Support for authorization/application tokens and/or login

[JanWennrich]

Hello there,

since a few weeks the BoardGameGeek XML API requires authentication to use it: https://boardgamegeek.com/using_the_xml_api

When requesting data about your own account, it's sufficient to be logged in (send session cookies) when accessing the API.
When requesting data about other people, you have to send an application token via an Authorization header.

To keep using this library, it is necessary to be able to do this kind of authorization.
Are there any efforts planned to implement this in the near future?
If not, I'd be willing to contribute it via a pull request.

Implementation

Thinking about implementing this:
The current approach of using simplexml_load_file to query the API has to be replaced, because it does not support request headers.
The easiest solution would probably be using a HTTP request library (e.g. Guzzle). This would introduce additional dependencies to the project.
If no dependencies should be added, this could also be accomplished by using the curl_ methods of the cURL PHP extension. This would be more tedious.

Examples

Here are some examples on how to programmatically authenticate and query the API. These examples can be easily ported to PHP code to implement the missing feature.

Query your own plays:

Assuming your username is "FooBar", you can login and query your plays programmatically via curl like this:

curl 'https://boardgamegeek.com/login/api/v1' \
  --data-raw '{"credentials":{"username":"FooBar","password":"my-password123"}}'

The response to this login request contains the bggusername, bggpassword and SessionID cookies which can be used to authenticate against the XML API to query your own plays:

curl 'https://boardgamegeek.com/xmlapi2/plays?username=FooBar' \
        -b 'bggusername=FooBar; bggpassword=somehash123; SessionID=somesessionid123456'        

Query another persons plays

Assuming your username is "FooBar" and you have the application token 123-abc-456-789-def, you can programmatically query the plays of user "LoremIpsum" via curl like this:

curl 'https://boardgamegeek.com/xmlapi2/plays?username=Klabauterjan' \
        -H 'Authorization: Bearer 123-abc-456-789-def'

Disclaimer: Querying another persons plays is based on the BGG documentation and not tested by me as I do not have an application token (yet).

[nataniel]

Thanks for a very detailed breakdown of the changes. I will update the library soon.

[JanWennrich]

I just noticed that @castro732 implemented most of this in his fork: master...castro732:bggxmlapi2:master

It's just missing authentication via a session cookie.