XF 2.2 Using XenForo as authentication for other subdomains

techguy12

New member
Hello all! I'm working on a site that has multiple components - a XenForo server (e.g. forums.xyz.com), a Laravel API server (api.xyz.com) and a WordPress site (xyz.com). These are all running on the same physical server, but some are using their own web servers. I don't have much experience with XenForo, which doesn't help matters. Here's the gist:

We intend on using XenForo (forums.xyz.com) to authenticate the user. XenForo's config is set up so that the cookie domains are for .xyz.com.

Most of the code that's accessing the forum user data is in JavaScript on the WordPress site, typically calling the Laravel API server via AJAX.

The issue I'm running into now is how to get the user ID from XenForo (in any way) to use it with the Laravel API call (e.g. "get all orders from user 12345"). Attempting to use XenForo code in the Laravel API to get the user ID does not work - the code apparently cannot see the session cookie. If I hit the API directly, it works, but not via AJAX (I'm assuming the session cookie can't be read). I also tried using XenForo code as a PHP Anywhere "snippet" on WP, but it's the same issue - the code works directly in the browser, but it's not (for whatever reason) getting a valid session/user and therefore can't get the user ID.

If the user has clicked "remember me," I can parse the xf_session value for the id, but that's not a universal solution.

An example of the code:

Code:
<?php
// Bootstrap XenForo from the forum install and read the session of the current request.
require('/var/www/forum/src/XF.php');
\XF::start('/xyz');                     // XF root directory
$app = \XF::setupApp('XF\Pub\App');     // public (front-end) app, so the session is loaded from the browser cookies
$s = $app->session();
$uid = $s->get('userId');               // 0 when the request carries no valid XF session (guest)

If anybody had any insights, I'd be very grateful! Thanks!
 

Kruzya

Well-known member

techguy12

New member
Just call the REST API method /auth/from-session.
It returns a lot of information, including user_id:

Thanks for the quick response!

I looked into this, and while it is doable, that particular endpoint requires super user permission (per the documentation), so it seemed like a pretty big security risk. It may still come down to this.
 

Hoffi

Well-known member
I looked into this, and while it is doable, that particular endpoint requires super user permission (per the documentation), so it seemed like a pretty big security risk. It may still come down to this.
It's the same risk as writing your database password and host in the config.
To make it safer you can restrict the API to the subdomain or IP via your server config.
 

techguy12

New member
It's the same risk as writing your database password and host in the config.
To make it safer you can restrict the API to the subdomain or IP via your server config.
I'm trying this currently, but I'm getting an error. Calling it from Laravel/Guzzle:

Code:
$client = new \GuzzleHttp\Client(['base_uri' => 'https://forums.xyz.com']);
$apiKey = "asdlzjlf21435ja2dvaddexample";          // super user API key (example value)
$postInput = ["session_id" => $session_key];       // value of the xf_session cookie

$response = $client->request('POST', 'api/auth/from-session',
    [
        'headers' => [
            'XF-Api-Key' => $apiKey,
            'XF-User-Id'     => '1'
        ],
        // form_params must be a key of this options array; nesting it in its own
        // array (as originally posted) means session_id is never sent to XenForo.
        'form_params' => $postInput
]);



I'm getting a truncated error:

Code:
GuzzleHttp\Exception\ClientException: Client error: `POST https://forums.xyz.com/api/auth/from-session` resulted in a `403 Forbidden` response:
{
    "errors": [
        {
            "code": "missing_scope",
            "message": "This request requires access to (truncated...)
 in file /mydir/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php on line 113

This is using a super user's API key.
 

techguy12

New member
Further along - I figured out it was a permissions issue, and apparently found the correct permissions.

It's now throwing an error:
"Required input missing" - although I have no idea which input is missing.

auth/from-session
Looks up the active XenForo user based on session ID or remember cookie value. This can be used to help with seamless SSO with XF, assuming the session or remember cookies are available to your page. At least one of session_id and remember_cookie must be provided. Only available to super user keys.


This is pretty confusing - "based on session ID or remember cookie value" versus "At least one of session_id AND remember_cookie must be provided."
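The flow the thread converges on, as an added example rather than code from any post: a server-side Laravel/Guzzle helper that takes the XenForo cookies the browser sent along with the AJAX call and asks /api/auth/from-session for the user_id, so the super user key never leaves the server. It assumes XenForo's default "xf_" cookie prefix (xf_session for the session, xf_user for the remember cookie), the response shape {"success": ..., "user": {"user_id": ...}}, and the placeholder host forums.xyz.com from the thread.

```php
<?php
// Added example (not from the thread). Assumes XF 2.2 default cookie names
// xf_session / xf_user and a JSON response {"success": bool, "user": {...}}.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

/**
 * Resolve the XenForo user id for the browser that made the current request.
 * Runs server side (e.g. in a Laravel controller); returns null for guests,
 * missing cookies, or any API error, so callers fail closed.
 */
function xfUserIdFromCookies(array $cookies, string $apiKey, string $forumBase = 'https://forums.xyz.com'): ?int
{
    // The endpoint needs at least one of session_id / remember_cookie.
    $params = [];
    if (!empty($cookies['xf_session'])) {
        $params['session_id'] = $cookies['xf_session'];
    }
    if (!empty($cookies['xf_user'])) {
        $params['remember_cookie'] = $cookies['xf_user'];
    }
    if ($params === []) {
        return null; // Browser sent no XF cookies; nothing to look up.
    }

    $client = new Client(['base_uri' => rtrim($forumBase, '/') . '/', 'timeout' => 5]);
    try {
        // form_params is a key of the options array, not a nested array.
        $response = $client->post('api/auth/from-session', [
            'headers'     => ['XF-Api-Key' => $apiKey],
            'form_params' => $params,
        ]);
    } catch (RequestException $e) {
        return null; // 403 missing_scope, 400 required input, network failure...
    }

    $body = json_decode((string) $response->getBody(), true);
    if (empty($body['success']) || empty($body['user']['user_id'])) {
        return null; // Cookie did not map to a logged-in user (guest session).
    }
    return (int) $body['user']['user_id'];
}

// In a Laravel controller: $uid = xfUserIdFromCookies($request->cookies->all(), config('services.xf.key'));
```

The browser only attaches the .xyz.com cookies to the api.xyz.com call when the AJAX request is made with credentials (fetch `credentials: 'include'` or XMLHttpRequest `withCredentials`) and the API's CORS response allows it; in Laravel, also add xf_session and xf_user to the `$except` list of the EncryptCookies middleware, which otherwise replaces cookies it cannot decrypt with null.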
 