where is the api docs for nodebb?

creatxr

where is the api docs for nodebb?

i want to know how to post to nodebb/login for authentication
and what's its response.

thanks.

julian

You can mimic a standard login by POSTing /login with username and password (and csrf token).

Otherwise, if you're looking to access protected user data via API, then you may want to look into Write API, which allows you to use bearer tokens to access user data.

creatxr

i write code like it's in the test .js below:

---

async function loginNodeBB(name,pass) {
	let jar = request.jar();
	let res = await request.post('https://localhost/login',{
			form: {
				username: name,
				password: pass
			},
			json: true,
			jar: jar,
			rejectUnauthorized: false,
			requestCert: true,
			agent: false,
			headers: {
			}
		});
	console.log(res.body);
}

loginNodeBB('creatxr','creatxr');

---

console message is:

username=creatxr&password=creatxr

it doesn't get the info if the user is authenticated or not !

creatxr

@julian

if i do like this

async function loginNodeBB(name,pass) {
	let jar = request.jar();
	let res = await request.post('https://172.16.220.133/login',{
			form: {
				username: name,
				password: pass
			},
			json: true,
			jar: jar,
			rejectUnauthorized: false,
			requestCert: true,
			agent: false,
			headers: {
			}
		},
			function (err, response, body) {
				console.log(body);
				console.log('1111111111111');
			}
		);
	console.log(res.body);
}

output is:

username=creatxr&password=creatxr
Forbidden
1111111111111

julian

Looks like you're not passing CSRF token in. You can get it by checking config.csrf_token on client side. Pass it in under x-csrf-token header.

creatxr

@julian

async function loginNodeBB(name,pass) {
	let jar = request.jar();
	let res = await request({
		url: 'https://172.16.220.133/api/config',
		json: true,
		jar: jar,
		rejectUnauthorized: false,
			requestCert: true,
			agent: false,
	}, function(err,res,body) {
		if(err) {
			console.log(err);
		}
console.log('11111111111111');
		request.post('https://172.16.220.133/login', {
				form: {
					username: name,
					password: pass,
				},
				json: true,
				jar: jar,
				rejectUnauthorized: false,
			requestCert: true,
			agent: false,
				headers: {
					'x-csrf-token': body.csrf_token,
				},
			}, function (err, res, body) {
				//callback(err, response, body, jar);
				console.log(err);
	//			console.log(res);
	//			console.log(jar);
			});
	}

	);
}

now i change like this,
even username or password is wrong,
the err always is 'null'
how can i know authentication is passed?

PitaJ

@creatxr res.statusCode

creatxr

@PitaJ

thanks.

if success, code is 200 ? i think i get it.
if not , code is 403 ? or maybe has others.

yariplus

Not to be picky, but request is not a Promise. async is doing nothing.

creatxr

@yariplus

yes, i know. i've tried. console print before data return.

i just want to know how the auth works, then to find the way to do what i want.

thanks

creatxr

it seems that 'jar' option is required. without it, even with csrf token, the reponse is '403 err'

creatxr

This post is deleted!

creatxr

This post is deleted!

creatxr

now the code below with axios is success.

const axiosCookieJarSupport = require('axios-cookiejar-support').default;
const tough = require('tough-cookie');
axiosCookieJarSupport(axios);
async function authNodeBB(name,pass) {
	let cookieJar = new tough.CookieJar();

	let instance = await axios.create({
		jar:cookieJar,
		withCredentials: true,
		httpsAgent: new https.Agent({ rejectUnauthorized: false, requestCert: true, keepAlive: true})
	});
	let res = await instance.get('https://172.16.220.133/api/config');
	console.log(res.data.csrf_token);

	instance.defaults.headers['x-csrf-token'] = res.data.csrf_token;

	res = await instance.post('https://172.16.220.133/login',{username:name,password:pass});

	console.log(res.statusCode);
	console.log(res);
}

creatxr

the code with promised request is success

async function authBB(name,pass) {
	let jar = requestPromise.jar();
	let res = await requestPromise({
					url: 'https://172.16.220.133/api/config',
					json: true,
					jar: jar,
					rejectUnauthorized: false,
					requestCert: true,
					agent: false,
				});
	console.log(res.csrf_token);



	res = await requestPromise.post('https://172.16.220.133/login', {
				form: {
					username: name,
					password: pass,
				},
				json: true,
				jar: jar,
				rejectUnauthorized: false,
				requestCert: true,
				agent: false,
				headers: {
					'x-csrf-token': res.csrf_token,
				},
	//			resolveWithFullResponse: true
			});

	console.log(res.header.user);
	console.log(res);
	console.log(res.statusCode);
}

creatxr

the code with python is success

#coding=utf-8

import requests

client = requests.session()
csrf = client.get(url='https://172.16.220.133/api/config', verify=False).json()["csrf_token"]

print csrf

r = client.post(url='https://172.16.220.133/login', verify=False, data={'username':'creatxr', 'password':'creatxr'}, headers={'x-csrf-token': csrf})
print r.content

julian

Glad to hear it

aneeeshp

@creatxr @julian Just tried this code, but, 'csrf_token' value is false. uid value is -1.

Tried the same query from a web browser, this time there is a csrf_token token returned and uid value is 0.

Why is this difference? How to avoid this in the python code?

baris

If you are getting uid===-1 on the /api/config route it means your request was classified as a spider. https://github.com/NodeBB/NodeBB/blob/master/src/routes/authentication.js#L38