fix: Allow user to continue as Guest if API key validation fails #15161
Add use-case and a bit more information for reviewers. https://github.com/frappe/erpnext/wiki/Contribution-Guidelines Mark "ready for review" when done.
LGTM.
Codecov Report
@@ Coverage Diff @@
## develop #15161 +/- ##
===========================================
- Coverage 53.73% 44.97% -8.77%
===========================================
Files 746 746
Lines 65176 65176
Branches 5423 5423
===========================================
- Hits 35025 29311 -5714
- Misses 26835 32549 +5714
Partials 3316 3316
Flags with carried forward coverage won't be shown.
I get what you're saying, but I think for a person who is genuinely trying to log in using an API key and secret, raising
Is there any way we can skip this for OAuth? I am not quite sure if we can skip based on API paths?
Makes sense. Any ideas how we could proceed on this? Or do we need to wait for some consensus for the route we need to take?
Would something like this work? #15166
More context from https://discuss.erpnext.com/t/oauth-integration-of-frappe-with-apache-superset/83085/13:
@revant Is there a way to identify from the request that it's OAuth and not API authentication?
I think, when the get_token API is called, even the OAuth Bearer token does not exist, so OAuth will also not work. @revant - Is this understanding correct?
Not really.
Any way to allow Basic Auth header and not fail at api.py? If #15166 does that, it's fine too.
There are 2 general ways to get token,
Frappe can accept the 1st method. If Apache Superset has a way to authenticate the token endpoint using a body param instead of the header.
What if we just ignore API authentication of any kind for that specific endpoint (
Thank you all for the help.
Allow user to continue as Guest if API key validation fails
Background for change:
Additional context - https://discuss.erpnext.com/t/oauth-integration-of-frappe-with-apache-superset/83085/15