Authentication
First of all, XenForo always requires you to send an xf_session cookie in your calls, so we'll need to acquire that first.
Because the smallest page I know about is "https://gbatemp.net/dynamic/", we'll make a request to it with an empty cookie store. After the request has been made, store the "xf_session" cookie somewhere you can access it from your requests. You'll NEED to include it as a cookie in all your requests!
Logging in
To log in, you'll need to POST a form to "https://gbatemp.net/login/login", with POST parameters login=<URLEncoded username>&password=<URLEncoded password>&register=0&cookie_check=1&_xfToken=&redirect=%2F
Example: my username is "MarcusD", and my password is "kekeke/index.php"
login=MarcusD&password=kekeke%2Findex.php&register=0&cookie_check=1&_xfToken=&redirect=%2F
If the response doesn't set a new xf_session cookie, interrupt the login process: match the response body for the error message by getting the value between <span class="errors"> and </span>, and display it if it matched; otherwise display a generic error message. If the response does set a new xf_session cookie, store the new value, replacing the old value.
Java: "<span class=\\\"errors\\\">([^<]*)</span>"
PHP: "/<span class=\"errors\">([^<]*)<\/span>/"
Now, make another call to "https://gbatemp.net/dynamic/", and using some kind of Regex, match the body for _csrfToken: "user token here"
Java: "_csrfToken: \\\"([^\\\"]*)\\\""
PHP: "/_csrfToken: \"([^\"]*)\"/"
If there's no value between the quotes (so _csrfToken: "" is the response), then interrupt the login process, and display a generic error message.
If you matched a token, then store it somewhere accessible by every request you make, because you MUST include it in every request you make as a URL-encoded GET/POST parameter named _xfToken
Bad example: php.php?lel=lol&_xfToken=numbers%2CSomeHashHere%2CanotherHash
If you got here, then test the validity of the stored data by getting the notification count, which is explained a little bit later below.
Logging off
https://gbatemp.net/logout/?_xfToken=token
Session upkeep (not fully RE'd)
POST
http://gbatemp.net/login/csrf-token-refresh
_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json&_xfToken=URLEncoded_old_xfToken
Refreshes your xf_session cookie; you somehow get the refreshed _xfToken from the response
API calls
Notification / Message count
POST "https://gbatemp.net/index.php?liveupdate" _xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json&_xfToken=URLEncoded_xfToken
Example response on success
JSON:
{"status":"ok","message":"Request Completed Successfully.","_visitor_conversationsUnread":"0","_visitor_alertsUnread":"0"}
Response on fail
JSON:
{"status":"ok","message":"Request Completed Successfully."}
Note: NEVER check by string comparing! Use Regex!
Getting notification/message list
Note: you are getting the notification list in HTML, so you'll need heavy parsing methods to extract the useful info from it.
GET https://gbatemp.net/account/alerts-popup?_xfRequestUri=%2F&_xfNoRedirect=1&_xfResponseType=json&_xfToken=URLEncoded_xfToken
Match for errors first; check if the response contains ( "errorOverlayType": ). If it does, interrupt the process; most likely your token has expired or is invalid.
Match the whole value between ( "templateHtml":" ) and ( ","css" )
For the private messages, just replace the underlined part with https://gbatemp.net/conversations/popup
That's all I know right now
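The parsing and decision steps of the flow above, as an added Python example that is not part of the original post; it makes no network requests. The function names and the constructed sample bodies are assumptions, and it decodes the _xfResponseType=json bodies with a JSON parser instead of the marker matching described above, assuming they are valid JSON like the two quoted samples.

```python
import json
import re
from urllib.parse import urlencode

ERROR_RE = re.compile(r'<span class="errors">([^<]*)</span>')
CSRF_RE = re.compile(r'_csrfToken: "([^"]*)"')

def login_form(username, password):
    """Body for the login POST; urlencode escapes '/' and '&' in the values."""
    return urlencode([("login", username), ("password", password),
                      ("register", "0"), ("cookie_check", "1"),
                      ("_xfToken", ""), ("redirect", "/")])

def login_error(body, generic="Login failed"):
    """Error text to show when the login response set no new xf_session."""
    m = ERROR_RE.search(body)
    return m.group(1).strip() if m and m.group(1).strip() else generic

def csrf_token(page):
    """Token from the /dynamic/ page, or None if absent or empty."""
    m = CSRF_RE.search(page)
    return m.group(1) if m and m.group(1) else None

def unread_counts(body):
    """(alerts, conversations), or None when the counters are missing."""
    try:
        data = json.loads(body)
        return (int(data["_visitor_alertsUnread"]),
                int(data["_visitor_conversationsUnread"]))
    except (KeyError, TypeError, ValueError):
        return None

def popup_html(body):
    """Decoded templateHtml, or None if the response has errorOverlayType."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or "errorOverlayType" in data:
        return None
    return data.get("templateHtml")

# Sample bodies: OK and FAIL are the two responses quoted in the post,
# POPUP and EXPIRED are constructed for this example.
OK = '{"status":"ok","message":"Request Completed Successfully.","_visitor_conversationsUnread":"0","_visitor_alertsUnread":"0"}'
FAIL = '{"status":"ok","message":"Request Completed Successfully."}'
POPUP = r'{"templateHtml":"<li class=\"alert\">constructed<\/li>","css":[]}'
EXPIRED = r'{"error":["constructed"],"errorOverlayType":"error"}'
```

Decoding the JSON also unescapes the \" and \/ sequences inside templateHtml, which matching between the two markers would leave in place.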