[bd] API

[bd] API 1.6.3

I am also interested in support for 2.1 or better 2.2. :)
The current version works with 2.1. We have a working version for 2.2 which should be available once 2.2 reaches RC.

@xfrocks, thanks for this great add-on.

I downloaded the latest beta from your site (Xfrocks-Api-2.0.1_Beta_1) to play with it using Postman to see if I can use it instead of the Xenforo API, since Authorization code is the most secure way to authenticate a user to the game, as I have done successfully with another provider.

The Oauth2 Authorization code works fine from the authorize step to retrieving the token to access a protected resource, except when I try to use the token to access the API, I get the following error:

Code:
{
    "status": "error",
    "errors": [
        "You do not have permission to view this page or perform this action."
    ]
}

The URL I call is: http://localhost/community/api/users/me

Could you pinpoint where to look?

I'm testing against Xenforo 2.1.5a version.

There are minor things like not displaying the scope at the authorize screen and the auto authorize issue to display the authorize screen, but that's okay as long as it gets the token back.

Attach files so you can try to reproduce it!

Any help is appreciated!

EDIT: Please ignore my request, I made a patch in the beta code to go through the exception to get the response back. Now I can go ahead to work with custom client code to use this cool add-on to authenticate player to the poker game.

UPDATE: You can see a demo of it here: Oauth2 Authorization code using XFRocks bdAPI
Looks like the scope was not set up correctly. You should be able to check the scope of a token in the AdminCP.
 
Oh wow, that's fantastic, I did not know this. Are you leveraging the built in XF2 API at all, to reduce your own code-base? Can you confirm this is the version to download?: https://xfrocks.com/resources/bd-api-for-xenforo-2-0.36/ (the file downloaded is API 2.0.1 Beta 1)

Thanks
 
No, this add-on does not make use of the built-in API subsystem, since we prioritize backward compatibility with the XF1 version.

The link is correct btw.
 
With a fresh install of XF 2.1.1 and API 2.0.1 Beta 4 (also Beta 1) - I can't seem to add a client even after giving Admin group permission to create a client? Manually navigating to "admin.php?api-clients/add" results in "Oops! We ran into some problems. You do not have permission to view this page or perform this action." Is there another permissions setting I'm missing?

Weirdly, going to index.php?account/api does allow API clients to be added?

Edit: Fatal function error fixed (was due to open ssl not being enabled in php.ini).
 
Hi,

So I am a bit confused....

I have a website with an oAuth server. This is where my users create an account and log in.

Can I use this add-on to verify my user's login status, and using my website's oAuth server, create a token so they can automatically be logged in to my Xenforo installation?

Or do I have it backwards?

Thanks.
 
The user group system in XF is pretty unique, so it doesn't make sense to expose it to an external system. In our experience, if you want to sync paid user status, it's simpler to sync user groups (normally user group adds user into special group). This add-on also includes websub support, so it's pretty efficient.
Yes, that's it, but you can't see anywhere the start and due date of the payment through the Api.
 
The add-on acts as an OAuth provider, not a consumer. So yes, you did have it backward.

Correct, that information is not available. But again, websub should be enough to implement payment status because it will notify your server when the upgrade expires (user is removed from group event).
 
Yes, the problem is when you had XF 1.5 and you have a system based on activation and expiration dates. Now releasing everything on user groups has blocked me. Would it be difficult to implement a print of the user upgrade?
 
Using 2.2.9, when creating the API client, I only see the API Client secret. Where do I look for the API Client ID?
I don't recall how I found it back then in XF 2.1.5.
Any help is appreciated!

Updated: Found it!

Now, I need to find out how I can call /api/oauth/token, once the authorize code returns?
No clues and no recall how it was working back then using Postman.
 
Hi again,

More questions: when testing the bdAPI using authorization code programmatically, I was unable to go any further to retrieve the token once the authorization code came back (for some reason it was working fine years ago). However, when verifying with another provider like Discord, I was able to proceed, as I correctly received the token dialog. See screenshot using Discord OAuth2.

Any idea what could prevent this? Any changes from old version to latest beta version of bdAPI (Xfrocks-Api-2.2.0_Beta_1)?

The error I got back makes it seem like the data structure is not compliant the way the data that comes back from Discord is?
See screenshots (Xf-bdapi-1 and Xf-bdapi-2) after I hit Authorize:
An error occurred reading the OAuth 2.0 Error: JSON parse error: Cannot deserialize instance of java.lang.String out of START_ARRAY token;

I was expecting a token like with Discord (dc response token.jpg) but instead error was thrown in parsing.

I suspect the token data structure may have changed since I last tested an old version, and my app failed to deserialize the object.

If the API is still maintained, any input is appreciated!

Thanks!

Updated: Finally got it working with the latest version of XF 2.2.9 with both PHP version 7 and 8; it turned out tokenUri was wrongly configured. In my case, I had to use whatever name you gave to the folder, like awesome-api, instead of api as instructed, if you also want to use the XF REST API key. Man, it was not an easy one.
 

Attachments: dc response token.webp, Xf-bdapi-1.webp, Xf-bdapi-2.webp, bdApi-token-request-response.webp
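
The deserialization failure reported in the post above is what a strict OAuth client produces when the configured token URI returns the forum's own error envelope (an "errors" array, as quoted elsewhere in this thread) instead of RFC 6749 token JSON. The following is an added example, not part of the original posts and not bdApi code: a Python parser that tells the three cases apart. The function names and sample bodies are constructed, and the link between the START_ARRAY error and the "errors" array is an assumption.

```python
import json

class TokenEndpointError(Exception):
    """The token endpoint did not return a usable access token."""

def parse_token_response(status, body):
    """Return the token dict, or raise TokenEndpointError with a readable reason."""
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenEndpointError(f"HTTP {status}: body is not JSON; check the token URI")
    if not isinstance(data, dict):
        raise TokenEndpointError(f"HTTP {status}: expected a JSON object")
    # RFC 6749 section 5.1: success carries access_token and token_type.
    token = data.get("access_token")
    if status == 200 and isinstance(token, str) and token:
        return data
    # RFC 6749 section 5.2: "error" is a single string code.
    if isinstance(data.get("error"), str):
        detail = data.get("error_description") or ""
        raise TokenEndpointError(
            f"HTTP {status}: OAuth error {data['error']} {detail}".strip())
    # Forum-style envelope quoted in this thread: "errors" is an ARRAY.
    # Binding it to a string field is what yields a START_ARRAY parse error
    # (assumed cause), so report it as "not an OAuth response" instead.
    if isinstance(data.get("errors"), list):
        msgs = "; ".join(str(m) for m in data["errors"])
        raise TokenEndpointError(
            f"HTTP {status}: not an OAuth response ({msgs}); check the token URI")
    raise TokenEndpointError(f"HTTP {status}: no access_token in response")

# Constructed sample bodies, not captured from a real server.
OK_BODY = '{"access_token": "example-token", "token_type": "Bearer"}'
OAUTH_ERR = '{"error": "invalid_grant", "error_description": "code expired"}'
FORUM_ERR = '{"status": "error", "errors": ["The requested page could not be found."]}'

def explain(status, body):
    """Describe a response in one line, for logs or a test harness."""
    try:
        token = parse_token_response(status, body)
        return "token type " + str(token.get("token_type", "unspecified"))
    except TokenEndpointError as exc:
        return str(exc)

if __name__ == "__main__":
    for status, body in [(200, OK_BODY), (400, OAUTH_ERR), (404, FORUM_ERR)]:
        print(explain(status, body))
```
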
Hi again,

Not sure on how many of you use this bdAPI plugin using Oauth2 authorization code but I'm having this weird problem.

Just when I thought it was working fine in local testing, and it still does, I encountered an error while testing on the live site.
Do any of you get the kind of error I'm having now?

I have no clue where to look, as I've put the calling site on the whitelist in the bdAPI config as a wildcard and it still does not work.

Here is the problem: it is working fine on local, as bdAPI authorizes correctly and returns a token.

But on my live site, once I logged in and authorized it, which means I'm already logged in, instead of returning a token it generates an error telling "You must be logged-in to do that." as if I was not logged in.

So weird, this error is thrown by bdAPI with login_required in one of the methods, actionRegistrationRequired in error.php, but I can't seem to find the cause.

I've checked that the logged-in user can skip the spam and flood check, and there is nothing in the discouraged or banned IP list.

I'm running Apache version 2.4 with nothing special other than the default .htaccess which comes with the installation.

Any suggestion how to investigate this? Or is there any specific configuration in the admin control panel where I can put a specific IP on a whitelist?

I suspect it's probably the IP has been identified as suspicious and 'challenged', thus server flags it and returns a 403.

Meanwhile, I'll try to see how I can add a firewall rule to allow the IP to go through.

Any help is greatly appreciated!

Thanks!

Updated:

Good news, as I finally got it working; I lost several days and a lot of sleep trying various things without success.

  • Trying to solve the login issue, I did try installing APCu and configuring XF to use it; the caching did not help much, and neither did adding a firewall rule to whitelist the IP.
  • I also added some rewrites of www and non-www, but no luck either.

And for obscure reasons, the Postman call using Chrome browser authentication works, but not the Postman browser, which always says that I need to log in again.

Just today I stumbled on one of the threads on the bdApi GitHub where a member had a similar problem and found out that the token header got stripped by apache2, so I went to read it and applied the solution.

And magically, my custom code now works beautifully, as I received the token back to be used with bdApi calls.


Link to solution

Note: I may not have the problem using nginx, but it seems to apply specifically to apache2.

Now, what's left to test is how to get the endpoint /users/me working, but it's a minor thing that can be fixed using the Xenforo REST API instead.

It has been a painful investigation but worth investing time to understand the cause and I can't thank enough @xfrocks that the latest version of bdAPI works with XF 2.2.9 like a charm.
 
Well done for posting your solutions. I came across something similar with the headers being stripped on Apache. This is easily the best add-on for being able to log in to our own additional sites with the XF user database.
 
Back for one more issue, I think I am able to explain now the error message "You must login to do that".

It was misleading to me as I was already logged in and authorized by consenting the form to go on.

It took me a while to get it; I was looking for the problem in the wrong direction, and it could be a bug in bdApi, or maybe not, if it is not intended to be used when unregistered members are not allowed to view.

What happens: I have my test site set to disallow guests from viewing; if this is activated, I receive an HTTP status 403 Forbidden back.

Once I allow guests to view, it works as expected: I receive the token back to call bdAPI REST endpoints like /users.

But I do need this feature to force guests to login to view and it seems it does not work with bdAPI without allowing guests to view in group permission.
 
Trying this out with XenforoAuth on Mediawiki and followed some of the user notes in there as well as here but have not had any luck getting this working.

Got the same problem others have come across with the error index.php?title=Special:CreateAccount&returnto=Main+Page Error: Class 'XenForoBDClient\Clients\OAuth2Client' not found

I can't figure out how to get around this in MediaWiki or to fix what's missing.

Anyone got any ideas or managed to get this working with MediaWiki?
 
OK, got the stuff that was missing installed by running composer in the dir.

Still unable to get this to work though. Just getting

{
    "status": "error",
    "errors": [
        "The requested page could not be found."
    ]
}
 
Here is a working version with XF 2.2.9 and latest version of BD API which supports 2.x.
Note: users/me did not work, so I had to use users/{id} to be able to retrieve member's info like avatar.

