After having spent more than 20 hours trying to solve the issue (oh my gosh, I don't believe that!), I think I have come up with something that seems to work.
My case is that I want to support open registration with confirmation by a client app (i.e. mobile), and while the user is registered I want to be able to save some extra information that gets sent over with the registration payload, i.e. father name.
Here is what I've done, and I was able to save into the user custom table of DF.
I created a role called "openRegistartion" with access to the following services:
- Service: System; Component: user/; Access: GET; Requester: API
- Service: System; Component: user/*; Access: PATCH; Requester: API
Then I created an App, let's call it "RegAccessServices", assigned "openRegistartion" to it as the default role, and set the App Location to No Storage Required. I got the API key for the application and then wrote the following V8js script in user.register.post.post_process:
if (event.response.status_code == 200) {
    // Look up the id of the newly registered user by email
    var email = event.request.payload.email;
    var url = 'http://127.0.0.1/api/v2/system/user';
    url = url + "?api_key=11111111111111111111111111111&fields=id&filter=" + encodeURIComponent("email=" + email);
    var result = platform.api.get(url);
    var id = result.content.resource[0].id;

    // Store the extra registration field in the user's custom table
    var fathername = event.request.payload.fathername;
    var payload = JSON.stringify({
        "user_custom_by_user_id": [{ "name": "fathername", "value": fathername }]
    });
    var options = { 'headers': { 'Content-Type': 'application/json' } };
    result = platform.api.patch("http://127.0.0.1/api/v2/system/user/" + id + "?api_key=11111111111111111111111111111", payload, options);
}
and it works!
Issues that I don't like with the above solution:
- I was not able to call platform.api.patch("system/user/{id}") no matter what permissions I gave to the role!!!!
- By giving access to API as requester I have a potential back door for tampering with my data by malicious external API calls. The only thing that eases my worries a bit is the api key that is never revealed to the public.
I hope, and I would greatly appreciate it, if somebody from DF will answer why I can't use the internal call to platform.api and give some guidance on how to use the internal call format, so that I could remove the vulnerability of exposing something that isn't supposed to be exposed!
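
Added example, not part of the original post and not DreamFactory's own code: a hardened variant of the post-process script above that validates the payload before it reaches the `filter` expression and patches only when the lookup returns exactly one user. The `api` parameter stands in for `platform.api`, and `cfg`, `EMAIL_RE`, `MAX_VALUE_LEN` and the `status_code` check on the PATCH result are assumptions made for this sketch.

```javascript
// Added example: `api` stands in for platform.api; `cfg` is a hypothetical
// { baseUrl, apiKey } object so the key is not hard-coded in the script body.
var EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,185}\.[A-Za-z]{2,24}$/;
var MAX_VALUE_LEN = 100; // assumed cap for the custom field value

function saveFatherName(event, api, cfg) {
  if (event.response.status_code !== 200) {
    return { ok: false, reason: 'registration failed' };
  }
  var p = event.request.payload || {};
  // Only a conservatively formatted address goes into the filter, so the value
  // cannot carry spaces, quotes, parentheses or operators into the expression.
  if (typeof p.email !== 'string' || !EMAIL_RE.test(p.email)) {
    return { ok: false, reason: 'bad email' };
  }
  if (typeof p.fathername !== 'string' || p.fathername.length === 0 ||
      p.fathername.length > MAX_VALUE_LEN) {
    return { ok: false, reason: 'bad fathername' };
  }
  var key = '?api_key=' + encodeURIComponent(cfg.apiKey);
  var lookup = api.get(cfg.baseUrl + '/system/user' + key + '&fields=id&filter=' +
                       encodeURIComponent('email=' + p.email));
  var rows = lookup && lookup.content && lookup.content.resource;
  // Patch only when the lookup is unambiguous: exactly one user, integer id.
  if (!Array.isArray(rows) || rows.length !== 1 || !Number.isInteger(rows[0].id)) {
    return { ok: false, reason: 'lookup not unique' };
  }
  var body = JSON.stringify({
    user_custom_by_user_id: [{ name: 'fathername', value: p.fathername }]
  });
  var res = api.patch(cfg.baseUrl + '/system/user/' + rows[0].id + key, body,
                      { headers: { 'Content-Type': 'application/json' } });
  // Assumption: the result object exposes status_code, as event.response does.
  var ok = !!res && res.status_code === 200;
  return ok ? { ok: true, id: rows[0].id } : { ok: false, reason: 'patch failed' };
}
```

In the event script it would be called as `saveFatherName(event, platform.api, cfg)`; a rejected payload leaves the registered user untouched instead of patching whichever record the lookup happened to return first.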