Having an issue where I have a XF 1.5.6 installation at localhost/xenforo, with the API add-on (1.4.7) installed, .htaccess copied to localhost/xenforo/api, and the cookie path set to /. When I log into the XF installation everything is fine, but when I use the API it treats me as an unregistered user. For example, going to http://localhost/xenforo/api/users/me (when signed in) returns: Code: {"errors":["You must be a logged-in, registered member of this site to perform this action."]} Is there anything obvious I'm missing?
The API does not authenticate with the cookie session at all. You need to obtain an access token to authenticate as a user via the API.
Ah, thanks - that makes sense! In that case, should this return a valid result? I created a token in the admin CP with all permissions (3910b71caad309f1b4a12d396710ce71efa746a9), this is what my OAuth client's request looks like: http://localhost/xenforo/api/users/me?access_token=3910b71caad309f1b4a12d396710ce71efa746a9 But it still returns a no permission error. (As in my first post.)
For some reason the client I'm using uses access_token, but at least I can easily code a workaround for that. Thanks so much!
xfrocks @jarua Yes, that's common. Some clients allow the developer to configure the parameter name. You can also try to use the Authentication header, should be easier (depending on your client of course).
Unfortunately it wasn't a configurable parameter name, but I coded a hacky solution for it. (Just concerned with getting it working at the moment!) One thing I noticed that was behaving a little weirdly: for my client settings I have "Automatically authorize READ-scope" enabled, but when a client tries the user/me request, it gets the following error: Code: ["error"] => string(32) "Scope read has not been granted." Presumably that setting is supposed to grant read access for all requests?
Nope, that setting only lets the user bypass the authorization form. For example, if you enable auto grant for read and post and some client requests the read, post + converse scopes, the user will only need to authorize the converse scope (the other 2 are granted automatically).
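
The distinction in the last reply, as an added example that is not part of the thread and not the add-on's code: a simplified model in which auto-authorize only shortens the consent form, while each API request is still checked against the scopes the token actually carries. All function names are hypothetical; the scope names and the error text are taken from the posts above.

```python
# Simplified model (assumption): not the API add-on's implementation.

class ScopeError(Exception):
    """Raised when a request needs a scope the token does not carry."""


def scopes_needing_consent(requested, auto_authorized):
    """Scopes the user still has to approve on the authorization form."""
    return set(requested) - set(auto_authorized)


def token_scopes(requested, auto_authorized, user_approved):
    """Scopes attached to the issued token.

    Auto-authorize skips the prompt for scopes the client asked for;
    it never adds a scope that was not in the request.
    """
    requested = set(requested)
    return (requested & set(auto_authorized)) | (requested & set(user_approved))


def require_scope(granted, scope):
    """Request-time check, mirroring the error quoted in the thread."""
    if scope not in granted:
        raise ScopeError(f"Scope {scope} has not been granted.")
    return True


def demo():
    auto = {"read", "post"}  # client setting: auto-authorize read and post
    # Case from the reply: the client asks for read, post and converse.
    prompt = scopes_needing_consent({"read", "post", "converse"}, auto)
    # Constructed case: the client asks for post only, so the token has no
    # read scope even though read is auto-authorized for this client.
    granted = token_scopes({"post"}, auto, user_approved=set())
    try:
        require_scope(granted, "read")
        error = None
    except ScopeError as exc:
        error = str(exc)
    return prompt, granted, error


if __name__ == "__main__":
    print(demo())
```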