Page 1 of 1

Is there an API?

Posted: Sat Apr 09, 2016 4:01 pm
by rrbailey89
My question may not be in the write spot. Essentially I operate a bot in a community. This bot is very multipurpose. I would like my bot to also be able to post updates and other useful information on my own forum. The bot is coded in node.js. My question is is there an API for phpbb? How could I go about having the bot login and then navigate to the thread I want it to post in? And furthermore how would I go about actually haveing it post?

Re: Is there an API?

Posted: Mon Apr 11, 2016 10:17 am
by australianwriters

Re: Is there an API?

Posted: Mon Apr 11, 2016 5:36 pm
by Senky
Check this out:
https://area51.phpbb.com/docs/dev/31x/cli/index.html
For now, it lacks many functions, but you can add it by custom extension you write.

Re: Is there an API?

Posted: Mon Apr 11, 2016 6:47 pm
by nicofuma
For now there isn't any API. You would have to use a crawler to navigate through the forum. Someone else was working on an API a while ago but it never went so far mainly because it is hard due to our current auth system. But we don't forget that and maybe someone will have time and motivation to work on that for 3.3 (will mostly be a restful API using jwt and/or oauth2 for the authentication)

Re: Is there an API?

Posted: Mon Apr 11, 2016 6:53 pm
by rrbailey89
nicofuma wrote:For now there isn't any API. You would have to use a crawler to navigate through the forum. Someone else was working on an API a while ago but it never went so far mainly because it is hard due to our current auth system. But we don't forget that and maybe someone will have time and motivation to work on that for 3.3 (will mostly be a restful API using jwt and/or oauth2 for the authentication)
That would be great. Things become significantly more difficult when you have to reverse engineer to figure out how to get it to work.

Re: Is there an API?

Posted: Mon Apr 11, 2016 7:01 pm
by nicofuma
For now you can use a Web crawler. You just need to fill the forms and follow the links (like any user)

Re: Is there an API?

Posted: Mon Apr 11, 2016 7:09 pm
by rrbailey89
nicofuma wrote:For now you can use a Web crawler. You just need to fill the forms and follow the links (like any user)
That unfortunately is not the automated solution that I am looking for. Ideally I would like to execute my bots command like so:

Code: Select all

!last 5
And the bot takes last 5 comments from our clients chat history. Logs into its predefined bot account on my forum navigates to the correct forum and posts the last 5 messages.

Re: Is there an API?

Posted: Mon Apr 11, 2016 9:01 pm
by australianwriters
If you know the forum and (if appropriate) topic IDs (which you can get with trivial ease), you don't need to crawl anything or fake the log-in process. See the links provided above.

Re: Is there an API?

Posted: Mon Apr 11, 2016 11:34 pm
by rrbailey89
australianwriters wrote:If you know the forum and (if appropriate) topic IDs (which you can get with trivial ease), you don't need to crawl anything or fake the log-in process. See the links provided above.
I don't understand. Those are core functions of phpbb and therefore I should not be able to interact with them from outside the forums environment with a bot... Right?

Re: Is there an API?

Posted: Mon Apr 11, 2016 11:59 pm
by australianwriters
Wrong. Please look at the link I provided earlier. I've done pretty much what you want to do.

Re: Is there an API?

Posted: Sun Apr 17, 2016 8:10 pm
by gn#36
To use these functions, you need to be inside phpBB, really. Otherwise a lot of stuff won't work. But you can use a webcrawler, which needs to login, and then can call the posting form and post it. Since all adresses will stay the same, the only things you will need apart from the crawler is the topic ID of the topic to post to and a user account for the bot. The bot can use that account to login and navigate to the posting form. It can then retrieve the Form Token that protects from CSRF and send it with the post to the server, phpBB handles the rest itself.

You essentially need to build a spambot, except it is probably not spam what you are posting. The main component of that is a webcrawler that can retrieve other websites and send data to them and possibly receive and send cookies or at least append the session ID to the urls or send it with the form.

I don't know node.js too well, but I would expect there is some tool that can achieve this easily. phpBB uses a webcrawler for testing, so you can have a look at the functional tests of phpBB to see what that does.

Re: Is there an API?

Posted: Tue Dec 26, 2017 5:19 pm
by plantrob
With apologies for waking up an old thread...
Like the original poster, I'm a member of a community that uses a phpbb forum, and post automated updates to specified threads. I used a bot-based login-and-post approach as mentioned above. The community recently migrated to a new server and updated to the most recent version of phpbb in the process - and my ability to post appears to have gone away. I already figured out that there is now a post token, and have included it in my post data - and also tried supplying some of the other new parameters present on the latest form (topic_cur_post_id, lastclick, show_panel, creation_time). But I get the message "The submitted form was invalid. Try submitting again." every time. Any ideas on what I'm missing?

Re: Is there an API?

Posted: Tue Dec 26, 2017 8:32 pm
by gn#36
If you want to stick to your login based approach (e.g. because you are posting from a different server), you should take a look at the code locations where this message is output:
https://github.com/phpbb/phpbb/search?q ... =%E2%9C%93

Possible reasons for this message during posting: I didn't see any other usual location where the message was used during evaluation of posting information, so you probably did something wrong for the form key evaluation. You can find the executed code here.

From a look at the code you have to take care of at least the following:
  • correct form name
  • creation_time
  • form_token
  • Identical user login (i.e. keep session ID)
  • The timespan between creation_time and now() must be at least 1 second (on server side of course), at most the value of $config['form_token_lifetime']
So I would assume, if you took care of all variables and the login (which also already will need a correct form key), that you simply don't have enough time between the download of the posting page and the submit. Since the creation_time is part of the form key, you cannot trick this page, unless you also know the users user_form_salt and user_id on the other script.

Alternatively, you could also create a phpBB cronjob for creating the posts and use the phpBB APIs for inserting the posts.

Re: Is there an API?

Posted: Tue Dec 26, 2017 10:07 pm
by plantrob
Thanks a million for taking the time to write that. I'm still not there, but now I understand better how the form is supposed to work, especially the creation_time bit. I modified my code to read that parameter from the supplied form instead of self-populating it, and introduced a 1.5-second delay in my posting method - but am still getting the error. Even though it's on a different server, I do have access to the phpbb code, so I'll have to do some debugging on the far end to figure out what I'm doing wrong. With your help, at least I know where to start looking.
Added: got it working now - thanks again.

Re: Is there an API?

Posted: Tue Dec 26, 2017 10:38 pm
by gn#36
For better debugging, creation_time should be simply a unix timestamp. Also make sure your script is using the same transfer method as the form for each parameter. The function checks explicitly, whether they are sent via POST, not GET.

If you are interested, how the form check is added to the form, that code is in the function above, add_form_key.

By the way, that function contains phpBB hooks, so that you could use it to pass additional information to your script when the form is created. You could for example add more hidden fields. Just be careful not to pass on any secret information (such as the user form salt for example, which ensures that you cannot bypass the security check by recalculating new timestamps and hashes by being unknown to an attacker) that may compromise the security of your board. But if you find that you need additional information from phpBB in your script, you could put it into the hidden fields. Unfortunately, there is no such hook in the checking part, so you cannot bypass the check using that additional information without editing phpBB core code.