Python XenForo Module

SteveMcGrath

New member
Hi everyone,

I have been working on developing a application that needs to link to a XenForo forum. What I needed to do was send a PM to a user to validate they are who they said they are. As a result of which I have written the following python module. If there are any questions please feel free to ask ;)

https://github.com/SteveMcGrath/pyxenforo

[UPDATED: Removed the old wording as this now works \o/]
 

SteveMcGrath

New member
bump. If there is a moderator, can they move this to the proper forum? I am unfortunately not allowed to post anywhere but here.
 

Brogan

XenForo moderator
Staff member
Presumably you have access to the XenForo source code?

In which case are you writing this application for a XenForo customer?
If so, ask them to add your forum account to their customer account and you will then have access to the customer forums.
 

SteveMcGrath

New member
I do not have access to the code. I am not writing this for a XenForo customer. I am simply trying to write a script that will PM a form user by mimicking the post/get requests needed to send a message. this is being done in order to validate that a user is who they say they are from the bukkit forums so that the repository system I am writing (http://bukget.org) doesnt get spammed with fake plugins.
 

Brogan

XenForo moderator
Staff member
Oh I see, so it has nothing to do with XenForo at all.
I misunderstood the "I am trying to write an application external to XenForo" as it would interface with XenForo.

I see what you're doing now.
 

SteveMcGrath

New member
Brogan: Yeah. honestly if I could just get some direction as to what XenForo is doing to handle these requests I could automate this process quite easily. All of my code will be sitting on a different server in a different location so trying to pull directly from the DB is a bad idea. I am using a legit user to perform the actions, its just a matter of walking through the steps.
 

Mike

XenForo developer
Staff member
We use an anti-CSRF token that basically prevents what you're trying to do. You can make requests and scrape it out; you can't generate it. For the most part, you should be able to watch the requests that are made in each step and reproduce them, modifying the bits that change.
 

SteveMcGrath

New member
Mike,

interesting. I'm assuming this is being done in xenforo.js.

Also I have been looking at the POSTs and GETs and in my examples, _xfToken is always ''. If there is another way to handle this that would be great.
 

Mike

XenForo developer
Staff member
The token is generated server side and is different on every page view. You will have a token as a registered user.
 

Mike

XenForo developer
Staff member
I did see that xfToken has a value after I login, however if there is no token when I am trying to login, why am I not getting a f_user cookie set. I do get a IDstack and f_session
You don't need the user cookie; you just need the session. But you don't get the user cookie without clicking the "remember me" button.
 
Reactions: avi
Top