Just noticed that the odoo json-rpc calls can be made only by passing the dbname, uname and pwd. Well, this is clearly available on inspection if it's from an external web page which for example is based in angular. Isn't this a security risk considering that Odoo is an erp system? What are the solutions to this problem? I don't see any workaround on the odoo json-rpc side to this problem, so is there anything that can be done on the external web page which is based in angular or any other system for this?