XenAPI - XenForo PHP REST API

XenAPI - XenForo PHP REST API 1.4.2


carlosecg

Member
I installed this on my server, set a random api key. All working, but I was able to read private threads and posts as a guest. Am I doing anything wrong?
 

BoostN

Well-known member
Is there a way to show the amount (if any) of errors as found in the AdminCP? (server errors).
 
I've gone through most of the posts here on this thread now looking for a solution to my problem. I can't seem to figure out a way to check if a user is logged in or not? I have a feeling it's not that simple but if someone could point me in the right direction it would be greatly appreciated.
 

Nathan Soares

New member
I've gone through most of the posts here on this thread now looking for a solution to my problem. I can't seem to figure out a way to check if a user is logged in or not? I have a feeling it's not that simple but if someone could point me in the right direction it would be greatly appreciated.
You can send a getUser with the hash of authenticate.
 

Helladen

Member
PHP7 is broken because of the break; lines; just remove these each time you get the line error. This happens when you throw an error. I went ahead and removed all break; that come after throwError in the entire file. Basically, replace your api.php with this one and update the RestAPI key with your own. I edited mine back to the default one that comes with it.

Here's the pull request author. :O https://github.com/Contex/XenAPI/pull/61
 

Attachments

  • api.php
    256.9 KB · Views: 6
My question is: is there any way I could validate if the "authenticate hash" is correct with some external software? Like, I get the hash in my C# app and check if it's correct.
 
My goal is after I get the hash, to check if it's correct. Like if someone tries to redirect the link to the api and fakes a hash, how can I check that the hash I get as a response from the api is a valid one?
 

Helladen

Member
My goal is after I get the hash, to check if it's correct. Like if someone tries to redirect the link to the api and fakes a hash, how can I check that the hash I get as a response from the api is a valid one?

The API returns a hash when you authenticate a user. You don't want to log in using a hash. You want to have them input a username/password, then you can verify if it works or not.

This is the code I use to authenticate a user.
Code:
     sAddress = "https://hitsparkinteractive.com/api.php"
     
     addrParams = "action=authenticate"
     addrParams = addrParams & "&username=" & Username
     addrParams = addrParams & "&password=" & Password
     
     Set HTTP = New WinHttpRequest
     HTTP.Open "GET", sAddress & "?" & addrParams, False
     HTTP.SetTimeouts 250, 250, 250, 3000
     HTTP.Send


This is the code after I received the hash.
Code:
     sAddress = "https://hitsparkinteractive.com/api.php"

     addrParams = "action=getUser"
     addrParams = addrParams & "&hash=" & Username & ":" & TempPlayer(index).Hash
   
     Set HTTP = New WinHttpRequest
     HTTP.Open "GET", sAddress & "?" & addrParams, False
     HTTP.SetTimeouts 250, 250, 250, 1000
     HTTP.Send
   
     retJSON = HTTP.ResponseText
     Set HTTP = Nothing

I run a legacy server that uses VB6, but C# is pretty easy to do the same thing.
 
You seem to not be understanding me. I require username and pass and I successfully get the hash. My problem is checking if the hash is correct.
 

Helladen

Member
You seem to not be understanding me. I require username and pass and I successfully get the hash. My problem is checking if the hash is correct.

You don't do that. You are the one not understanding this API. You use actions like I showed above. You don't need to authenticate or check again. The HASH is checked for each action automatically. The HASH is unique and not something you need to verify.
 
The HASH is unique and not something you need to verify.
That's what I needed. I'm aware that I don't need additional checks of the hash, but let's say someone manages to reroute the api address to somewhere else that returns a random hash. That's why I need an additional check
 

Helladen

Member
The HASH is unique and not something you need to verify.
That's what I needed. I'm aware that I don't need additional checks of the hash, but let's say someone manages to reroute the api address to somewhere else that returns a random hash. That's why I need an additional check

I see. There are API passwords that you can use. There's a unique password in the file (API.php); I believe this is secure. If it isn't, then you probably need to use that password along with the HASH to secure it using the API.php. I am not sure on this though, sorry.
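
For the rerouting concern raised in this exchange, an added example (not code from this thread or from XenAPI): rather than validating the returned hash itself, the client checks which server it is talking to, using TLS hostname verification plus a pinned certificate fingerprint, and URL-encodes the parameters it sends. The function names, the pin handling and the use of a plain HTTP/1.0 GET with a JSON body are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import socket
import ssl
from urllib.parse import urlencode, urlsplit


def build_query(action, **params):
    """URL-encode every value so ':', '&' or spaces cannot alter the query."""
    return urlencode({"action": action, **params})


def cert_matches_pin(der_cert, pinned_hex):
    """Compare the certificate's SHA-256 fingerprint to the pin in constant time."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, pinned_hex.lower())


def api_get(base_url, query, pinned_hex, timeout=3.0):
    """GET base_url?query; send nothing unless the server presents the pinned cert."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS API address")
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay enabled
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            if not cert_matches_pin(der, pinned_hex):
                raise ssl.SSLError("certificate does not match pinned fingerprint")
            path = parts.path or "/"
            req = f"GET {path}?{query} HTTP/1.0\r\nHost: {parts.hostname}\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
    _head, _, body = response.partition(b"\r\n\r\n")
    return json.loads(body)  # assumption: the API answers with a JSON body


if __name__ == "__main__":
    # Constructed sample bytes standing in for a DER certificate (not a real cert).
    sample_der = b"constructed certificate bytes"
    pin = hashlib.sha256(sample_der).hexdigest()
    print(cert_matches_pin(sample_der, pin))          # genuine server
    print(cert_matches_pin(b"rerouted server", pin))  # different certificate
    print(build_query("getUser", hash="alice:abc&action=x"))
```

The pin is the SHA-256 of the forum server's certificate, recorded out of band and updated whenever the certificate is renewed.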
 