I want to modify the front end, but I don’t know how to modify it

LF_Mcxixif_

I want to use the API to implement the following functions, can someone provide me with some examples?

Register a new user
Modify user password
Modify user avatar URL

thank you very much! 😀

clarkwinkelmann

LF_Mcxixif_ it's something along these lines:

POST /api/users
{
    "data": {
        "attributes:" {
            "username": "username",
            "email": "email",
            "password": "password"
        }
    }
}

Password change can only be done if the request is made with an admin access token, otherwise normal users can only request a password change by email.

LF_Mcxixif_ Modify user avatar URL

That's not possible with native REST API. Absolute URLs as avatars can only be set via the database directly. You'll need to use the Extension API to allow setting URLs via the REST API.

LF_Mcxixif_

clarkwinkelmann
Is the request header set like this? Where "xxxxxxx" is api_key

LF_Mcxixif_

clarkwinkelmann
I use the API to implement these functions, which I want to use when registering users on my main site

clarkwinkelmann

LF_Mcxixif_ I believe the header is called Authorization

For the content-type form-urlencoded might work but I recommend you use JSON. It will be complicated to encode the nested objects and preserve value types otherwise.

LF_Mcxixif_

clarkwinkelmann
What is the situation?

clarkwinkelmann

LF_Mcxixif_ it's Authorization header. "Authentication" isn't a thing.

The CSRF error means it couldn't find any API token in your request, so it's defaulting to looking for a CSRF token, which obviously isn't present when making requests from a script.

ddeeffw

i have a stupid way to solve your first question, you can find a place to insert a javascript like

document.addEventListener('DOMContentLoaded', () => {
  let el = document.querySelector('xxx'); // button you want to hide
  el?.parentNode.removeChild(el)
})

i don't know if it really works 🤣

LF_Mcxixif_

clarkwinkelmann
Oops, I confuse them! Now I have successfully created a new user, but the Json he returned is

{"errors": [{"status": "500","code": "unknown"}]}

In addition, I want to update the user avatar via POST /api/users/:id/avatar, what data should I send?
The user’s images are all in the form of URLs

SKevo

LF_Mcxixif_ In addition, I want to update the user avatar via POST /api/users/:id/avatar, what data should I send?
The user’s images are all in the form of URLs

You must download the images first and POST them as bytes to the /api/users/:id/avatar route with the following data: { avatar: <binary> }. It has to be encoded as form-data/multipart, I think. Sending URL strings is not supported by Flarum, as they won't be downloaded and converted to actual images by it (as far as I know)

A handy hack is to open up browser's dev tools, go to the network page and start recording all requests, then perform an action. I use it all the time when I need to figure out where to send what during the development of my Python API client

LF_Mcxixif_

SKevo
Then I think it is easier to modify the database directly

So how to modify the user's password through API?

SKevo

LF_Mcxixif_ You can't change it directly from the API and all that you can do is send a password reset E-mail for yourself. To do that, just send a PATCH request to /api/users/:id with JSON { email: <your E-mail> }. I haven't tested this yet because I'm on my mobile right now, but that's what I have on my GitHub

LF_Mcxixif_

SKevo Then I want to know, what is Flarum's password encryption method? Maybe I can modify the user's password by modifying the database.

SKevo

LF_Mcxixif_ yes, that's definitely possible. Flarum uses bcrypt for password encryption. We (FreeFlarum) use Python's bcrypt package to hash passwords and put them into database. The default settings are fine with no rounds or indent specified - Flarum handles it just fine. You might want to check how the package works though, as the default settings might be different for PHP?

Also, I recommend you to edit the database directly when creating a Flarum extension. Things are easier, as you shouldn't trust client's JS, because opening devtools allows them to send custom data. It's always better to handle it in the backend instead.

LF_Mcxixif_

SKevo What function does he use?
For example, md5(md5($password).salt) in PHP

SKevo

LF_Mcxixif_
I am not a PHP developer, so I can't help you with the PHP code, sorry. There is definitely some PHP bcrypt package that Flarum is using, you could check Flarum's dependencies and source code

LF_Mcxixif_

SKevo I made a trick myself, and use the PHP function password_hash("$password", PASSWORD_DEFAULT); to generate $2y$10$xxxxxxxxxxxxxxxxxx

After verification, it is indeed the password

clarkwinkelmann

You can use any PHP hash supported by PHP's password_hash. The first few bytes of the hash specify the algorithm and the number of rounds, and Flarum will automatically use those parameters even if it's different from Flarum's own defaults.

Any bcrypt library in another programming language should be compatible.

SKevo You can't change it directly from the API and all that you can do is send a password reset E-mail for yourself

When making the request as an admin, you can actually set the password directly. It's a very similar payload as my previous example, just PATCH /api/users/<id> with a JSON payload of data.attributes.password. When changing the password via the REST API like this you don't need to hash it, Flarum will to it from the plaintext password.

SKevo

clarkwinkelmann When making the request as an admin, you can actually set the password directly. It's a very similar payload as my previous example, just PATCH /api/users/<id> with a JSON payload of data.attributes.password. When changing the password via the REST API like this you don't need to hash it, Flarum will to it from the plaintext password.

Ah indeed, but I was assuming that the user has not the "Edit Credentials" permission, and like you mentioned - this applies only for admins (or users with the permission). But technically yes, it is possible to edit the password this way, sorry for the confusion