Authenticate Employees by their phone number

I have a requirement to make an employee self-service mobile app connected to ERPNext.
We will authenticate employees by their phone number,
without making a system user for each employee.

What's your suggestion:
make one user with a secret key and connect through it from the mobile app.

Or what is the best solution that crosses security without creating an account for each employee?

Many thanks

One way of doing this is through a custom app and code.

Add 1 whitelisted function with allow_guest=True called get_otp(phone_number). This will store phone_number as key with a random OTP as value in the frappe cache with an expiry that you set. Use an SMS gateway to send this OTP to the phone number. DO NOT return the OTP as the HTTP JSON response!

All other whitelisted functions that authenticate using this alternative OTP also need to be allow_guest=True. They accept the phone_number and otp along with other parameters, verify the phone:otp pair from the cache, clear the cache entry and further do anything that's needed using the frappe ORM with ignore_permissions=True. You've a valid number in the request to identify the employee. You can accept phone and otp as request headers instead of body params.

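A minimal sketch of the OTP flow described in the reply above, as an added example rather than code from this thread or from Frappe: the frappe.cache() backend and the SMS gateway are replaced with in-memory stand-ins (an assumption, so the block runs stand-alone); in a real app the two functions would be decorated with @frappe.whitelist(allow_guest=True) and the cache swapped for frappe.cache().

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # how long a sent OTP stays valid
MAX_ATTEMPTS = 5       # wrong guesses before the pending OTP is discarded

class MemoryCache:
    """Stand-in for frappe.cache() (assumption: same set/get/delete_value shape)."""
    def __init__(self):
        self._store = {}
    def set_value(self, key, value, expires_in_sec):
        self._store[key] = (value, time.monotonic() + expires_in_sec)
    def get_value(self, key):
        item = self._store.get(key)
        if item is None or time.monotonic() >= item[1]:
            self._store.pop(key, None)
            return None
        return item[0]
    def delete_value(self, key):
        self._store.pop(key, None)

cache = MemoryCache()
sent_sms = []  # constructed stand-in for the SMS gateway

def get_otp(phone_number):
    """Guest-callable: generate, cache and SMS an OTP. The OTP is never returned."""
    otp = f"{secrets.randbelow(10**6):06d}"
    entry = {"otp": otp, "attempts": 0, "expires_at": time.monotonic() + OTP_TTL_SECONDS}
    cache.set_value(f"otp:{phone_number}", entry, expires_in_sec=OTP_TTL_SECONDS)
    sent_sms.append((phone_number, f"Your login code is {otp}"))
    return {"status": "sent"}

def verify_otp(phone_number, otp):
    """Guest-callable check of the phone:otp pair. Single use, bounded attempts."""
    key = f"otp:{phone_number}"
    entry = cache.get_value(key)
    if entry is None:
        return False  # unknown number, expired, or already consumed
    if hmac.compare_digest(entry["otp"], str(otp)):
        cache.delete_value(key)  # consume so the same OTP cannot be replayed
        return True
    entry["attempts"] += 1
    remaining = entry["expires_at"] - time.monotonic()
    if entry["attempts"] >= MAX_ATTEMPTS or remaining <= 0:
        cache.delete_value(key)  # too many guesses: caller must request a new OTP
    else:
        cache.set_value(key, entry, expires_in_sec=remaining)  # keep original expiry
    return False
```

The response of get_otp carries only a status, so the code reaches the phone solely through the SMS path, and the attempt counter keeps a guest caller from brute-forcing the six digits within the expiry window.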

Many thanks @revant_one for your reply :smiling_face_with_three_hearts: It's really useful.

I will use an external service to verify the phone and to send the OTP in the mobile app; after verification it will get a uid for each phone number.

After that I will send the phone number and uid to ERPNext, to a whitelisted function with allow_guest=True.

At this point can I create something like a bearer token for each phone number
and begin using standard ERPNext APIs without resending the phone number and uid again?

Like this:

url = "http://frappe.local:8000/api/method/…"
headers = {
    "Authorization": "Bearer %s" % access_token
}

Many thanks in advance :white_heart:


Hi @nextgen

I have a similar requirement.
I want to verify users with mobile number & OTP. I don't want to use their email id, nor do I want them to remember a password to create/log into an account. And for each subsequent HTTP request, the app will send the authorization token in the header & ERPNext will authenticate it.

How did you achieve this?

While trying to achieve this by token-based authentication, I get an error:

frappe.exceptions.AuthenticationError: Password not found

For the mobile application I used Flutter phone number authentication.
After the user submits the OTP, Flutter will provide you with an ID token,
and you can send this token to the server with the API request.

In ERPNext you will use the Flutter SDK to validate the token; from the token you can get the phone number assigned, and from the number you can determine which employee it belongs to:

select name from tabemployee where phonenumber = '987521511555'

I did not complete the project, but this is the idea in general.