoints decorated with auth='none' and routed outside the standard session-based flow
A lightweight token validation layer inside the endpoint itself (since there is no Odoo session, you handle your own auth logic)
It worked reliably in production on a 3-DB Odoo 16 instance.
Here is the approach that works for you:
Override _pre_dispatch in ir.http
In your custom module, extend ir.http and override the _pre_dispatch (or _get_default_session depending on your Odoo version) to read the database name from the request early - before routing resolves:
from odoo import models
from odoo.http import request, db_filter
class IrHttp(models.AbstractModel):
_inherit = 'ir.http'
@classmethod
def _pre_dispatch(cls, rule, args):
# Read ?db= param or X-Odoo-Database header early
db = (
request.httprequest.args.get('db')
or request.httprequest.headers.get('X-Odoo-Database')
)
if db and db in db_filter([db]):
request.session.db = db
return super()._pre_dispatch(rule, args)
--------------------------------------------------------------------------------------------------
Then your custom route should be decorated like this:
@http.route('/api/custom/do-something',
type='json',
auth='none', # critical
csrf=False,
save_session=False)
def do_something(self, **kwargs):
...
________________________________________________________________________________________________________
A few important notes:
- The auth='none' is mandatory - auth='public' will still try to resolve a user session which requires a DB context.
- Make sure your endpoint does not touch any ORM or recordset at the point of entry before the DB is set.
- If you are on Odoo 16+, the dispatcher was refactored - let us know your version and we can adjust the override accordingly.
This pattern has been implemented for similar anonymous API gateway scenarios and works reliably in multi-DB setups.
Hope this works for you! Feel free to reach out for further discussion.
Regards,
santosh.sekwadia@zehntech.com
Thanks a lot for the answer. I get the idea now. I'm using Odoo17 so the dispatcher behaves differently now.