XF 1.2 XenForo Obtaining API and Secret Keys

K

kenjw

New member
I am wanting to setup a WP DRIVEN - OAuth implementation between WP and Xenforo and after exploring the usual XenForo Forum places I am not enthused by what I have seen so far.

On the POSITIVE side, I see that there is a fantastic REST API http://xenforo.com/community/resources/xenapi-xenforo-rest-api.902/
AND I see that there are some GitHub Pages related thereto.

But I am a bit new to AOuth2 … and I apologise if this seems like a odd question but it seems that all of the the OAuth2 Service Implementation Providers at some time in the setup need to obtain from me an API Key and a Secret Key to enable a connection to XenForo from WP.

Q) Where and/or How do I find the API Key and The Secret Key for my XenForo installation?

Appreciate your help
Best Regards
kenjw
 
Sort by date Sort by votes
XenForo doesn't provide any API key or secret key, Oauth isn't built into the software. If the add-on provides one, you will need to ask support in the add-ons thread.
 
Upvote 0 Downvote
Jeremy said:
XenForo doesn't provide any API key or secret key, Oauth isn't built into the software. If the add-on provides one, you will need to ask support in the add-ons thread.
Click to expand...

So …. calls to the extensive and very powerful API are ALL unprotected then? Anyone can make any call without any security?

That does not look good to me.

Surely there is some security?
If so … what is that security?
If not …. then why is this lack of security permitted?
 
Upvote 0 Downvote
kenjw said:
So …. calls to the extensive and very powerful API are ALL unprotected then? Anyone can make any call without any security?

That does not look good to me.

Surely there is some security?
If so … what is that security?
If not …. then why is this lack of security permitted?
Click to expand...
That is an addon/ 3rd party software...

However if you take a look at the commenting in the code from the github page you can see this which specifies permissions ...

Code: 
class RestAPI {
    const VERSION = '1.3.1';
    const GENERAL_ERROR = 0x201;
    const USER_ERROR = 0x202;
    /**
    * Contains all the actions in an array, each action is 'action' => 'permission_name'
    * 'action' is the name of the action in lowercase.
    * 'permission_name' is the permission requirement of the action, see description under.
    *
    * Permission names and meaning:
    *   - public:        A hash is not required to use this action, it can be used without
    *                    without being 'authenticated'.
    *   - authenticated: The action requires the user to be authenticated to use the action
    *                    with a 'value' argument.
    *   - moderator:     The action requires the user to be a moderator to use the action
    *                    with a 'value' argument.
    *   - administrator: The action requires the user to be an administrator to use the action
    *                    with a 'value' argument.
    *   - private:       User is only allowed to use the action on himself/herself.
    *                    Example: If user tries to use 'getAlerts' with a 'value' argument,
    *                              an error will be thrown.
    *   - api_key:       An API key is required to perform this action.
    *
    * NOTE: Permissions are ignored when the API key is used as a hash, permissions are only
    *       used when the user is using the 'username:hash' format for the 'hash' argument.
    */
    private $actions = array(
        'authenticate'     => 'public',
        'edituser'         => 'api_key',
        'getactions'       => 'public',
        'getaddon'         => 'administrator',
        'getaddons'        => 'administrator',
        'getalerts'        => 'private',
        'getavatar'        => 'public',
        'getconversations' => 'private',
        'getgroup'         => 'public',
        'getnode'          => 'public',
        'getnodes'         => 'public',
        'getpost'          => 'public',
        'getposts'         => 'public',
        'getprofilepost'   => 'authenticated',
        'getprofileposts'  => 'authenticated',
        'getresource'      => 'administrator',
        'getresources'     => 'administrator',
        'getstats'         => 'public',
        'getthread'        => 'public',
        'getthreads'       => 'public',
        'getuser'          => 'authenticated',
        'getusers'         => 'public',
        'register'         => 'api_key'
    );


its not like this thing sits there and makes all your forum data completely public...it fetches data like an api should and when someone is not permitted to access/change data they can't
 
Upvote 0 Downvote
Unless you download it via the customer area, it is to be considered 3rd party and not a XenForo supported release.

As to your second post, you are looking at the official site for Invision Power, which builds IP.Board. They will not be running XenForo.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

K
  • Suggestion Suggestion
Add API Key and OAuth2 client restrictions
Replies
2
Views
572
Kirby
K
STORM0x04
  • Solved
XF 2.2 Google signin Oauth
Replies
1
Views
461
Chromaniac
Chromaniac
nakedzombo
XF 2 Paid: Hiring REST API Xenforo 2 addon.
Replies
0
Views
495
nakedzombo
nakedzombo
C
  • Question Question
XF 2.2 Help with rest api
Replies
0
Views
680
canina
C
ThemeHouse
[TH] OAuth Integration
2 3
Replies
59
Views
3K
Sprisa
Sprisa
Top Bottom