Token Authentication Not Works in REST API (ERPNext)

ERPNext
1

ERPNext rest-api
Token Authentication Not Works in REST API (ERPNext)

I’m trying to build CRUD operations for ERPNext (cloud hosted) document handling using provided methods.
https://frappeframework.com/docs/user/en/api/rest

I tried Token based authentication method listed there,
got the key and secret from:

image
image1288×568 39.7 KB

All the roles are available for user

image
image981×895 72.9 KB

  1. Using Basic token:

> 'Authorization': 'token api_key:api_secret'

request:

const response = await firstValueFrom(
        this.httpService.post(
          `${host}/api/resource/${docType}?fields=["*"]`,
          data,
          {
            headers: {
              Authorization: `token ${key}:${secret}`,
              'Content-Type': 'application/json',
            },
          },
        ),
      );

response:

{
	"exception": "frappe.exceptions.PermissionError",
	"exc_type": "PermissionError",
	"exc": "[\"Traceback (most recent call last):\\n  File \\\"apps/frappe/frappe/app.py\\\", line 110, in application\\n    response = frappe.api.handle(request)\\n  File \\\"apps/frappe/frappe/api/__init__.py\\\", line 49, in handle\\n    data = endpoint(**arguments)\\n  File \\\"apps/frappe/frappe/api/v1.py\\\", line 42, in create_doc\\n    return frappe.new_doc(doctype, **data).insert()\\n  File \\\"apps/frappe/frappe/model/document.py\\\", line 282, in insert\\n    self.check_permission(\\\"create\\\")\\n  File \\\"apps/frappe/frappe/model/document.py\\\", line 218, in check_permission\\n    self.raise_no_permission_to(permtype)\\n  File \\\"apps/frappe/frappe/model/document.py\\\", line 239, in raise_no_permission_to\\n    raise frappe.PermissionError\\nfrappe.exceptions.PermissionError\\n\"]",
	"_server_messages": "[\"{\\\"message\\\": \\\"User <strong>Guest</strong> does not have doctype access via role permission for document <strong>Customer</strong><br>User <strong>Guest</strong> does not have access to this document\\\", \\\"title\\\": \\\"Message\\\"}\"]",
	"_error_message": "Insufficient Permission for Customer (<strong>create</strong>)"
}

it’s look like even the Authentication is provided it is detected as a guest request. is there is any other way to get the expected outcome without using password based authentication it is not align with my use case.

Version info:

  • NestJS
  • ERPNext v15.15.0
  • Frappe Framework v15.17.0
2

Hi @migara_m:

Are you encoding the token (Base64)?

1 Like
3

token with api_key and api_secret is fine if it is server to server communication. It is not expected to generate the keys with every request like OAuth2/OIDC Bearer Token. Simple setup and you can continue what is done. Try the same request in Postman to comfirm it works.

If you need user “authorization”, use create OAuth Client in frappe and use access tokens generated by it. Refer Frappe OAuth 2 Documentation.

4

Hi,
I tried that too, not working

image
image1860×465 100 KB

5

ERPNext rest-api
We are doing a M2M integration,

hence prefer to go down the basic authentication method. I’ve tried both the token "Authorization: token xxxx:xxxx" method and basic Authentication method too (Base 64 encoded clientId:secret as the Authorization header) which too doesn’t seem to work. We’ve tried this in Insomnia, Postman and programatically too.

My observation is regardless of the Authorization header being available, requests doesn’t seem to get authenticated, hence the error message with the text 'does not have doctype access via role permission for document <strong>Customer</strong>'.

However, the user API credentials used in accessing this API are generated for an System User type with permission to all modules/roles.

How do I go on about debugging this further? Are there any configurations that needs to be done on Fraffe/ERPNext setup to enable the APIs?

6

Hi @migara_m:

There is no other configuration needed here …
It’s working. Check roles again (maybe have used role profile at user creation …) and use “Basic encoded_api_key:api_secret”

image
image1147×676 35.3 KB

image
image1212×690 38.7 KB

Hope this helps.