I looked at XenAPI and other add-ons and none seemed to enable third-party scripts to remotely control XenForo to the degree we needed. Rewriting our web application to use XenForo's login routines was not an option.
I investigated the Login/Logout functions present in XenForo, but they require the hashed password, which is not something a third-party script would (or should) have access to. After 30 hours developing a rather kludgy integration (as you can read about here) there is still no elegant solution for the AdminCP extra login security popup. I also fear that our integration may be "fragile" and be affected by future changes in XenForo. Including such an API out-of-the-box would eliminate this fear.
My suggestion is either:
- Provide a standalone API file like xenforo_api.php which contains fully encapsulated versions of major XenForo functions, and which can be included into a third-party script by passing an encrypted key to perform these functions without the user's password hash:
- Login (creates session, cookies, etc. as needed to fully log a user, mod, or administrator in)
- Logout (ibid.)
- Register User (provide any and all profile fields, including UserID of the user to be created)
- Update User (change the e-mail or password of a user)
- Delete User
- Create Thread
- Create Post
- Provide documentation for third-party integration, and provide a version of the Login function that will accept a 64-bit encrypted "API key" in lieu of the user's hashed password. Also, provide a way to disable the AdminCP extra security login procedure for users that login through the API.