Mackeral_Fillet
I have 25gb of data in the xf_bdapi_log
How can I limit the logging?
New version (which is coming out next week) has the option to set number of days for log. For now, please run "TRUNCATE xf_bdapi_log". Sorry for the inconvenience.
The add-on works as an OAuth2 provider and allows other clients to access user data. No username/password is exposed to the clients (but if the clients know the username/password, they can authenticate user of course). All authorization is done in the public session, it doesn't deal with admin session.
So... if someone's only footprint on a XenForo forum is that they log in through OAuth, and then the site admin makes them an administrator, then what happens?
Then they are administrator. However, all administrative actions are protected with `admincp` scope so authorization with normal scopes like `read` or `post` won't be able to change system options for example.
I'm wondering if the bridge would work with the login details from our site as the master database which currently runs PHPProbid?
This add-on provides api access with XenForo as the master database. If you want a bridge solution for XenForo, you may want to take a look at [bd] API Consumer, for WordPress see this. For both cases, your master site must expose a compatible API.
I wonder if ability to see client's API Key and API Secret right at /account/api is somehow unsafe.
Could they be used for forging something? Or "return URL" would be enough to prevent that?
And is it possible to limit /api/ usage to only needed functions?
Or this could be achieved only by limiting URL with .htaccess/nginx rules?
The issue is: right now any guest can just request for example all users and flood this URL to DoS DB.
New version has a locked down feature which will require valid client credentials to access the api. It will be released soon. Regarding the key and secret, it is of not much use. Anyone who gained access to your account will be able to create new client etc. anyway.
I created a "Client" from AdminCP, and it is appearing in everyone's profile. Everyone can see API keys of this client.
Does this work that way? And this wouldn't create any security issues?
My goal is: use XenForo's auth and profile data (nickname) as auth to external php-script by calling oAuth2.0 feature.
Would creating a global "Client" from AdminCP be right, or every user must create their own client in their profile to be able to auth with forum's account on other service?
No, client created in AdminCP shouldn't reveal its keys in everyone profile. It is a bug if it is the case. I tried to reproduce it but couldn't. Is it doing that for you?
For your goal, you only need one client. Each user can then authenticate their account with the client and your external script can use the token to access the API on behalf of users.
I see!
What endpoint need to be used to be able to auth with XenForo's auth in external service?
Does current API allow to grab username and such?
You can use http://domain.com/xenforo/api/oauth/authorize, yes you can get information about user amongst other things.
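
An added example, not from the thread or the add-on: how an external PHP script could start and finish the authorization-code login discussed above, tying the callback to the browser session with a one-time `state` value so a forged callback is refused. Only the authorize URL and the `read` scope come from the thread; the client id, redirect URI and function names are placeholders, and the parameter names are the standard OAuth 2.0 ones (RFC 6749), assumed to be what the add-on accepts.

```php
<?php
declare(strict_types=1);
// Added example, not the add-on's code. From the thread: the authorize URL and
// the `read` scope. Placeholders: client id, redirect URI, function names.
const AUTHORIZE_URL = 'http://domain.com/xenforo/api/oauth/authorize';
const CLIENT_ID     = 'CLIENT_ID_PLACEHOLDER';
const REDIRECT_URI  = 'https://app.example/callback.php';

// Step 1: send the browser to the forum with a one-time state value.
function beginLogin(array &$session): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'read',           // login only: no `post`, no `admincp`
        'state'         => $session['oauth_state'],
    ]);
}

// Step 2: accept the code only if state matches this session, then return the
// fields for the server-side token request (RFC 6749, section 4.1.3).
function handleCallback(array &$session, array $query): array
{
    $expected = $session['oauth_state'] ?? '';
    unset($session['oauth_state']);          // single use, so a replay fails
    $given = is_string($query['state'] ?? null) ? $query['state'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        throw new RuntimeException('state mismatch: login was not started here');
    }
    if (!is_string($query['code'] ?? null) || $query['code'] === '') {
        throw new RuntimeException('no authorization code returned');
    }
    return [
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => REDIRECT_URI,     // must equal the value sent in step 1
        'client_id'     => CLIENT_ID,
        'client_secret' => getenv('OAUTH_CLIENT_SECRET') ?: '', // server side only
    ];
}

// Constructed demo: a matching callback passes, the same callback replayed fails.
$session = [];
parse_str((string) parse_url(beginLogin($session), PHP_URL_QUERY), $sent);
$callback = ['code' => 'constructed-code', 'state' => $sent['state']];
echo handleCallback($session, $callback)['grant_type'], PHP_EOL;
try { handleCallback($session, $callback); } catch (RuntimeException $e) { echo 'replay rejected', PHP_EOL; }
```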
Anyone has tried the api to work with xenword wp-xenforo bridge?
If so....please tell if it's difficult to install etc
This has nothing to do with that bridge. I'm not sure what are you trying to do?
Hi,
thanks for your work on this Add-on. We're currently in the process of migrating from our proprietary authentication API to bdAPI. It was relatively simple to switch over to oAuth with oAuth Client from "The League of Extraordinary Packages" on the client side.
Here's a sample provider class for oAuth Client which works with bdAPI: https://github.com/mjaschen/oauth2-mtbnews/blob/master/src/Mtbnews.php
If anyone is interested - we translated the bdAPI phrases (1.4.1-BETA from Github) to German (informal). Just download the attachment, unpack it and import it into XenForo.
Best regards
Marcus
Awesome work
Ok. I thought I can use the api to let my wordpress blog on the same server but with another url communicate with the wordpress bridge from @LPH . The bridge can only work if the xenforo installation and the wordpress blog are on the same server and the wordpress blog is a subdomain of the xenforo installation
For complete bridge solution, you may consider this https://xenforo.com/community/resources/wordpress-plugin-xenforo-api-consumer.2918/ which I showed you before IIRC.