
Want to make sure XenForo can meet my needs before purchase.

#1
I'm looking to buy Xen, the demo was easy enough and XenForo has taken over the internet, used on nearly every forum I've visited in the past several months. One thing I do need to clarify before I jump though....


I intend to use the XenForo user database in my forum as a Master for a Single Sign-On architecture. Therefore I need a way for other applications to authenticate against it. With SMF, this can be achieved with a query such as this:

SELECT `email_address` AS `email` FROM `forum_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))

Can this or similar be done with XenForo? From what I've Googled, XenForo is not this easy and requires extra APIs and such. However, one of my intended slaves is the Anope IRC services, and this cannot (to my knowledge) use those APIs and requires MySQL.
 

Mike

XenForo developer
Staff member
#2
The short answer is that it's not that simple. XenForo supports a number of authentication methods and is totally pluggable. The default system uses bcrypt as well, so you won't be able to do it in a query. You'd need to involve PHP/API calls.
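
Added example, not part of the thread and not XenForo's or Anope's own code: a standalone PHP script showing why a bcrypt-hashed password cannot be matched in a `WHERE` clause the way the SHA1 query in post #1 can, and what the fetch-then-verify alternative looks like. The function names, the sample user and the in-memory array standing in for the user table are assumptions.

```php
<?php
// Added example: not XenForo or Anope code. All names and values are constructed.

// Scheme from the first post's query: deterministic, so MySQL can recompute it
// in a WHERE clause with SHA1(CONCAT(LOWER(name), password)).
function sha1NameHash(string $name, string $password): string
{
    return sha1(strtolower($name) . $password);
}

// bcrypt draws a fresh random salt on every call and stores it inside the
// 60-character result: "$2y$" + cost + "$" + 22-char salt + 31-char digest.
function bcryptSalt(string $hash): string
{
    return substr($hash, 7, 22);
}

// Fetch-then-verify: look the row up by name only, then let password_verify()
// re-run bcrypt with the salt and cost embedded in the stored hash.
function verifyLogin(array $userTable, string $name, string $password): bool
{
    $stored = $userTable[strtolower($name)] ?? null;
    if ($stored === null) {
        return false;
    }
    return password_verify($password, $stored);
}

$name = 'ExampleUser';                        // constructed sample account
$password = 'correct horse battery staple';   // constructed sample password

// Two SHA-1 computations match, which is what makes the single-query check work.
$sha1Match = sha1NameHash($name, $password) === sha1NameHash($name, $password);

// Two bcrypt computations of the same password differ, so "WHERE passwd = <hash>"
// has nothing stable to compare against.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$recomputed = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$userTable = [strtolower($name) => $stored];  // stand-in for the user table

printf("sha1 recomputation matches stored value: %s\n", var_export($sha1Match, true));
printf("bcrypt recomputation matches stored value: %s\n", var_export($stored === $recomputed, true));
printf("salts: %s vs %s\n", bcryptSalt($stored), bcryptSalt($recomputed));
printf("verifyLogin, right password: %s\n", var_export(verifyLogin($userTable, $name, $password), true));
printf("verifyLogin, wrong password: %s\n", var_export(verifyLogin($userTable, $name, 'guess'), true));
```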
 
#3
OK, so what's the long answer? Is there a pre-existing method to use an authentication system that I could use via query? Or, on a brainstorm, a plugin or such to dump user information to a usable table on a cron job or data change?
 

Jeremy

Well-known member
#4
The easiest (and recommended) way is to use the XenForo_Authentication classes provided with the software, since each user (depending on where they come from) could potentially have a different password scheme within the database. It's relatively simple to just build out a small script to initialize everything necessary and to verify the authentication.
 
#5
"Depending on where they come from"? Well, they would all register from XenForo. Anyways, I've spoken on the Anope dev channel, it's MySQL or bust, there is no way for it to use an HTTP API currently; and I'd rather make one (the forum) database more accessible than remake every possible application to support XenForo. The same can be said for my planned game integration... while the server could be made to use the API, I feel that a direct MySQL query would be more responsive than the public facing web server.

If it can't be done, it can't be done, and I'll just keep going with SMF despite everyone berating me for its "open source security holes". :D
 

Jeremy

Well-known member
#8
If you aren't importing users, they will all have the same authentication scheme until XenForo changes it. Currently, XenForo uses the following bcrypt. As Mike said, this is also pluggable so I could create users through my add-on and give them a password scheme that uses MD5 or another hashing system.
 
#9
OK, so the question is, is there now or could I commission one cheap, a plugin/add-on/method/class to get the user authentication scheme to use something "readable" like SHA1 (like the example in the OP uses) so that I can authenticate a user and fetch a static identifier (something that never changes, like an ID number) in a single query.
 

Jeremy

Well-known member
#10
If you'd like to modify the class, it shouldn't be too difficult to modify XenForo to always use the class you'd like. However, if you don't go through XenForo's authentications, you won't gain a valid XenForo session.
 
#11
Well, the other applications do not need a XenForo session, they just need to know that UserX attempting to login with PasswordX is correct (or not :p). So the application will use its own query (not using XenForo, just MySQL) with the attempting username and attempting password (or password hash) against the XenForo user table and if it gets back a unique/static ID, considers the auth a success and lets them in, else fail.

Maybe I'm not explaining the situation clearly enough? I dunno, it's a problem with me, I tend to explain things how I see them and not the general eye.

EDIT:

The intended process.

User registers with forum.
User password is stored alongside username, e-mail and other info including a unique id (usually the generic "id" column found in a lot of MySQL tables)
XenForo operates normally.
User discovers our IRC server, joins and is asked to identify with forum password.
User gives the IRC "nickserv" his forum password.
Nickserv runs SQL query
Code:
SELECT `email_address` AS `email` FROM `XENFORO_members` WHERE `member_name` = NAME AND `passwd` = SHA1(CONCAT(LOWER(NAME), PASSWORD))
If MySQL hands back e-mail address, consider auth a success.
 

Jeremy

Well-known member
#12
Then yes, you will be able to create an add-on that accomplishes the necessary changes to the software to be able to query it directly.
 
#13
Very well. I will probably make my purchase in the coming weeks. I guess after then I will have access to the necessary places to request such an add-on to be made.

Thanks :D
 

Reeve of Shinra

Well-known member
#14
The good news (so to speak) is that there are several mods that deal with single sign on -- from bridges to wordpress, SSO between XF installs, and even an addon that authenticates STEAM users. So I am sure someone could code what you need for your specific environment.