Hello everyone,
We have an on-premise Odoo v15 server which has been running for quite a while without specific issues.
This server is protected by Cloudflare. Sometimes we get a challenge from Cloudflare to check if "I am a robot". This used to work fine.
However, for the past 3 days, a lot of jsonrpc requests have ended up being challenged by Cloudflare. For example web/dataset/search_read, which is quite essential, is detected as potentially problematic by Cloudflare, which issues a challenge:
web.assets_backend.min.js:603 POST xxx/web/dataset/search_read 403 (Forbidden)
(anonymous) @ web.assets_backend.min.js:603
jsonrpc @ web.assets_backend.min.js:597
request.response contains the HTML of Cloudflare's challenge page.
However, since Odoo tries to parse it as JSON:
const {error: responseError, result: responseResult} = JSON.parse(request.response);
we end up with an Odoo client error, because of course JSON.parse cannot parse an HTML page:
Uncaught Javascript Error > Unexpected token '<', "<!DOCTYPE "... is not valid JSON
To be honest, I'm a bit lost about this. Why does Cloudflare send so many challenges? Why can't Odoo handle those challenges for JSON routes? It's not like Cloudflare is an obscure DDoS protection :/
Any idea on how we could fix this issue?
We can't remove the protection for those routes, as any attacker could abuse them?
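
One way a JSON-RPC client can tell a Cloudflare challenge page from a real reply before calling JSON.parse, as an added example that is not part of the original post and not Odoo's code. It assumes challenge pages carry Cloudflare's `cf-mitigated: challenge` response header, with an HTML check as fallback; `classifyRpcReply` and the sample replies are hypothetical.

```javascript
// Added example (not Odoo's code): classify an HTTP reply on a JSON-RPC route
// before parsing it, so a challenge page is handled instead of crashing the client.
function classifyRpcReply({ status, headers, body }) {
  // Normalise header names; HTTP header names are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  const contentType = (h["content-type"] || "").toLowerCase();
  const text = String(body ?? "");

  // Assumption: Cloudflare marks challenge pages with this response header.
  if ((h["cf-mitigated"] || "").toLowerCase() === "challenge") {
    return { kind: "challenge", status };
  }
  // Fallback: HTML on a JSON route is an interstitial or error page, not an RPC reply.
  if (contentType.includes("text/html") || /^\s*</.test(text)) {
    return { kind: "non_json", status };
  }
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { kind: "non_json", status };
  }
  if (parsed === null || typeof parsed !== "object") return { kind: "non_json", status };
  if (parsed.error) return { kind: "rpc_error", status, error: parsed.error };
  return { kind: "result", status, result: parsed.result };
}

// Constructed sample replies (not captured traffic).
const challengeReply = {
  status: 403,
  headers: { "Content-Type": "text/html; charset=UTF-8", "CF-Mitigated": "challenge" },
  body: "<!DOCTYPE html><html><head><title>Just a moment...</title></head></html>",
};
const htmlErrorReply = {
  status: 502,
  headers: { "Content-Type": "text/html" },
  body: "<!DOCTYPE html><html><body>Bad gateway</body></html>",
};
const okReply = {
  status: 200,
  headers: { "Content-Type": "application/json" },
  body: '{"jsonrpc":"2.0","id":1,"result":{"length":0,"records":[]}}',
};
const rpcErrorReply = {
  status: 200,
  headers: { "Content-Type": "application/json" },
  body: '{"jsonrpc":"2.0","id":2,"error":{"code":100,"message":"Session expired"}}',
};
```

A caller can treat `challenge` as "reload the page so the user can complete the check" and log `non_json` with the status code, instead of surfacing a JSON syntax error.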