Writing an UnAuthenticated API in frappe

luckyabhishek · July 11, 2023, 7:26am

Hi Folks,

I want to create a whatsapp integration for APM. Meta wants me to provide them with an endpoint which can receive GET/POST Requests on Anonymous endpoints.
Frappe provides me with a way to expose REST API using @frappe.whitelist decorator, however it makes it mandatory for the caller to provide with a token. WhatsApp integration can’t fetch that token.

Is there a way to expose anonymous REST API from frappe ?

Thanks, Abhishek

ankush · July 11, 2023, 8:11am

@frappe.whitelist(allow_guest=True) should work.

luckyabhishek · July 25, 2023, 3:40am

Hey @ankush
allow_guest did solve the issue. Here’s a pickle I am in. I wanted this method to be called from a webhook and hence guest works.
However after the API is called, I want to elevate the privilege and create some entities which are available only for a few roles. Is there an API which helps me impersonate admin or some other user for the part of the code in the webhook ?
Abhishek

revant_one · July 25, 2023, 3:57am

There’s no security component in webhook url, if anyone knows the endpoint they can input data. Add a param for security and verify it from settings or config. Or verify request as per api docs. E.g. some api sign the payload with shared secret and endpoint has to verify the payload with shared key.
Set user by calling frappe.set_user("Administrator")

nextgen · July 25, 2023, 4:37am

in hooks you can use somthing like this
auth_hooks = [“hfrr.auth_module.auth_api.Authhookmethood”]

to override the standard authentication and this method will called before calling any whitelist method


def Authhookmethood():
  AuthToken = frappe.get_request_header("WhatsAppToken", "")
  form_dict = frappe.local.form_dict
  request_type = frappe.request.path[1:].split("/", 3)
  frappe.set_user('user1@mysite.com')