XF 2.3 API clarifications

stromb0li

Well-known member
I am trying to build an app that uses XenForo APIs. Reading the documentation, there are three scopes: Guest, User, and Super User.

When I look at creation of the key, a User key appears to be mapped to a specific user.

If the goal is to be able to mimic XenForo behavior for guests and leverage permissions, based on the user's permissions, do I use a Guest key and uncheck all permissions or do I have to make the key super user?

I don't want the key to be able to impersonate other users, I just want the ability to complete XenForo activities based on my context.
 
If you need to authenticate as multiple users with a single key, you'll need a super user key. Guest keys cannot authenticate as a user, and regular user keys can only authenticate as the selected user. You'll need to select the desired scopes in any case in order to use the key for the pertinent endpoints.
 
Does a super user key give someone access as-is to the permissions provided, or does the super user key still assume user authentication?

My concern is that if the key becomes compromised, then every user account is compromised. Or no, are user credentials still required in addition to the key?

Super User seems synonymous with admin, so using a "super user" key, which would still follow user based permissions, seems misleading?
 
Does a super user key give someone access as-is to the permissions provided, or does the super user key still assume user authentication?
If the API key selected is a super-user key, you may pass the user ID of the context user via the XF-Api-User header. If no user ID is passed, the context will default to a guest.

My concern is that if the key becomes compromised, then every user account is compromised. Or no, are user credentials still required in addition to the key?
Yes, super-user keys are extremely risky and should not be distributed publicly (i.e. via client-side JS/apps). API keys are the credential in all cases, whether that's guest, user, or super-user.

Super User seems synonymous with admin, so using a "super user" key, which would still follow user based permissions, seems misleading?
Per the docs above, super-user keys allow authenticating as any user, and optionally bypassing permissions entirely if desired. If you're creating a distributed app of some sort and need users to be able to log in as themselves, use OAuth.
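To make the header behaviour described above concrete, here is a small added example (my own code, not XenForo's) that builds the request headers for each key type. The XF-Api-Key and XF-Api-User header names come from this thread; the "/api" path prefix, the "/me" endpoint and the function names are assumptions. Note how a super-user key selects the context user from a header value alone, which is exactly why it must never ship in a mobile or client-side app.

```python
import urllib.request

API_KEY_HEADER = "XF-Api-Key"    # required on every request (per the thread)
API_USER_HEADER = "XF-Api-User"  # context user; only honoured for super-user keys

KEY_TYPES = ("guest", "user", "superuser")


def build_headers(key_type, api_key, context_user_id=None):
    """Return the headers a client sends for the given key type.

    A guest key is always evaluated as a guest and a user key as the user
    it was created for, so neither can carry a context user. A super-user
    key plus XF-Api-User acts as that user with no further credential; if
    the header is omitted the server treats the request as a guest.
    """
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type: {key_type}")
    headers = {API_KEY_HEADER: api_key}
    if key_type == "superuser":
        if context_user_id is not None:
            headers[API_USER_HEADER] = str(context_user_id)
    elif context_user_id is not None:
        # Refuse rather than silently sending a header that cannot take effect.
        raise ValueError(f"a {key_type} key cannot select a context user")
    return headers


def build_request(base_url, path, key_type, api_key, context_user_id=None):
    """Build (but do not send) a urllib Request for the REST API.

    The "/api" prefix is an assumption about the site's endpoint layout.
    """
    url = f"{base_url.rstrip('/')}/api{path}"
    req = urllib.request.Request(url)
    for name, value in build_headers(key_type, api_key, context_user_id).items():
        req.add_header(name, value)
    return req


if __name__ == "__main__":
    # Constructed sample values; "PLACEHOLDER-KEY" is not a real key.
    req = build_request("https://forum.example/", "/me", "superuser", "PLACEHOLDER-KEY", 42)
    print(req.full_url, req.header_items())
```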
 
The scenario I'm going for is building a small mobile app. In this case, which is the best key? I don't want the key to have the ability to impersonate someone, but I also want people to log in so permissions are evaluated based on what they've been delegated.
 
I'm so confused. To use the APIs, it says I need the API key, so I assumed I'm stuck to using one of those 3?

"Requests must pass the API key to use via the XF-Api-Key header. This must be present in all requests."
 
The documentation is outdated. OAuth support was introduced in 2.3 and functions in place of an API key:


It's fairly standard. You set up your OAuth client (app) in the control panel and then configure your app using any standard OAuth library of your choice to use the given endpoints, client ID, and secret. If you have any particular questions or issues, feel free to ask.
 