We are setting up a new distribution business that delivers goods directly to consumers (B2C). I want to create a workflow where customer accepts the delivery by clicking on a URL (displayed on the delivery driver mobile) without having to log in to ERPNext. Or signs delivery note with a signature field.
Will appreciate overall guidance on how to setup this workflow. I am comfortable with custom script to send email or sms to transporter / customer mobile. Would like to know how to send URL that allows to confirm delivery - and changes status of delivery note from Submit to Delivered (example).
Hi Muzzamil. I am still looking for solution. Currently we setup flow where driver is handed a printed delivery note at warehouse and he obtains customer signature at time of delivery. He is supposed to return this back to warehouse, where the clerk files it but obviously it is not being done 100% right, 100% of the time.
Will really appreciate it if folks can contribute their thoughts on how to accomplish this. Ideally both the driver and the customer should not have to login to ERPNext. Many customers do not have mobile, do not use the customer portal and drivers for last mile are often free lance and not as organized. Usually most drivers these days have a smart phone - so can receive sms with a url…
How about a QR Code on the Print Out and both the driver and the customer scan the QR Code that leads them to a landing page where they acknowledge delivery. You could have an SMS/Text message go out to them as they land at the landing page and they have to confirm the PIN to authenticate the transaction. Which obviously means that the Customer’s (at least) Phone Number should already be updated on the system. Preferably the drivers too. Of course you will have a bunch of other issues where the customer is not at the receiving location and her/his representative wants to take delivery and now you get into all kinds of jams. It’s always a fine line you have to walk between flexibility and control. I think, rather than the PIN by Text/SMS, the landing page should have a place where the receiver makes an approximate signature. The Landing Page could be a URL that uses RestAPI to fetch from, and push data to ERPNext.
Hey @JayRam - thank you for your thoughts. We actually print a QR code currently on our documents - so our customers can verify the authenticity. The QR Code contains the URL to access the document online. However to access any document in ERPNext it requires user to sign in and access the portal before they can access an invoice or delivery note.
My original query was how to enable access to a delivery note document without requiring customer to sign in? How to build in an authentication code (in the URL) of some kind such that bypasses the ERPNext desk login? It needs to be document specific as any person with access to that URL will be able to see that document.
Second step after that will be also allowing rights to change status of delivery note from submit to delivered / accepted (say). Dont know if this is feasible in ERPNext?
In technical terms, this can be done via an API endpoint (@frappe.whitelist(allow_guest=True)) and saving the document while ignoring permissions (my_doc.save(ignore_permissions=True)).
I am unsure if Frappe has one-time use access tokens built-in for authentication, but that should not be incredibly hard to create either. A new One-Time Use Auth DocType could be made with token and expires columns; one could potentially add a docname part to validate what document that one-time use token has access to. The token generated can be passed
Someone who knows Frappe deeper could share how to add the authentication as middleware. If not, the API function can just manage authentication before changing the Delivery Note status.
In more general terms, it is not extremely difficult to accomplish this. I would recommend building your own Frappe app as a companion to ERPNext (along with any customizations you have done).
Hey @kevinpthorne - I think the token based authentication could / should work. However, I am under the impression that the api_key:api_secret would be visible in the URL (QR Code). Currently our QR code encodes the following URL something like:
so resulting URL to encode into QR code will be: https://erp.domain.com/desk#Form/Delivery%20Note/MAT-DN-20208001 -H "Authorization: "Basic %s" % base64.b64encode(<api_key>:<api_secret>)"
Will appreciate your review… After base64 encoding of the key:secret - will the token be visible / reverse decodable to anybody who has access to the URL? Obviously, we would not want anyone to have access to this token as it may give them access to other documents on the server - the token is not per document - it seems it is per user - fyi…
You are correct. It is difficult to add headers to QR Codes (unless some sort of method could help translate a GET call to a POST with necessary headers…which I would discourage).
I was hoping to use parts of Frappe that are already implemented. The solution I suggested earlier would probably be the best:
Make a DocType called One-Time Token with token, docname (optional) fields.
When the myapp.myapp.mymodule.mark_delivery_note is called, the method should first ensure the token given is valid for the specific document name given (if desired and specified) and deletes after first use. Then the rest of the API function could return the document details, change the status, or do whatever is needed.
If the token needs to be used more than once, a token could expire after time. This could be added by adding an expires DocField.
The URL that would go into QR Codes could look like the following: http://example.org/api/method/myapp.myapp.mymodule.mark_delivery_note?token=abcde12345&docname=mydeliverynotename&myarg=myvalue
Seems not easy to implement - and definitely above my pay grade :-). AS I understand it - ERPNext requires user authentication to access a document. I am unsure if we create an alternate document token system - if it can override the ERPNext std functionality? I see that your original solution does propose to save the document with "allow_guest=True and ignore_permissions=True. Wondering what the implications of that would be…
Lets hope some Frappe expert from the community can add their thoughts. At the end - the question is - can we implement a token access system that is document specific with token expiry (& method of renewal?) and allow a user to access specific document via url without signing in…
