XF 1.2 XenForo Obtaining API and Secret Keys

Discussion in 'XenForo Questions and Support' started by kenjw, Dec 29, 2013.

  1. kenjw

    kenjw New Member

    I am wanting to set up a WP DRIVEN - OAuth implementation between WP and XenForo, and after exploring the usual XenForo forum places I am not enthused by what I have seen so far.

    On the POSITIVE side, I see that there is a fantastic REST API http://xenforo.com/community/resources/xenapi-xenforo-rest-api.902/
    AND I see that there are some GitHub Pages related thereto.

    But I am a bit new to OAuth2 … and I apologise if this seems like an odd question, but it seems that all of the OAuth2 Service Implementation Providers at some time in the setup need to obtain from me an API Key and a Secret Key to enable a connection to XenForo from WP.

    Q) Where and/or How do I find the API Key and The Secret Key for my XenForo installation?

    Appreciate your help
    Best Regards
  2. Jeremy

    Jeremy Well-Known Member

    XenForo doesn't provide any API key or secret key; OAuth isn't built into the software. If the add-on provides one, you will need to ask support in the add-on's thread.
  3. kenjw

    kenjw New Member

    So …. calls to the extensive and very powerful API are ALL unprotected then? Anyone can make any call without any security?

    That does not look good to me.

    Surely there is some security?
    If so … what is that security?
    If not …. then why is this lack of security permitted?
  4. Jeremy

    Jeremy Well-Known Member

    There is no API in XenForo.
  5. EQnoble

    EQnoble Well-Known Member

    That is an addon/ 3rd party software...

    However if you take a look at the commenting in the code from the github page you can see this which specifies permissions ...

    class RestAPI {
        const VERSION = '1.3.1';
        const GENERAL_ERROR = 0x201;
        const USER_ERROR = 0x202;

        /**
        * Contains all the actions in an array, each action is 'action' => 'permission_name'
        * 'action' is the name of the action in lowercase.
        * 'permission_name' is the permission requirement of the action, see description under.
        * Permission names and meaning:
        *   - public:        A hash is not required to use this action, it can be used
        *                    without being 'authenticated'.
        *   - authenticated: The action requires the user to be authenticated to use the action
        *                    with a 'value' argument.
        *   - moderator:     The action requires the user to be a moderator to use the action
        *                    with a 'value' argument.
        *   - administrator: The action requires the user to be an administrator to use the action
        *                    with a 'value' argument.
        *   - private:       User is only allowed to use the action on himself/herself.
        *                    Example: If user tries to use 'getAlerts' with a 'value' argument,
        *                              an error will be thrown.
        *   - api_key:       An API key is required to perform this action.
        * NOTE: Permissions are ignored when the API key is used as a hash, permissions are only
        *       used when the user is using the 'username:hash' format for the 'hash' argument.
        */
        private $actions = array(
            'authenticate'     => 'public',
            'edituser'         => 'api_key',
            'getactions'       => 'public',
            'getaddon'         => 'administrator',
            'getaddons'        => 'administrator',
            'getalerts'        => 'private',
            'getavatar'        => 'public',
            'getconversations' => 'private',
            'getgroup'         => 'public',
            'getnode'          => 'public',
            'getnodes'         => 'public',
            'getpost'          => 'public',
            'getposts'         => 'public',
            'getprofilepost'   => 'authenticated',
            'getprofileposts'  => 'authenticated',
            'getresource'      => 'administrator',
            'getresources'     => 'administrator',
            'getstats'         => 'public',
            'getthread'        => 'public',
            'getthreads'       => 'public',
            'getuser'          => 'authenticated',
            'getusers'         => 'public',
            'register'         => 'api_key'
        );
        // Remainder of the class is not shown in this post.
    }

    It's not like this thing sits there and makes all your forum data completely public... it fetches data like an API should, and when someone is not permitted to access/change data, they can't.
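
The permission model in the comment quoted above, worked through as an added PHP example (not part of the original post and not the add-on's code): it evaluates every action in the quoted table for four constructed caller types and prints how many each can reach. The function names, the caller array shape, the numeric ranks and the reading that a role requirement applies with or without a 'value' argument are assumptions.

```php
<?php
// Added illustration, not the add-on's code: the rules from the quoted comment
// applied to the quoted action table, grouped here by permission name.
const BY_PERMISSION = [
    'public'        => ['authenticate', 'getactions', 'getavatar', 'getgroup',
                        'getnode', 'getnodes', 'getpost', 'getposts',
                        'getstats', 'getthread', 'getthreads', 'getusers'],
    'authenticated' => ['getprofilepost', 'getprofileposts', 'getuser'],
    'private'       => ['getalerts', 'getconversations'],
    'administrator' => ['getaddon', 'getaddons', 'getresource', 'getresources'],
    'api_key'       => ['edituser', 'register'],
];
// Assumed numeric encoding of the role a 'username:hash' caller holds.
const RANK = ['authenticated' => 1, 'moderator' => 2, 'administrator' => 3];

/** Permission name for an action, or null when the action is unknown. */
function permissionFor(string $action): ?string
{
    foreach (BY_PERMISSION as $perm => $actions) {
        if (in_array(strtolower($action), $actions, true)) { return $perm; }
    }
    return null;
}

/**
 * $caller = ['api_key' => bool, 'rank' => 0..3]; rank 0 means no hash was sent.
 * $onOtherUser is true when the request carries a 'value' argument.
 */
function isAllowed(string $action, array $caller, bool $onOtherUser = false): bool
{
    $perm = permissionFor($action);
    if ($perm === null)     { return false; }  // unknown action: deny
    if ($caller['api_key']) { return true; }   // NOTE in the comment: permissions ignored
    if ($perm === 'public') { return true; }
    if ($perm === 'api_key') { return false; }
    if ($perm === 'private') { return $caller['rank'] >= 1 && !$onOtherUser; }
    return $caller['rank'] >= RANK[$perm];     // assumption: enforced regardless of 'value'
}

// Constructed caller types for the exposure summary.
$callers = [
    'anonymous'     => ['api_key' => false, 'rank' => 0],
    'member'        => ['api_key' => false, 'rank' => 1],
    'administrator' => ['api_key' => false, 'rank' => 3],
    'api key'       => ['api_key' => true,  'rank' => 0],
];
$all = array_merge(...array_values(BY_PERMISSION));
foreach ($callers as $name => $caller) {
    $ok = array_filter($all, fn($a) => isAllowed($a, $caller));
    printf("%-13s %2d/%d actions\n", $name, count($ok), count($all));
}
```

Because the API key skips every permission check, including the `api_key`-only `edituser` and `register` actions, it is best stored and rotated like an administrator credential.
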
  6. kenjw

    kenjw New Member

  7. kenjw

    kenjw New Member

  8. Jeremy

    Jeremy Well-Known Member

    Unless you download it via the customer area, it is to be considered 3rd party and not a XenForo supported release.

    As to your second post, you are looking at the official site for Invision Power, which builds IP.Board. They will not be running XenForo.
