PR: https://github.com/phpbb/phpbb/pull/3100
-----------
Abstract
A sort of API that enables users to interact with a phpBB forum from within other applications, such as for example a desktop application.
Further Description
I would like to see some kind of API in place to be able to interact with a forum in more ways than accessing it from the forum itself. It should allow developers to easily create an application, either dedicated to doing phpBB stuff for example a desktop client or a mobile client (what I understand from a friend of mine, this has already been discussed to a no but I do not know the exact details of it, but it's just an example I'm using) or a regular application that integrates phpBB in a way, maybe for integrated bug reporting in a game?
Suggested Usecases
- Dedicated desktop applications
- Mobile applications?
- A better integrated forum than a browser frame in, say, a game. It could be used for in-game discussion, easier bug-reporting (bug report could automatically be posted to correct forum upon user choosing to submit one)
- Integration with blogsystems/CMSes, an example if a news post is posted in the CMS, it could be automatically posted to a news forum as well
- More
Implement an API of some kind, JSON seems to be a reasonable choice seeing it being pretty common in other APIs and fairly easy to work with, but other, more suitable, if any, solutions could also work? It should be easy to use and understand. It should be able to be enabled/disabled trough the ACP in case the administrator runs ads on the board and don't want to lose impressions or for other reasons. It should be accessible to the users so the users easily can use a 3rd part application (much like the twitter API does it), maybe with some keypair solution instead of using passwords that might be insecure? Of course would board permissions still apply to the data returned by the API and what can be run. Also an ability to limit the API usage to certain groups may be a feature, like if the admin wants to implement point 3 of the suggested usecases but doesn't want users to use the API. This could be done by only accepting keypairs of users in the right groups (this could contribute to the "ad" issue I've heard of when dealing with APIs, users could pay/donate an amount to be able to access the API).
Suggested start of implementation
It would be nice to have some basic implementation with most basic features implemented, like ability to see posts and forums and post new topics/replies. Later more features could be added, like UCP, MCP and even ACP.
Sorry if I missed anything/I'm not clear on something, it's kinda late and I'm a bit tired
Current status
There are currently 2 pull requests: The first one is the original pull request, but it was decided it would be closed and smaller pull requests would be opened for each part, as the original had gotten pretty massive.
What exists in the original PR
The original pull requests contains a custom authentication system for the API and endpoints for listing forums, threads and post as well as submitting new topics and creating replies. This PR is pretty outdated right now since I've continued the work on the auth system in the newer PR, and things in phpBB has changed meaning the various endpoints probably wont work without changes (although I don't think they have to be redone from scratch, just updated).
The new PR
The new PR only contains the authentication system. The auth system is built upon the auth system I originally created, but some extra features have been added and bugs fixed, as well as updating it to work with new route system etc.
What needs to be done
There have been discussions in IRC and in this thread to implement OAuth2 as the auth system. This probably needs to be the next thing to do.
There are however some issues I have with OAuth2 that I describe in this post. To summarize is that I feel I lack the knowledge about OAuth2 to currently implement anything with it and I haven't had the time to look it up and how the different authentication strategies work. My vision of the API was to have a united API across all boards, and if OAuth2 can provide such strategy (where a developer doesn't need to register their application with every forum) it's all good.
Input needed
It would be nice with some input of what kind of API we actually want. I realized far too late that I probably wasn't very clear with what kind of API I personally wanted, one where a developer can create one application that works with every board (that has the API turned on, of course), and that's the reason why I didn't chose OAuth2 to begin with, as with my limited knowledge all I could see when reading about OAuth2 was strategies that required every application (client) to register themselves by the developer. If that's the case then it's against the vision I had from the start.
But it isn't up to me to decide if this is the API we want, since the API is a complex feature it needs to be decided what kind of API we want, if it should be an API that works everywhere without registering, or an API that only works on single forums where the client happens to be registered. Therefore I ask for ideas, input and knowledge about it