XF 2.2 Using XenForo as authentication for other subdomains

T

techguy12

New member
Hello all! I'm working on a site that has multiple components - a Xenforo server (e.g. forums.xyz.com), a Laravel API server (api.xyz.com) and a WordPress site (xyz.com). These are all running on the same physical server, but some are using their own web servers. I don't have much experience with Xenforo, which doesn't help matters. Here's the gist:

We intend on using XenForo (forums.xyz.com) to authenticate the user. XenForo's config is set up so that the cookie domains are for .xyz.com.

Most of the code that's accessing the forum user data is in JavaScript on the WordPress site, typically calling the Laravel API server via AJAX.

The issue I'm running into now is how to get the user id from Xenforo (in any way) to use it with the Laravel API call (e.g. "get all orders from user 12345".) Attempting to use XenForo code in the Laravel API to get the userid does not work - the code cannot see the session cookie apparently. If I hit the API directly, it works, but not via AJAX (I'm assuming the session cookie can't be read.) I also tried using XenForo code as a PHP Anywhere "snippet" on WP, but the same issue - the code works directly in the browser, but it's not (for whatever reason) getting a valid session/user and therefore can't get the userid.

If the user has clicked "remember me," I can parse the xf_session value for the id, but that's not a universal solution.

An example of the code:


Code: 
require('/var/www/forum/src/XF.php');
\XF::start('/xyz');
$app = \XF::setupApp('XF\Pub\App');
$s = $app->session();
$uid = $s->get('userId');

If anybody had any insights, I'd be very grateful! Thanks!
 
Last edited:
techguy12 said:
The issue I'm running into now is how to get the user id from Xenforo (in any way) to use it with the Laravel API call
Click to expand...
Just call REST API method /auth/from-session
It returns many information with user_id:
1656478709964.webp

REST API | Developer Documentation | XenForo

Developer documentation for XenForo
xenforo.com xenforo.com
xenforo.com

REST API endpoints (2.2)

This document assumes you have already created an API key and setup the necessary headers for your request. Learn more about using the API.
xenforo.com xenforo.com
 
Kruzya said:
Just call REST API method /auth/from-session
It returns many information with user_id:
View attachment 270264

REST API | Developer Documentation | XenForo

Developer documentation for XenForo
xenforo.com xenforo.com
xenforo.com

REST API endpoints (2.2)

This document assumes you have already created an API key and setup the necessary headers for your request. Learn more about using the API.
xenforo.com xenforo.com
Click to expand...
Thanks for the quick response!

I looked into this, and while it is doable, that particular endpoint requires super user permission (per the documentation,) so it seemed like a pretty big security risk. It may still come down to this.
 
techguy12 said:
I looked into this, and while it is doable, that particular endpoint requires super user permission (per the documentation,) so it seemed like a pretty big security risk. It may still come down to this.
Click to expand...
Its the same risk, like you write your Database Password and Host in the config.
To make it more safe you may restrict the api to the subdomain, or IP via your server config.
 
Hoffi said:
Its the same risk, like you write your Database Password and Host in the config.
To make it more safe you may restrict the api to the subdomain, or IP via your server config.
Click to expand...
I'm trying this currently, but I'm getting an error. Calling it from Laravel/Guzzle:

Code: 
$client = new \GuzzleHttp\Client(['base_uri' => 'https://forums.xyz.com']);
$apiKey = "asdlzjlf21435ja2dvaddexample";
$postInput = ["session_id" => $session_key];

$response = $client->request('POST', 'api/auth/from-session',
    [
        'headers' => [
            'XF-Api-Key' => $apiKey,
            'XF-User-Id'     => '1'
        ],
        ['form_params' => $postInput]
]);



I'm getting a truncated error:

Code: 
<!--
    GuzzleHttp\Exception\ClientException: Client error: `POST https://forums.xyz.com/api/auth/from-session` resulted in a `403 Forbidden` response:
    {
        &quot;errors&quot;: [
            {
                &quot;code&quot;: &quot;missing_scope&quot;,
                &quot;message&quot;: &quot;This request requires access to (truncated...)
     in file /mydir/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php on line 113

This is using a super user's API key.
 
Last edited:
Farther along - I figured out it was a permissions issue, and apparently found the correct permissions.

It's now throwing an error:
"Required input missing" - Although i have no idea which input is missing.

auth/from-session
Looks up the active XenForo user based on session ID or remember cookie value. This can be used to help with seamless SSO with XF, assuming the session or remember cookies are available to your page. At least one of session_id and remember_cookie must be provided. Only available to super user keys.​

Click to expand...

This is pretty confusing - "based on session ID or remember cookie value" and "At least one of session_id AND remember_cookie must be provided."
 
You must log in or register to reply here.

Similar threads

wordpressuser1
  • Question Question
Wordpress with Xenforo
Replies
9
Views
3K
kolakube
kolakube
Brent W
How are you using the API in 2.1 with Wordpress?
Replies
9
Views
2K
briansol
B
P
  • Question Question
WordPress Question
Replies
1
Views
2K
FrankPereiro
FrankPereiro
Apokalupsis
WordPress bridge for XF2?
Replies
6
Views
3K
Vertpin1
V
Your Ski Advisor
Other Looking for WP merging help and someone to handle maintenance.
Replies
5
Views
1K
JacquiiDesigns
JacquiiDesigns
Top Bottom