• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Python XenForo Module

#1
Hi everyone,

I have been working on developing a application that needs to link to a XenForo forum. What I needed to do was send a PM to a user to validate they are who they said they are. As a result of which I have written the following python module. If there are any questions please feel free to ask ;)

https://github.com/SteveMcGrath/pyxenforo

[UPDATED: Removed the old wording as this now works \o/]
 

Brogan

XenForo moderator
Staff member
#6
Presumably you have access to the XenForo source code?

In which case are you writing this application for a XenForo customer?
If so, ask them to add your forum account to their customer account and you will then have access to the customer forums.
 
#7
I do not have access to the code. I am not writing this for a XenForo customer. I am simply trying to write a script that will PM a form user by mimicking the post/get requests needed to send a message. this is being done in order to validate that a user is who they say they are from the bukkit forums so that the repository system I am writing (http://bukget.org) doesnt get spammed with fake plugins.
 

Brogan

XenForo moderator
Staff member
#8
Oh I see, so it has nothing to do with XenForo at all.
I misunderstood the "I am trying to write an application external to XenForo" as it would interface with XenForo.

I see what you're doing now.
 
#9
Brogan: Yeah. honestly if I could just get some direction as to what XenForo is doing to handle these requests I could automate this process quite easily. All of my code will be sitting on a different server in a different location so trying to pull directly from the DB is a bad idea. I am using a legit user to perform the actions, its just a matter of walking through the steps.
 

Mike

XenForo developer
Staff member
#11
We use an anti-CSRF token that basically prevents what you're trying to do. You can make requests and scrape it out; you can't generate it. For the most part, you should be able to watch the requests that are made in each step and reproduce them, modifying the bits that change.
 
#12
Mike,

interesting. I'm assuming this is being done in xenforo.js.

Also I have been looking at the POSTs and GETs and in my examples, _xfToken is always ''. If there is another way to handle this that would be great.
 

Mike

XenForo developer
Staff member
#13
The token is generated server side and is different on every page view. You will have a token as a registered user.
 

Mike

XenForo developer
Staff member
#15
I did see that xfToken has a value after I login, however if there is no token when I am trying to login, why am I not getting a f_user cookie set. I do get a IDstack and f_session
You don't need the user cookie; you just need the session. But you don't get the user cookie without clicking the "remember me" button.