Create a API script

[dam034]

Dear users,

I want to create APIs for my MTASA Server, as FB apis o Google apis.

Example: without an HTTP autenthication, requesting GET http://server-ip:22005/api?what=userlist I want to retrieve (in JSON) the list of the connected users to my server, or requesting POST http://server-ip:22005/api with fields what=wheater&number=4 I want to execute setWeather(4) on my server.

Someone can help me how to create a resource which does this?

 

Thanks

[Addlibs]

<!-- meta.xml -->
<html src="call.htm" />

<!-- call.htm -->
<*
   if (form["do"] == "setweather") then
      httpWrite(setWeather(form["weather"]) and "SUCCESS" or "FAILED")
   elseif (form["do"] == "getweather") then
      httpWrite(getWeather())
   end
*>

You should be able to GET/POST http://ip:port/(resourcename)/call.htm?do=setweather&weather=4 and it'll respond with either "SUCCESS" or "FAILED". However, this was written just using my memory, and haven't been tested.

[dam034]

I have this questions:

1. to visit the resource via web I need HTTP authentication?
2. what is "form" variable?
3. by force HTML has to be the API page?

 

 

Thanks

[Addlibs]

HTTP Authentication can be disabled if you allow access to general.http in the ACLs for Default ACL. This, however, allows access to anyone to any part of the HTTP interface so you should either turn off anything that's restricted access, or don't disabled the HTTP authentication. You can always just add authentication within the URL (i.e. http://username:password@ip:port/api/call.htm)

I have no idea whether .htm or .html is required. You could try it without and let us know.

[dam034]

On 23/9/2017 at 11:08, MrTasty said:

HTTP Authentication can be disabled if you allow access to general.http in the ACLs for Default ACL. This, however, allows access to anyone to any part of the HTTP interface so you should either turn off anything that's restricted access, or don't disabled the HTTP authentication. You can always just add authentication within the URL (i.e. http://username:password@ip:port/api/call.htm)

Yes, I understand. How can I grant the HTTP access to anyone only to this recource, and set HTTP authentication to visit the others?

On 23/9/2017 at 11:08, MrTasty said:

I have no idea whether .htm or .html is required. You could try it without and let us know.

I want to remove the extension, can I? (e.g. http://server-ip:22005/myres/call?do=weather)

 

 

Thanks

[Addlibs]

Alright, I've checked the following:

• The HTML file does not have to have .htm or .html at the end, you can remove it and it'll still work and process Lua correctly.
• You can grant public access to a HTTP resource, by adding the following right in the Default ACL: resource.(resourcename).http (this is an ACL right, not an object of an ACL group)
  • However, I would still advise you to just add an account for "remote", place it within an elevated ACL group, for example, RPC (or your own ACL group) and add the aforementioned right only to that ACL instead of making it public. Then just connect to the HTTP as follows: http://remote:(remoteaccountpassword)@(serverip):(serverhttpport)/(resourcename)/call?do=(whatever)

Edited September 24, 2017 by MrTasty

[dam034]

51 minutes ago, MrTasty said:

The HTML file does not have to have .htm or .html at the end, you can remove it and it'll still work and process Lua correctly.

So I have to create a file with any extension (like json), and add it in meta.xml

<html src="api.json" />

Is it right?

51 minutes ago, MrTasty said:

You can grant public access to a HTTP resource, by adding the following right in the Default ACL: resource.(resourcename).http (this is an ACL right, not an object of an ACL group)

However, I would still advise you to just add an account for "remote", place it within an elevated ACL group, for example, RPC (or your own ACL group) and add the aforementioned right only to that ACL instead of making it public. Then just connect to the HTTP as follows: http://remote:(remoteaccountpassword)@(serverip):(serverhttpport)/(resourcename)/call?do=(whatever)

 

So, if I understood right: I have to create an user in MTA console called "forapis" (or as I want), set its password and grant to the resource only the rights as I want to use in the API, avoiding security flaws. When I'll use php curl library to call the API, I'll call http://forapis:mypw@ip:port/resname/api?do=myaction. Did I understand well?

 

Thanks

[Addlibs]

You have to remove the extension from the file name, and correct the meta.xml too.

<html src="call" /> <!-- no file extension, since the actual file doesn't have it -->

And then place it in a resource such as "api". Then you access it like so: http://forapis:yourpw@ip:port/api/call?whateveryouwanthere

Edited September 24, 2017 by MrTasty

[dam034]

Thanks for the help! Another thing: where is the documentation about the "form" variable?

[Addlibs]

Right here: https://wiki.multitheftauto.com/wiki/Resource_Web_Access#Parsed_files

Quote

table form: This is a table containing all the form data submitted to the page using HTTP POST combined with any variables passed in the querystring with HTTP GET.

Edited September 24, 2017 by MrTasty

[obuhhh]

I think this topic should be pinned...