1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Want to make sure XenForo can meet my needs before purchase.

Discussion in 'XenForo Pre-Sales Questions' started by SethAten, Aug 27, 2013.

  1. SethAten

    SethAten Member

    I'm looking to buy Xen, the demo was easy enough and XenForo has taken over the internet, used on nearly every forum I've visited in the past several months. One thing I do need to clarify before I jump though....

    I intend to use the XenForo user database in my forum as a Master for a a Single Sign-On architecture. Therefore I need a way for other applications to authenticate against it. With SMF, this can be achieved with a query such like this:

    SELECT `email_address` AS `email` FROM `forum_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))

    Can this or similar be done with XenForo? From what I've Googled, XenForo is not this easy and requires extra APIs and such. However, one of my intended slaves is the Anope IRC services, and this cannot(to my knowledge) use those APIs and requires MySQL.
  2. Mike

    Mike XenForo Developer Staff Member

    The short answer is that it's not that simple. XenForo supports a number of authentication methods and is totally pluggable. The default system uses bcrypt as well, so you won't be able to do it in a query. You'd need to involve PHP/API calls.
    Adam Howard likes this.
  3. SethAten

    SethAten Member

    OK, so what's the long answer? Is there a pre-existing method to use an authentication system that I could use via query? Or, on a brainstorm, a plugin or such to dump user information to a usable table on a cron job or data change?
  4. Jeremy

    Jeremy Well-Known Member

    The easiest (and recommended way) is to use the XenForo_Authentication classes provided with the software, since each user (depending on where they come from) could potentially have a different password scheme within the database. Its relatively simple to just build out a small script to initialize everything necessary and to verify the authentication.
  5. SethAten

    SethAten Member

    "Depending on where they come from"? Well, they would all register from XenForo. Anyways, I've spoken on the Anope dev channel, it's MySQL or bust, there is no way for it to use an HTTP API currently; and I'd rather make one(the forum) database more accessible than remake every possible application to support XenForo. The same can be said for my planned game integration..while the server could be made to use the API, I feel that a direct MySQL query would be more responsive than the public facing web server.

    If it can't be done, it can't be done, and I'll just keep going with SMF despite everyone berating me for its "open source security holes". :D
  6. Digital Doctor

    Digital Doctor Well-Known Member

  7. Digital Doctor

    Digital Doctor Well-Known Member

  8. Jeremy

    Jeremy Well-Known Member

    If you aren't importing users, they will all have the same authentication scheme until XenForo changes it. Currently, XenForo uses the following bcrypt. As Mike said, this is also pluggable so I could create users through my add-on and give them a password scheme that uses MD5 or another hashing system.
  9. SethAten

    SethAten Member

    OK, so the question is, is there now or could I commission one cheap, a plugin/add-on/method/class to get the user authentication scheme to use something "readable" like SHA1(like the example in the OP uses) so that I can authenticate a user and fetch a static identifier(something that never changes, like an ID number) in a single query.
  10. Jeremy

    Jeremy Well-Known Member

    If you'd like to modify the class, it shouldn't be too difficult to modify XenForo to always use the class you'd like. However, if you don't go through XenForo's authentications, you won't gain a valid XenForo session.
  11. SethAten

    SethAten Member

    Well, the other applications do not need a XenForo session, they just need to know that UserX attempting to login with PasswordX is correct(or not :p) So the application will use its own query(not using XenForo, just MySQL) with the attempting username and attempting password(or password hash) against the XenForo user table and if it gets back a unique/static ID, considers the auth a success and let's them in, else fail.

    Maybe I'm not explaining the situation clearly enough? I dunno, it's a problem with me, I tend to explain things how I see them and not the general eye.


    The intended process.

    User registers with forum.
    User password is store alongside username,e-mail and other info including a unique id(usually the generic "id" column found in a lot of MySQL tables)
    XenForo operates normally.
    User discovers our IRC server, joins and is asked to identify with forum password.
    User gives the IRC "nickserv" his forum password.
    Nickserv runs SQL query
    SELECT `email_address` AS `email` FROM `XENFORO_members` WHERE `member_name` = NAME AND `passwd` = SHA1(CONCAT(LOWER(NAME), PASSWORD))
    If MySQL hands back e-mail address, consider auth a success.
    Last edited: Aug 27, 2013
  12. Jeremy

    Jeremy Well-Known Member

    Then yes, you will be able to create an add-on that accomplishes the necessary changes to the software to be able to query it directly.
  13. SethAten

    SethAten Member

    Very well. I will probably make my purchase in the coming weeks. I guess after then I will have access to the necessary places to request such an add-on to be made.

    Thanks :D
  14. Reeve of Shinra

    Reeve of Shinra Well-Known Member

    The good news (so to speak) is that there are several mods that deal with single sign on -- from bridges to wordpress, SSO between XF installs, and even an addon that authenticates STEAM users. So I am sure someone could code what you need for your specific environment.

Share This Page