API Auth Issue: Function is not whitelisted

Hi,

I can't get the Frappe API auth working. I created an API key + secret with a user who has all roles & permissions, but I still get the following error for every request:

{
    "exc_type": "PermissionError",
    "exception": "**frappe.exceptions.PermissionError: <details><summary>You are not permitted to access this resource.</summary>Function <strong>frappe.auth.get_logged_user</strong> is not whitelisted.**</details>",
    "exc": "[\"Traceback (most recent call last):\\n  File \\\"apps/frappe/frappe/app.py\\\", line 94, in application\\n    response = frappe.api.handle()\\n  File \\\"apps/frappe/frappe/api.py\\\", line 54, in handle\\n    return frappe.handler.handle()\\n  File \\\"apps/frappe/frappe/handler.py\\\", line 47, in handle\\n    data = execute_cmd(cmd)\\n  File \\\"apps/frappe/frappe/handler.py\\\", line 82, in execute_cmd\\n    is_whitelisted(method)\\n  File \\\"apps/frappe/frappe/__init__.py\\\", line 780, in is_whitelisted\\n    throw(msg, PermissionError, title=\\\"Method Not Allowed\\\")\\n  File \\\"apps/frappe/frappe/__init__.py\\\", line 533, in throw\\n    msgprint(\\n  File \\\"apps/frappe/frappe/__init__.py\\\", line 501, in msgprint\\n    _raise_exception()\\n  File \\\"apps/frappe/frappe/__init__.py\\\", line 450, in _raise_exception\\n    raise raise_exception(msg)\\nfrappe.exceptions.PermissionError: <details><summary>You are not permitted to access this resource.</summary>Function <strong>frappe.auth.get_logged_user</strong> is not whitelisted.</details>\\n\"]",
    "_server_messages": "[\"{\\\"message\\\": \\\"<details><summary>You are not permitted to access this resource.</summary>Function <strong>frappe.auth.get_logged_user</strong> is not whitelisted.</details>\\\", \\\"title\\\": \\\"Method Not Allowed\\\", \\\"indicator\\\": \\\"red\\\", \\\"raise_exception\\\": 1}\"]"
}

The method frappe.auth.get_logged_user is definitely whitelisted (it is the API example in the ERPNext docs). If I don't use any auth in the request I get the same error, so I think something is wrong with the tokens. The basic auth (setting usr and pwd in the body) doesn't seem to work either with my user.

I also don't have the role ‘All’ the user in this post is referencing.

Any input is greatly appreciated!

Did you find the solution?

No, unfortunately not yet

Hi @philippm @mohammed_shariq:

As described in the docs, your token ({api_key:api_secret}) needs to be Base64-encoded
(Token Based Authentication)

Hope this helps.

Hi avc, thank you for your input, but that did not resolve the issue.

I was able to fix it by setting the Authorization header manually in Postman. Maybe this is just a problem with Postman.

So instead of setting Authorization in the second tab, I added a header key-value pair like this:
Key: Authorization
Value: token <api_key>:<api_secret>

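The two header forms mentioned in this thread (the manual `token` header and the Base64-encoded pair), plus a decoder for the double-encoded `_server_messages` field of the error response, as an added example that is not code from any poster or from Frappe. The host `erp.example.com`, the placeholder credentials and the helper names are assumptions; the request is built but never sent.

```python
import base64
import json
import urllib.request

METHOD = "frappe.auth.get_logged_user"  # method named in the thread


def auth_headers(api_key: str, api_secret: str) -> dict:
    """Return both Authorization header values for one key pair."""
    pair = f"{api_key}:{api_secret}"
    return {
        # Form that worked in the thread: scheme "token", pair in clear text.
        "token": f"token {pair}",
        # Base64 form mentioned in the thread: scheme "Basic", pair encoded.
        "basic": "Basic " + base64.b64encode(pair.encode()).decode("ascii"),
    }


def build_request(base_url, api_key, api_secret, scheme="token"):
    """Build (but do not send) the GET request with the header set by hand."""
    url = f"{base_url.rstrip('/')}/api/method/{METHOD}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", auth_headers(api_key, api_secret)[scheme])
    req.add_header("Accept", "application/json")
    return req


def server_messages(body: str) -> list:
    """Decode _server_messages: a JSON string holding a list of JSON strings."""
    raw = json.loads(body).get("_server_messages")
    if not raw:
        return []
    return [json.loads(item) for item in json.loads(raw)]


# Constructed sample shaped like the error response in the question.
SAMPLE_ERROR = json.dumps({
    "exc_type": "PermissionError",
    "_server_messages": json.dumps([json.dumps({
        "message": "Function frappe.auth.get_logged_user is not whitelisted.",
        "title": "Method Not Allowed",
        "indicator": "red",
        "raise_exception": 1,
    })]),
})

if __name__ == "__main__":
    req = build_request("https://erp.example.com", "KEY_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(req.full_url, req.get_header("Authorization"))
    print(server_messages(SAMPLE_ERROR)[0]["title"])
```

Base64 is an encoding, not encryption: both header forms expose the secret to anyone who can read the request, so send them over HTTPS only and keep them out of shared API-client collections and logs.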

Hi:
It’s working for me from Postman, Bruno or other API client without issues.
Anyway, glad to hear you solved it 🙂