MyBB PHP API - For easy interfacing with desktop applications.
#1
This API is absolutely outdated, and as such should never be used in a production environment.


This is an early build of the API, I am in no way responsible for any damages caused by the use or misuse of this API.
The API is designed specifically to NOT display any sensitive information (such as passwords) and any information presented by the API is encrypted.
Keep your API key safe and don't tell anyone that doesn't need to know!


Encryption:
The API uses TripleDES as its encryption algorithm. It uses the Rijndael version in CBC cipher mode. The Key is 32 character, and the IV is 32 characters (providing 256 bits of encryption). The data is "zero" padded. The "API Key" is actually the Key followed by the IV (32 character key, followed by 32 character IV). This method is fast, secure and allows multiple platforms to communicate securely. The algorithm (3DES) is used in the banking
industry for the transfer of PIN codes between merchant and Bank!


You can get the following information from the API:
  1. Salt Information
  2. User Validation
  3. Settings Information
  4. User information
  5. ThreadListings
  6. Subforum Listings
  7. Thread Information and Post lists

1. The User Salt--
This is the MyBB salt fom the database, you ned to supply a UID for this. The salt is needed when you are asking the API to validate a password
as the password needs to be hashed (in the normal mybb way) on the client side, before being encrypted and passed to the API.

EG URL String:
http://mysite.com/mybb/api.php?action=salt&uid=1




2. Password Validation--
The API is capable of validating any password from a given username. The username and password hash given should both be encrypted. The password
hash needs to be generated on the client side BEFORE encryption and sending. This is to prevent the sending of plaintext passwords
(although behind encryption) to the API.

Hash Generation:
MyBB uses the following hash generation algorithm (PHP Syntax):

md5(md5($salt).md5($password))

EG URL String:
http://mysite.com/mybb/api.php?action=va...RYPTEDHASH




3. Getting Settings--
The API also allows you to retreive all setting information held within the "Settings" table of MyBB. The settings are returned, encrypted, in the
following xml format string:

<root><settings><s_SETTINGNAME>SETTINGDATA</s_SETTINGNAME></settings></root>

EG URL String:
http://mysite.com/mybb/api.php?action=settings




4. Getting User Info--
Use information can also be pulled using the API. All information from the users table is used, apart fom the "password" field, containing the
user hash. This was done for security purposes. The username should be passed ot the API encrypted.

The data is returned in the following XML string format:

<root><user><u_USERFIELD>DATA</u_USERFIELD></user></root>

EG URL String:
http://mysite.com/mybb/api.php?action=us...EDUSERNAME




5. Thread Listings
This feature mimics the forumdisplay.php output, offering thread listings. It has a number of options to customize the output.
The request should be made in plain text, no need for encryption with this call.

Options:
  • "fid"  => The mandatory field, the API will return 0 if one is not specified.
  • "page" => The page number, the effect of this option is altered by the "num" option. If a page number is selected that doesn't
    exist, the page will be set to 0.
  • "num"  => The number of threads to display on each page. If no numerb is specified, 10 are shown.
  • "sort" => The sorting field to use.If no sort is specified, "lastpost" is used. This has a number of options:
    • "lastpost" = The date of the last post
             
    • "subject" = The alphabetical title of the subject
             
    • "replies" = The number of replies
             
    • "views" = The number of views
             
    • "username" = The alphabetical username
             
    • "averagerating" = The average user rating
             
    • "dateline" = The date of original posting
    • "order" => The order to sort in. This should be "ASC" or "DESC" (capitalized). If no order is specified, DESC is used.

The response is, again, in the form of an XML string in the following format:

<root><t_INCREMENTEDCOUNT><FIELD>DATA</FIELD></t_INCREMENTEDCOUNT></root>
NOTE: The "INCREMENTEDCOUNT" goes from  upwards, so "t_0" -> "t_1" -> "t_2" etc...

EG URL String:
http://mysite.com/mybb/api.php?action=fo...der={ORDER}


NOTE: The paramters can be passed in any order, and any missed parameters will result in default values being used.



6.Subforum Listings
This allows you to determine if a given forum has any subforums, and if so, allows you to display information on them.
All information is passed with this request, in an encrypted format. The return is sent back as an XML string as follows:

<root><f_{COUNT}><{FIELD}>{DATA}</{FIELD}></f_{COUNT}></root>

NOTE: The f_{COUNT} element is used because a single forum may have multiple subforums.

EG URL String:
http://mysite.com/mybb/api.php?action=su...s&fid={FID}


7. Thread information and PostLists
This call has two options that present very different data. The first is information on the given thread (default if no option is designated)
and the second is a list of posts within that thread, with relevant information.

Options:
  • "info"     => The default option, giving information on the thread ID given.
  • "postlist" => Gives a list of posts, along with all information on those posts.

The data is returned in one of 2 XML strings:

- Using the "info" switch:


<root><thread><t_{FIELD}>{DATA}</t_{FIELD}></thread></root>

- Using the "postlist" switch:


<root><postlist><p_{COUNT}><{FIELD}><{DATA}</{FIELD}></p_{COUNT}></postlist></root>

EG URL String:
http://mysite.com/mybb/api.php?action=th...}&tid={TID}


This is a brief overview of the API so far, expect more features to come!


Downloads:

The API:
Use this for any projects Smile
[attachment=25546]

.NET Library & Test App
Library: [attachment=25547] (requires .NET 2.0)
Test App: [attachment=25548] (requires .NET 3.5)
Note: Realistically, any application needs to be written in .NET 3.5 or above to be compatible because of the use of dictionaries and lists.


If anybody would like to, you can write libraries in any language to interface with this API! It would be great Smile
Reply
#2
Great work .. { may be I test it later & provide feedback }
Reply
#3
This user has been denied support. This user has been denied support.
Looks very nice Tom, nice work.
Reply
#4
Very cool. Thank you.
[Image: signature.php?uid=1]
Reply
#5
(2012-02-16, 11:16 PM)Tom K. Wrote: Encryption:
The API uses TripleDES as its encryption algorithm. It uses the Rijndael version in CBC cipher mode. The Key is 32 character, and the IV is 32 characters (providing 256 bits of encryption). The data is "zero" padded. The "API Key" is actually the Key followed by the IV (32 character key, followed by 32 character IV). This method is fast, secure and allows multiple platforms to communicate securely. The algorithm (3DES) is used in the banking
industry for the transfer of PIN codes between merchant and Bank!
I recommend you read up and learn more about encryption before making such statements, as there is a lot of misinformation in there.
For example, Rijndael is AES, not 3DES - you really shouldn't be using the latter as AES was designed to replace 3DES. 3DES is primarily useful in legacy applications (eg various banks) for compatibility - it has nothing to do with being a good cipher (though it's considered secure, AES is better).
IVs do not need to be secret (ie do not provide key-level security) but must be random. Non-random IVs, as you've used in this case, actually reduce security.

Personally, I don't think you should be using private key crypto like this, but then, it's just an API, so meh.
Reply
#6
Sorry for reviving this thread.

So, the plugin is installed, all is good. When going to a URL, it has just a bunch of random numbers and letters, I'm guessing this is the encryption.

But, er, how do you unencrypt it?
Reply
#7
I'm receiving "Invalid Character in Base-64 string" when trying to use any of the testapp's function.. Any help? Sorry for reviving btw, really need this.
Reply
#8
1. It's a thread for 1.6, things may have changed in 1.8.
2. You should have rather "revived" this: http://community.mybb.com/thread-158428.html since the author is (still?) looking for testers,
Reply
#9
How do I generate an API for this? I can't seem to find any documentation on it
Reply
#10
(2017-06-27, 12:33 AM)Thaisen Wrote: How do I generate an API for this? I can't seem to find any documentation on it

This thread is half a decade old, and no longer works with myBB. MyBB has no API other than through plugins.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)