XF 2.0 XenForo SDK/API

[korhox]

Hi.

I was looking SDK or some kind of API for XenForo 2. Is there any built-in bossibility or if anyone is planning to make some kind of script to check in other PHP software, if user is logged in in the same web server where XenForo 2 is installed, and custom made PHP script are installed.

I have had in XenForo 1 installation PHP script that allows users to log in and manage admin panel of our Minecraft server, so staff does not need to remember different accounts.

When I'm talking about SDK, i mean this application that worked on XenForo 1.x: https://xenforo.com/community/resources/xenforo-sdk.2790/

Thank you for your time.

 

[Mike]

As it stands, I don't believe their are equivalent systems updated to the XF2 framework yet. It is likely possible to do something directly as it shouldn't be difficult to initialize the XF framework and "public" part of the app to see the login state.

 

[twhiting9275]

TBH this is something that should really be put out and maintained by XF, as opposed to relying on third party manufacturers to keep up.
Yes, I understand that'd add overhead to dev time, but, this is something that'd really add a bit of value to the product itself.

 

[korhox]

this is something that'd really add a bit of value to the product itself.

I Agree.

 

[indepth]

This gets my vote as well! It is currently keeping us from continuing our license and moving to 2.0, which we were excited about.

Since we use an API to create the XF usernames and profiles when a user subscribes to our site, I don't see any way we could continue with future versions of XF without it.

We are working off a slightly modified version of the old Xenforo SDK seen here if it helps for you to see what type of integration a lot of us are using:
https://xenforo.com/community/resources/xenforo-sdk.2790/

 

[indepth]

Hey @Mike is there any potential movement on this in the foreseeable future? Or should we assume it is not something that XF is currently considering?

 

[Mike]

Most of the discussion has been in the context of a REST API, but that is something we have said is being considered for a future version.

 

[indepth]

Most of the discussion has been in the context of a REST API, but that is something we have said is being considered for a future version.

Thanks for the reply Mike. One last question: are you aware of any changes in XF 2.0 that would prohibit a similar group of external commands from initiating the required modules within the same local account? Any reason to think this couldn't be developed fairly easily by a knowledgeable person in the future?

Honestly, I haven't even tested the old SDK interface with 2.0 since we aren't able to run our site without it (so we haven't upgraded); but I'm assuming it definitely wouldn't work as is unless all the functions/classes have the same names.

 

[Jeremy P]

The old SDK almost certainly wouldn't work on 2.0+. And no, there's no reason that a similar 3rd party SDK/API couldn't be developed by somebody today if they were so inclined. XF is already built as a framework of sorts as it is.

 

[indepth]

The old SDK almost certainly wouldn't work on 2.0+. And no, there's no reason that a similar 3rd party SDK/API couldn't be developed by somebody today if they were so inclined. XF is already built as a framework of sorts as it is.

Thanks Jeremy. Were you using (or are you using) the old Xen SDK on your site? Wondering how many others are in the same boat we are with the version change.

A REST API could work as well, but I didn't like having to pass things like email addresses, usernames and passwords through https in the calls to Curl. Seemed like an unnecessary step and a potential security risk when we developed our site awhile back.

 

[Jeremy P]

Thanks Jeremy. Were you using (or are you using) the old Xen SDK on your site? Wondering how many others are in the same boat we are with the version change.

I'm not personally, but pretty much anybody running any amount of add-ons or custom code on 1.x is in the same boat. It all must be rewritten to be compatible.

A REST API could work as well, but I didn't like having to pass things like email addresses, usernames and passwords through https in the calls to Curl. Seemed like an unnecessary step and a potential security risk when we developed our site awhile back.

That's not strictly necessary with a well-developed REST API. Usually authentication is accomplished through other means besides passing usernames and password around.

 

[korhox]

Hi again!

Is there now days any way to get login state and username in PHP? This would be very critical to my system.

Thanks!

 

[korhox]

Hello!

I've been struggling with this problem until today I came up with following solution:

<?php


   /*
    *
    *    FLOS.FI CP INFRASTRUCTURE
    *    by korho 2018 October
    *
    *    Copyright ® korho.fi 2018
    *
    */


    // BEGIN SET MYSQL SETTINGS
    $mysqlhost = "***";
    $mysqluser = "***";
    $mysqlpass = "***";
    $mysqlbase = "***";
    // END SET MYSQL SETTINGS

    // BEGIN SET POST DATA
    $username = $_POST["username"];
    $password = $_POST["password"];
    // END SET POST DATA



    // BEGIN MYSQL CREATE CONNECTION
    $conn = new mysqli($mysqlhost, $mysqluser, $mysqlpass, $mysqlbase);


    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    if (!$conn->set_charset("UTF8")) {
         echo "Error setting character set to UTF8 " . $mysqli->error;
    }
    // END MYSQL CREATE CONNECTION


    $sql = "SELECT user_id FROM xf_user WHERE username = '".$username."' OR email = '".$username."'";
    $result = $conn->query($sql);

    if ($result->num_rows == 1) {
        while($row = $result->fetch_assoc()) {
            $id = $row["user_id"];
        }
    } else {
         echo "wrong username or password";
    }

    $sql = "SELECT data FROM xf_user_authenticate WHERE user_id = '".$id."'";
    $result = $conn->query($sql);

    if ($result->num_rows == 1) {
        while($row = $result->fetch_assoc()) {
            $data = $row["data"];
        }
    } else {
         echo "password data not found o_O";
    }

    $usData = @unserialize($data);

    if (password_verify($password, $usData['hash'])) {
        echo "login successful";
    } else {
        echo "wrong password";
    }

    // BEGIN CLOSE MYSQL CONNECTION
    $conn->close();
    // END CLOSE MYSQL CONNECTION


?>

Since my code is made with VERY simple way, i hope that someone would found easier, secure or more efficient way to use this idea. Still, using cookies to authenticate would be more efficient way, so that users would not to have login twice, to forum and control panel, this simply works.

EDIT: Bug in code: If using die() before connection is closed, MySQL connection will not be closed and remains open until it timeouts. Please do not use die() in code. Corrected to code above.