[bd] API

[bd] API 1.6.3

The add-on works as an OAuth2 provider and allows other clients to access user data. No username/password is exposed to the clients (but if the clients know the username/password, they can authenticate the user, of course). All authorization is done in the public session; it doesn't deal with the admin session.
So... if someone's only footprint on a XenForo forum is that they log in through OAuth, and then the site admin makes them an administrator, then what happens?
 
Then they are an administrator. However, all administrative actions are protected with the `admincp` scope, so authorization with normal scopes like `read` or `post` won't be able to change system options, for example.
 
I'm wondering if the bridge would work with the login details from our site as the master database, which currently runs PHPProbid?
 
This add-on provides API access with XenForo as the master database. If you want a bridge solution for XenForo, you may want to take a look at [bd] API Consumer; for WordPress see this. In both cases, your master site must expose a compatible API.
 
I wonder if the ability to see a client's API Key and API Secret right at /account/api is somehow unsafe.
Could they be used for forging something? Or would the "return URL" be enough to prevent that?


And is it possible to limit /api/ usage to only the needed functions?
Or could this be achieved only by limiting the URL with .htaccess/nginx rules?
The issue is: right now any guest can just request, for example, all users and flood this URL to DoS the DB.
 
The new version has a locked-down feature which will require valid client credentials to access the API. It will be released soon. Regarding the key and secret, they are not of much use. Anyone who gained access to your account would be able to create new clients etc. anyway.
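To make the two answers above concrete (the `admincp` scope gating administrative actions, and the locked-down mode plus the guest-flooding concern), here is an added example of a minimal resource-server request gate. It is written in Python for illustration and is not code from the [bd] API add-on; the endpoint paths, client id, secret and tokens are all constructed for the demo, and the rate limiter is a simple fixed window.

```python
"""Added example, not part of the [bd] API add-on: a minimal resource-server gate
showing three checks discussed in the thread:
  1. a locked-down mode that refuses requests without valid client credentials,
  2. per-client rate limiting so an anonymous caller cannot flood a list endpoint,
  3. scope enforcement, so a token with `read`/`post` cannot reach `admincp`
     endpoints even when the token's user is an administrator.
All endpoint paths, client ids, secrets and tokens below are constructed.
"""
import hmac
import time
from dataclasses import dataclass, field

# Constructed registry of OAuth2 clients (what an admin would create in AdminCP).
CLIENTS = {"client_abc": "s3cret-constructed"}

# Constructed token store: access token -> (user_id, is_admin, granted scopes).
TOKENS = {
    "tok-user-read": ("u42", True, {"read", "post"}),      # admin user, normal scopes
    "tok-user-admin": ("u42", True, {"read", "admincp"}),  # same user, admincp scope
}

# Constructed endpoint -> required scope table (paths are assumptions, not bdAPI's).
ENDPOINTS = {
    "GET /users": "read",
    "POST /threads": "post",
    "POST /admin/options": "admincp",
}


@dataclass
class Gate:
    locked_down: bool = True       # require client credentials on every request
    limit_per_window: int = 5      # max requests per client per window
    window_seconds: int = 60
    _hits: dict = field(default_factory=dict)  # key -> (window_start, count)

    def _client_ok(self, client_id, client_secret):
        expected = CLIENTS.get(client_id)
        if expected is None or client_secret is None:
            return False
        # Constant-time comparison so the secret check does not leak by timing.
        return hmac.compare_digest(expected, client_secret)

    def _rate_ok(self, key, now):
        window_start, count = self._hits.get(key, (now, 0))
        if now - window_start >= self.window_seconds:
            window_start, count = now, 0     # new window
        count += 1
        self._hits[key] = (window_start, count)
        return count <= self.limit_per_window

    def check(self, endpoint, client_id=None, client_secret=None, token=None, now=None):
        """Return (status, reason); status is an HTTP-like code."""
        now = time.time() if now is None else now
        if self.locked_down and not self._client_ok(client_id, client_secret):
            return 401, "client credentials required"
        if not self._rate_ok(client_id or "anonymous", now):
            return 429, "rate limit exceeded"
        required = ENDPOINTS.get(endpoint)
        if required is None:
            return 404, "unknown endpoint"
        if token not in TOKENS:
            return 401, "invalid token"
        user_id, is_admin, scopes = TOKENS[token]
        # Being an administrator is not enough: the token itself must carry the scope.
        if required not in scopes:
            return 403, f"scope {required} required"
        return 200, f"ok for {user_id}"
```

The point of the `check` order is that the cheap checks run first: an unauthenticated guest is turned away before any database-backed endpoint logic runs, and a per-client window stops one client from turning a list endpoint into a load generator.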
 
I created a "Client" from AdminCP, and it is appearing in everyone's profile. Everyone can see the API keys of this client.
Does this work that way? And wouldn't this create any security issues?

My goal is: use xenForo's auth and profile data (nickname) as auth for an external php-script by calling the oAuth2.0 feature.
Would creating a global "Client" from AdminCP be right, or must every user create their own client in their profile to be able to auth with the forum's account on another service?
 
No, a client created in AdminCP shouldn't reveal its keys in everyone's profile. It is a bug if that is the case. I tried to reproduce it but couldn't. Is it doing that for you?

For your goal, you only need one client. Each user can then authenticate their account with the client and your external script can use the token to access the API on behalf of users.
 
I see!
Looks like I mistook something; I guess every member of the Administrators group can see API clients at "/account/api" if they were created in AdminCP. Sorry :)
 
What endpoint needs to be used to be able to auth with XenForo's auth in an external service?
Does the current API allow grabbing the username and such?
 
Has anyone tried the API with the xenword wp-xenforo bridge?

If so, please tell if it's difficult to install, etc.
 
Hi,

thanks for your work on this Add-on. We're currently in the process of migrating from our proprietary authentication API to bdAPI. It was relatively simple to switch over to oAuth with the oAuth Client from "The League of Extraordinary Packages" on the client side.

Here's a sample provider class for oAuth Client which works with bdAPI: https://github.com/mjaschen/oauth2-mtbnews/blob/master/src/Mtbnews.php

If anyone is interested - we translated the bdAPI phrases (1.4.1-BETA from Github) to German (informal). Just download the attachment, unpack it and import it into XenForo. The Github repo with the most current version of the language file is here: https://github.com/mjaschen/xenforo-bdapi-language-german

Best regards

Marcus
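The add-on author's answer above (one client registered in AdminCP, each user authorizes it, the external script then acts for that user with the token) and Marcus's client-side switch to an OAuth2 client library both describe the same authorization-code exchange. The following is an added example, not code from the [bd] API add-on or from the oauth2-mtbnews provider class: a self-contained Python simulation of both sides of that exchange. The `/users/me` resource name, the user record fields, the client id, secret and redirect URI are all assumptions constructed for the demo.

```python
"""Added example, not code from [bd] API or oauth2-mtbnews: both sides of an
OAuth2 authorization-code exchange, run in-process. One client registered by the
admin serves every user; each user authorizes it once and the external script then
uses the resulting token on that user's behalf. All names and values are constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class Provider:
    """The forum side: client registry, user records, one-time codes, tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (secret, registered redirect_uri)
        self.codes = {}     # code -> (client_id, user_id, scopes, used)
        self.tokens = {}    # token -> (user_id, scopes)
        # Constructed user record; the field names are assumptions.
        self.users = {"u42": {"user_id": "u42", "username": "alice"}}

    def register_client(self, client_id, secret, redirect_uri):
        """What the admin does once in AdminCP."""
        self.clients[client_id] = (secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, state, user_id):
        """The user is logged in and clicked 'allow'; return the callback URL."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:        # exact match, not a prefix check
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user_id, set(scope.split()), False)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Code exchange; returns a token response dict or an error dict."""
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.get(code)
        # The code must exist, be unused, belong to this client, and match the URI.
        if entry is None or entry[3] or entry[0] != client_id or redirect_uri != registered_uri:
            return {"error": "invalid_grant"}
        c_id, user_id, scopes, _ = entry
        self.codes[code] = (c_id, user_id, scopes, True)   # mark single-use code spent
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user_id, scopes)
        return {"access_token": token, "token_type": "bearer",
                "scope": " ".join(sorted(scopes))}

    def users_me(self, authorization):
        """Hypothetical /users/me resource: the caller's own record."""
        scheme, _, tok = authorization.partition(" ")
        if scheme.lower() != "bearer" or tok not in self.tokens:
            return {"error": "invalid_token"}
        user_id, scopes = self.tokens[tok]
        if "read" not in scopes:
            return {"error": "insufficient_scope"}
        return dict(self.users[user_id])


def client_login(provider, client_id, client_secret, redirect_uri, user_id):
    """The external-script side: run the flow for one user, return (username, token)."""
    state = secrets.token_urlsafe(8)          # bound to this login attempt (CSRF check)
    callback = provider.authorize(client_id, redirect_uri, "read", state, user_id)
    params = parse_qs(urlsplit(callback).query)
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch")
    resp = provider.token(client_id, client_secret, params["code"][0], redirect_uri)
    if "error" in resp:
        raise ValueError(resp["error"])
    me = provider.users_me("Bearer " + resp["access_token"])
    return me["username"], resp["access_token"]
```

The checks worth noticing are the ones a library such as the League client relies on the provider to get right: the redirect URI is compared exactly against the registered value, the code is bound to the client that requested it and can be redeemed once, and the script verifies `state` before it trusts the callback. The username arrives only through the token, never through a shared password.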
 

This has nothing to do with that bridge. I'm not sure what you are trying to do?
Awesome work (y)
 
Ok. I thought I could use the API to let my WordPress blog on the same server but with another URL communicate with the WordPress bridge from @LPH. The bridge can only work if the XenForo installation and the WordPress blog are on the same server and the WordPress blog is a subdomain of the XenForo installation.
 
For a complete bridge solution, you may consider this https://xenforo.com/community/resources/wordpress-plugin-xenforo-api-consumer.2918/ which I showed you before, IIRC.
 