Blog Documentation Book a Demo
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

API v2 access errors

eddieray7eddieray7 New
in Vanilla 2.0 - 2.8

I'm trying to use the v2 API to do some simple queries like "categories" and "discussions" and such.

When I to use the "access_token" argument on the URL, it works fine.

When I try to use the Authorization header, it fails with an "you need blah blah access" error.

The docs say:

Authorization: Bearer <token>

I'm replacing with the actual token string and the rest is sent in the header verbatim.

Is "Bearer" supposed to be replaced by something like the username? Does the token need to be base64 encoding (like a Basic Auth header)?

What am I doing wrong?

Comments

  • R_JR_J Admin

    As far as I know that token is the token that you have to create in your profile (under /profile/tokens) when you gave yourself the permission to do so. You only need to set an explicit permission if you are not the admin of the board.

    The API is not able to let users log in and get "personal" content. Each call to the API has to be made with that one token and that is bound to the role of the user.
    In theory you would be able to create a API-user for every single role you have, but normally that is not what you would like to have to do.

    I do not really understand the usefulness of that API...

  • eddieray7eddieray7 New

    I need to do some programmatic posting to move content from our old forums. If the GET parameter works, then that's fine. I was just wondering why the first method recommended in the docs fails to work. I can see the Authorization header being sent by curl but Vanilla seems to not be able to use it... unless I'm doing something wrong.

  • R_JR_J Admin

    I tried, but I didn't succeeded POSTing a discussion with the API, either. o.O

    If it is just that you want to import some content, you might be much faster with simple SQL.

    Look at the GDN_Discussion and GDN_Comment table. If you have no special plugins activated, it should be okay to simply import Body, Format, DateInserted, InsertUserID and Title (for discussions only).

    There are some fields in the database which are wrong after that, mainly the "...Count" rows like e.g. Discussion.CommentCount and Category.DiscussionCount

    But whenever you visit /yourforum.com/dba/counts those numbers are recalculated so that this should not keep you from working directly on the database.

  • eddieray7eddieray7 New

    Just for giggles I went to the forum/dba/counts page and clicked Start... it succeeded all but one recount and pops up an error for that one saying there's an invalid date "00/00/0000 00:00:00" in table Recalculate Discussion.DateLastComment. Sigh.

  • R_JR_J Admin

    By the way: I have managed to create a discussion as well as a comment with the API. My biggest problem has been that my page is htaccess protected and you cannot send two "Authentication" headers, which would be needed for the "Basic" htaccess authentication and the "Bearer" Vanilla access token.

    Therefore I have to use the "access_token" parameter.

    token="the token that you have to create in your profile"
url="https://example.com/api/v2"
htuser="myUser"
htpass="myPass"

curl \
    --insecure \
    -u "${htuser}:$htpass" \
    --header "Content-Type: application/json" \
    --request POST \
    --data @discussion.json \
    "${url}/discussions?access_token=$token"

curl \
    --insecure \
    -u "${htuser}:$htpass" \
    --header "Content-Type: application/json" \
    --request POST \
    --data @comment.json \
    "${url}/comments?access_token=$token"

    Here are the two json files

    comment.json
{
    "body": "[b]test[/b] :-)",
    "format": "BBCode",
    "discussionID": 187
}

discussion.json
{
    "name": "The Title",
    "body": "[b]test[/b] :-)",
    "format": "BBCode",
    "categoryID": "5"
}
  • eddieray7eddieray7 New

    Nice example!

    Have you gotten the "Authorization: Bearer " header to work if you disable the .htaccess login? I still haven't been able to get this to work using the header... only the GET/POST parameter.

  • R_JR_J Admin

    I haven't tried, no. But if I would, it would look like that:

    token="the token that you have to create in your profile"
url="https://example.com/api/v2"

curl \
    --insecure \
    --header "Authorization: Bearer $token"
    --header "Content-Type: application/json" \
    --request POST \
    --data @discussion.json \
    "${url}/discussions"
  • eddieray7eddieray7 New
    edited October 2018

    Okay... I tried a curl command like the above and I get a new error (returned in a 403 response) when querying categories:

    {
    "message": "Invalid CSRF token. Please try again.",
    "status": 403,
    "msg": "Invalid CSRF token. Please try again.",
    "code": 403,
    "except": [],
    "type": "!csrf",
    "description": null
}
  • R_JR_J Admin

    Please show the curl call that you have tried

Sign In or Register to comment.