XF 1.2 XenForo Obtaining API and Secret Keys

[kenjw]

I am wanting to setup a WP DRIVEN - OAuth implementation between WP and Xenforo and after exploring the usual XenForo Forum places I am not enthused by what I have seen so far.

On the POSITIVE side, I see that there is a fantastic REST API http://xenforo.com/community/resources/xenapi-xenforo-rest-api.902/
AND I see that there are some GitHub Pages related thereto.

But I am a bit new to AOuth2 … and I apologise if this seems like a odd question but it seems that all of the the OAuth2 Service Implementation Providers at some time in the setup need to obtain from me an API Key and a Secret Key to enable a connection to XenForo from WP.

Q) Where and/or How do I find the API Key and The Secret Key for my XenForo installation?

Appreciate your help
Best Regards
kenjw

 

[Jeremy]

XenForo doesn't provide any API key or secret key, Oauth isn't built into the software. If the add-on provides one, you will need to ask support in the add-ons thread.

 

[kenjw]

XenForo doesn't provide any API key or secret key, Oauth isn't built into the software. If the add-on provides one, you will need to ask support in the add-ons thread.

So …. calls to the extensive and very powerful API are ALL unprotected then? Anyone can make any call without any security?

That does not look good to me.

Surely there is some security?
If so … what is that security?
If not …. then why is this lack of security permitted?

 

[Jeremy]

There is no API in XenForo.

 

[EQnoble]

So …. calls to the extensive and very powerful API are ALL unprotected then? Anyone can make any call without any security?

That does not look good to me.

Surely there is some security?
If so … what is that security?
If not …. then why is this lack of security permitted?

That is an addon/ 3rd party software...

However if you take a look at the commenting in the code from the github page you can see this which specifies permissions ...

class RestAPI {
    const VERSION = '1.3.1';
    const GENERAL_ERROR = 0x201;
    const USER_ERROR = 0x202;
    /**
    * Contains all the actions in an array, each action is 'action' => 'permission_name'
    * 'action' is the name of the action in lowercase.
    * 'permission_name' is the permission requirement of the action, see description under.
    *
    * Permission names and meaning:
    *   - public:        A hash is not required to use this action, it can be used without
    *                    without being 'authenticated'.
    *   - authenticated: The action requires the user to be authenticated to use the action
    *                    with a 'value' argument.
    *   - moderator:     The action requires the user to be a moderator to use the action
    *                    with a 'value' argument.
    *   - administrator: The action requires the user to be an administrator to use the action
    *                    with a 'value' argument.
    *   - private:       User is only allowed to use the action on himself/herself.
    *                    Example: If user tries to use 'getAlerts' with a 'value' argument,
    *                              an error will be thrown.
    *   - api_key:       An API key is required to perform this action.
    *
    * NOTE: Permissions are ignored when the API key is used as a hash, permissions are only
    *       used when the user is using the 'username:hash' format for the 'hash' argument.
    */
    private $actions = array(
        'authenticate'     => 'public',
        'edituser'         => 'api_key',
        'getactions'       => 'public',
        'getaddon'         => 'administrator',
        'getaddons'        => 'administrator',
        'getalerts'        => 'private',
        'getavatar'        => 'public',
        'getconversations' => 'private',
        'getgroup'         => 'public',
        'getnode'          => 'public',
        'getnodes'         => 'public',
        'getpost'          => 'public',
        'getposts'         => 'public',
        'getprofilepost'   => 'authenticated',
        'getprofileposts'  => 'authenticated',
        'getresource'      => 'administrator',
        'getresources'     => 'administrator',
        'getstats'         => 'public',
        'getthread'        => 'public',
        'getthreads'       => 'public',
        'getuser'          => 'authenticated',
        'getusers'         => 'public',
        'register'         => 'api_key'
    );

its not like this thing sits there and makes all your forum data completely public...it fetches data like an api should and when someone is not permitted to access/change data they can't

 

[kenjw]

EQNoble,

Thanks very much for this very complete answer. I was looking at:
http://xenforo.com/community/resources/xenapi-xenforo-rest-api.902/
and thinking this was part of the XenForo supported release. The doc above does not make it very clear that it is an add-on!

Again thanks
Best Regards
kenjw

 

[kenjw]

BTW,

I noticed this:
http://www.invisionpower.com/services/enterprise/single-sign-on

These people seem to have some great stuff. It looks to me like they actually run on XenForo. Is this the case do you know?

Best Regards
kenjw

 

[Jeremy]

Unless you download it via the customer area, it is to be considered 3rd party and not a XenForo supported release.

As to your second post, you are looking at the official site for Invision Power, which builds IP.Board. They will not be running XenForo.