
Creating website user using REST API - without system user session


#1

We are working on an e-commerce app where people will self-register; on registration, user, contact and address records need to be created.
Currently, to create a user we have to first log in using a system user and then create the user's contact and address.

@rmehta @netchampfaris - Please advise


#2

Welcome to ERPNext, Bhaskar_Jain.

For the sake of courtesy please don’t mention specific users.

This is a voluntary forum and no one is responsible to answer.

thanks


#3

Thanks Clark, will keep it that way in future … Is there any mechanism for the queries to be answered for hosted users?
If I raise any informational ticket I get redirected to this forum, and not every time do I find an answer here.


#4

If you are a paid hosted account on the erpnext/frappe cloud, then you have access to support by sending your questions to "support@erpnext.com"

Send your questions there from the email account that you used to register with the hosted service and you will get an auto response with your ticket number indicating your issue was passed on to an appropriate technical person to resolve. Normally you have an answer back on the next business day. In the case of holidays in India, it may be the next business day after the holiday.

Hope that helps…

BKM


#5

Hi BKM, my experience so far regarding such queries has been redirection towards forum.

I just want to know if there is a mechanism to create a website user without an existing system user session via RPC/REST?


#6

This documentation explains how you can use the Frappe REST APIs.

Hope this helps, thanks!


#7

Thanks, but I am looking for the specific answer and not how to use REST/RPC calls.

We want to create website users using the REST API directly and not the current process where:
1) first log in with a system user by calling the REST API
2) create the user, then create the customer using the system user
   • if we do not create the customer, then 2 customer records get created!

#8

The system user login is, I assume, required first to authorize access.

With your self-registration case my guess is you would need to develop your own registration and security procedures.

So your question is what others have done or alternatives for this case…


#9

Thanks Clark.

Getting to know what others have done will be a great start, and also understanding how signup is done on POS for visitors.


#10

“Getting to know what others have done will be a great start and also understanding how signup is done on POS for visitors”

For sure this is a Q & A gold mine - the best results are a matter of digging around and sharing.

“my experience so far regarding such queries has been redirection towards forum”

Yes I imagine support@erpnext.com deals with production bugs and not implementation support.


#11

It’s not mandatory that the “user account” used to authenticate against Frappe using the REST API be the same as the customer.

In your scenario, just have your app authenticate against a hard-coded account for access to the server. Then deal with creating the customer. I say this with hesitation because there are a set of best practices to follow to do this securely, so I hope you follow best practices if you go down this route. Also, if you go down this route, create a custom role which only gives access to write to the doctypes you need, and nothing else.

Otherwise, the only other alternative is to write your own REST endpoints which you’re not going to be able to do without a pull request on the hosted instance.


#12

felix, I have hardcoded credentials and created a custom role, but this exposes a bigger security issue. We should allow website signup without authentication and assign a customer role that only allows them to create orders and payments and read other documents.


#13

That is possible if you use the built-in customer portal and webshop options. Look at the manual for details on that.

Your question specified using the REST API. Right now, you must be authenticated to use the REST API against ERPNext. I would say that is a very good system design decision and things should remain that way. If you really must use a third party integration to do what you ask, then yes, you do need to hardcode credentials. There are secure ways to do that with enough mitigations in place to minimize risk (IP whitelisting, using middleware to sync, and so on), so that just requires analysis from your architecture team.

If however you absolutely require an unauthenticated endpoint to create website users, then you’ll need to send a pull request to the core erpnext code on github which implements the endpoint.
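The middleware pattern from posts #11 and #13, together with the create-user-then-customer order from post #7, as an added example that is not code from the ERPNext/Frappe project or from any poster: a server-side registration step that keeps a dedicated service account's token out of the browser, validates input first, and inserts User, Customer, Contact and Address through Frappe's documented `POST /api/resource/<DocType>` endpoint with the `Authorization: token <api_key>:<api_secret>` header. Assumptions to check against your own site: the field names used on those doctypes, the environment variable names, and that the service account carries only the custom role post #11 describes.

```python
import json
import os
import re
import urllib.request

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _http_post(url, headers, body):
    # Default transport: a real POST to the Frappe site (swapped for a fake in tests).
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


class FrappeRegistrar:
    def __init__(self, base_url, api_key, api_secret, send=_http_post):
        # Runs on the middleware host only; the service account's token never reaches the browser.
        self.base_url = base_url.rstrip("/")
        # Frappe token auth header: 'Authorization: token <api_key>:<api_secret>'.
        self.headers = {"Authorization": f"token {api_key}:{api_secret}",
                        "Content-Type": "application/json", "Accept": "application/json"}
        self.send = send

    def _insert(self, doctype, doc):
        # POST /api/resource/<DocType> inserts one document and returns it.
        return self.send(f"{self.base_url}/api/resource/{doctype}", self.headers, doc)

    def register(self, email, first_name, address_line1, city, country):
        # Validate before the service account's (limited) privileges are used at all.
        if not EMAIL_RE.match(email) or not first_name.strip():
            raise ValueError("invalid registration input")
        # user_type keeps the account a Website User, never a desk user (field names assumed).
        user = self._insert("User", {"email": email, "first_name": first_name,
                                     "user_type": "Website User"})
        # Create the Customer explicitly so no duplicate appears later (post #7).
        customer = self._insert("Customer", {"customer_name": first_name,
                                             "customer_type": "Individual"})
        links = [{"link_doctype": "Customer", "link_name": customer["name"]}]
        contact = self._insert("Contact", {"first_name": first_name, "email_id": email,
                                           "user": user["name"], "links": links})
        address = self._insert("Address", {"address_title": first_name, "address_type": "Billing",
                                           "address_line1": address_line1, "city": city,
                                           "country": country, "links": links})
        return {k: d["name"] for k, d in (("user", user), ("customer", customer),
                                          ("contact", contact), ("address", address))}


def registrar_from_env(send=_http_post):
    # Secrets come from the middleware host's environment, not from source code or the client.
    return FrappeRegistrar(os.environ["FRAPPE_URL"], os.environ["FRAPPE_API_KEY"],
                           os.environ["FRAPPE_API_SECRET"], send)
```

Pair this with the IP whitelisting from post #13 on the Frappe side so the token is only usable from the middleware host.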


#14

Mine is a B2C app that allows consumers to register, and if I customize the ERPNext code that would mean moving away from the hosted service and maintaining a new code base.

Design for not allowing website users to be created via authentication seems not a well-thought-through technical design; hardcoding credentials would result in serious security issues and overheads for anyone requiring self-registration by users.

I do understand now that the functionality doesn't exist, but people working on both the technical and functional design need to think it through for an otherwise great system.


#15

This is an open source project. Send a pull request to add the endpoint you need. It seems like you have the technical skills to make it happen.