(Answered) Verify _XFToken to user id or username

Adam K M

Active member
Hello,

I'm currently making a custom add-on for my forum, and a part of it is where it communicates with an outside source for storing/editing data. (I'm a homegrown php coder, and haven't learned MVC, so using a complete integration with XF is not really an option here). However, I want to make sure that the data being sent - say when a user is editing a post, is actually secure. To my knowledge, XenForo confirms this using the _xfToken field for posts, searches, etc., which I also want to use (since it's already set up, and secure).

So, the big question is:
Where can I verify/confirm that a _xfToken is actually the correct _xfToken for the username who submitted it? I can't seem to find it in the Forum MySQL Database, or in the XenForo Library files. What class/function handles this in XenForo?

Thanks!
 
In XenForo_Controller the function: _checkCsrfFromToken is may help.
Why yes it does! Thanks a ton!

Now it looks like all I have to do is extend that class, play around with the method which returns the user token (in the case of the original class, XenForo_Visitor::getInstace(); ) to just accept an ID or username, and we should be good to go! Woot woot.
 
Thanks to @Nobita.Kun, I am well on my way to getting through most of this.

For future for anyone who's doing something similar to this.
After doing some digging around, I have two options:

Boot up my own instance of XenForo, or create an add-on which will let me do API like queries to it, and return whether or not the access is valid, which I think is what I will be doing.

My other option would be to re-create the code from the Visitor.php (and ArrayAccess class) which generates the hash code of the csrf token, as well as the _checkCsrfFromToken class, to create a completely independent system. Since I personally can't actually find the class which visitor.php implements (ArrayAccess), this option is not available to me.
 
Have you checked out the api addon? It has auth features. Ive not looked much myself but it seems on the right path. Ill be using using something similar to tie the forum to a nodejs backend for real time items.
 
Have you checked out the api addon? It has auth features. Ive not looked much myself but it seems on the right path. Ill be using using something similar to tie the forum to a nodejs backend for real time items.
If you're referring to XenAPI, while it does have an "authenticate" call, where you send user login information to the system and it returns a hash if that user information is valid. To my knowledge, this 'hash' is something for cookies and has nothing to do with the _csrf token.

There is only one part of the XenAPI plugin which returns a _csrf token and that is when a user is being registered. To be exact, when the user is fresh in the datawriter:
PHP:
  // Line: 4176  
  // Get the User as a variable:
        $user = $writer->getMergedData();
Perhaps I'll pursue this if my other methods fail. It's like playing hide-and-seek to find where this mystic _csrf token is stored.

Edit: Scratch that, I'm going to follow the trail... so far I've been through XenForo_DataWriter_User, now onto XenForo_DataWriter...
 
@muffinjello Are you looking for where the csrf_token is stored for an user? If I recall correctly there should be a column named "csrf_token" under the "xf_user_profile" table, the value length should be exactly 40 characters.
 
@muffinjello Are you looking for where the csrf_token is stored for an user? If I recall correctly there should be a column named "csrf_token" under the "xf_user_profile" table, the value length should be exactly 40 characters.
OH MY GOD.
THANK YOU!!!!

Tsk. What a pity, going to have to do some processing on the passed token data to get it to match the one saved in the database. But! At the very least I now know that it's there.
 
Last edited:
OH MY GOD.
THANK YOU!!!!

Tsk. What a pity, going to have to do some processing on the passed token data to get it to match the one saved in the database. But! At the very least I now know that it's there.
No problem!

You could check the source because I reckon that there's a method that does that already, I don't have a xf installation nearby so I can't check.

Either way, that should be enough for you to get things done, hopefully!
 
Top Bottom