This wiki has been automatically closed because there have been no edits or log actions made within the last 60 days. If you are a user (who is not the bureaucrat) that wishes for this wiki to be reopened, please request that at Requests for reopening wikis. If this wiki is not reopened within 6 months it may be deleted. Note: If you are a bureaucrat on this wiki, you can go to Special:ManageWiki and uncheck the "Closed" box to reopen it.

X-CSRF-Token

From RoAPI
Revision as of 13:07, 29 December 2021 by Zambi (talk | contribs) (print status code in lu wow)

At this point, we’re now authenticated - but there’s one thing missing. If we try to send a POST request, you’ll notice that the request still fails.

Here's an example of some code that won't work due to the X-CSRF-Token:

import requests

cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_RestOfCookieGoesHere"

session = requests.Session()
session.cookies[".ROBLOSECURITY"] = cookie
req = session.post(
    url="https://auth.roblox.com/"
)

print(req.status_code)  # output the status code
print(req.json()["errors"][0]["message"])  # output the error message
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

response = HTTP.cookies({
    :".ROBLOSECURITY" => COOKIE
}).post("https://auth.roblox.com")

puts response.status # Print the status code
puts JSON.parse(response)["errors"][0]["message"] # Print the error message
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const response = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "Content-Length": "0",
    },
    method: "POST",
});
const body = await response.json();

console.log(response.status);
console.log(body["errors"][0]["message"]);
// npm install node-fetch
import fetch from "node-fetch"

const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const response = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "Content-Length": "0",
    },
    method: "POST",
});
const body = await response.json();

console.log(response.status);
console.log(body["errors"][0]["message"]);
/*
    Cargo.toml dependencies:
    reqwest = { version = "0.11.4" }
    tokio = { version = "1.11.0", features = ["macros", "rt-multi-thread"]}
    serde_json = { vesion = "1.0.67"}
*/
use reqwest::header::{HeaderMap, HeaderValue};
use reqwest::Client;
use serde_json::{from_str, Value};

const COOKIE: &str = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

#[tokio::main]
async fn main() {
    let client = Client::new();
    let mut headers = HeaderMap::new();
    headers.insert(
        "Cookie",
        HeaderValue::from_str(&format!(".ROBLOSECURITY={};", COOKIE)).unwrap(),
    );
    headers.insert("Content-Length", HeaderValue::from_str("0").unwrap());

    let response = client
        .post("https://auth.roblox.com")
        .headers(headers)
        .send()
        .await
        .unwrap();

    let status = response.status(); // that feel when .text() consumes the response
    let body: Value = from_str(&response.text().await.unwrap()).unwrap();

    println!("{}", status);
    println!("{}", body["errors"][0]["message"]);
}
local HttpService = game:GetService("HttpService")

-- when inputting your cookie, remove the _|  |_ part
local COOKIE = ""
local headers = {
	Cookie = string.format(".ROBLOSECURITY=%s", COOKIE)
}

local request = HttpService:RequestAsync({
	Method = "POST",
	Url = "https://rprxy.deta.dev/auth", -- public proxy that should not be used in production
	Headers = headers
})

print(request.StatusCode)
print(HttpService:JSONDecode(request.Body).errors[1].message)
// Uses the Netwonsoft.Json package. Run "dotnet add package Newtonsoft.Json --version 13.0.1" on your terminal to install it.
using System.Net;
using Newtonsoft.Json;

const string roblosecurity = "cookie";

CookieContainer cookies = new CookieContainer();
cookies.Add(new Cookie(".ROBLOSECURITY", roblosecurity, "/", "roblox.com"));
HttpClient httpClient = new HttpClient(new HttpClientHandler()
{
    CookieContainer = cookies
});

HttpResponseMessage response = await httpClient.PostAsync("https://auth.roblox.com", null);
dynamic body = JsonConvert.DeserializeObject(await response.Content.ReadAsStringAsync()) ?? throw new Exception("Unable to deserialize body");

Console.WriteLine(response.StatusCode);
Console.WriteLine(body["errors"][0]["message"]);

This code should output something like the following:

403
Token Validation Failed

The 403 Forbidden status code is returned when the client "is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account".

If you saw this while trying to write your own code to access the API, you might ask "why is this error coming up? My .ROBLOSECURITY token is correct, and it worked when I used the "Try it out!" button on the documentation page."

The truth is that this error message isn’t referring to "token" as in your .ROBLOSECURITY token - it’s actually referring to a header that you have to supply to all requests that change data called the X-CSRF-Token.

To handle this token, each time we send a request, we'll save the X-CSRF-Token - which is present in the response headers - to a value. Then, if the request failed with a status code of 403, we'll send the request again with the X-CSRF-Token we just got the first request as a request header.

# With the Session object, we can just store the token in the headers dictionary, but you can pass them directly to each request as well.
import requests

cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_Token"

session = requests.Session()
session.cookies[".ROBLOSECURITY"] = cookie

# send first request
req = session.post(
    url="https://auth.roblox.com/"
)

if "X-CSRF-Token" in req.headers:  # check if token is in response headers
    session.headers["X-CSRF-Token"] = req.headers["X-CSRF-Token"]  # store the response header in the session

# send second request
req2 = session.post(
    url="https://auth.roblox.com/"
)

print("First:", req.status_code)
print("Second:", req2.status_code)
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

client = HTTP.cookies({
    :".ROBLOSECURITY" => COOKIE
})

first_response = client.post("https://auth.roblox.com")

client = client.headers({
    :"x-csrf-token" => first_response.headers["x-csrf-token"]
})

second_response = client.post("https://auth.roblox.com")

puts "First: #{first_response.status}"
puts "Second: #{second_response.status}"
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const firstResponse = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "Content-Length": "0",
    },
    method: "POST",
});

const secondResponse = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "x-csrf-token": firstResponse.headers.get("x-csrf-token")!,
        "Content-Length": "0",
    },
    method: "POST",
});

console.log(`First: ${firstResponse.status}`);
console.log(`Second: ${secondResponse.status}`);
// npm install node-fetch
import fetch from "node-fetch"

const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const firstResponse = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "Content-Length": "0",
    },
    method: "POST",
});

const secondResponse = await fetch("https://auth.roblox.com", {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
        "x-csrf-token": firstResponse.headers.get("x-csrf-token"),
        "Content-Length": "0",
    },
    method: "POST",
});

console.log(`First: ${firstResponse.status}`);
console.log(`Second: ${secondResponse.status}`);
/*
    Cargo.toml dependencies:
    reqwest = { version = "0.11.4" }
    tokio = { version = "1.11.0", features = ["macros", "rt-multi-thread"]}
*/
use reqwest::header::{HeaderMap, HeaderValue};
use reqwest::Client;

const COOKIE: &str = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

#[tokio::main]
async fn main() {
    let client = Client::new();
    let mut headers = HeaderMap::new();
    headers.insert(
        "Cookie",
        HeaderValue::from_str(&format!(".ROBLOSECURITY={};", COOKIE)).unwrap(),
    );
    headers.insert("Content-Length", HeaderValue::from_str("0").unwrap());

    let first_response = client
        .post("https://auth.roblox.com")
        .headers(headers)
        .send()
        .await
        .unwrap();

    let mut headers = HeaderMap::new();
    headers.insert(
        "Cookie",
        HeaderValue::from_str(&format!(".ROBLOSECURITY={};", COOKIE)).unwrap(),
    );
    headers.insert("Content-Length", HeaderValue::from_str("0").unwrap());
    headers.insert(
        "x-csrf-token",
        HeaderValue::from_str(
            first_response
                .headers()
                .get("x-csrf-token")
                .unwrap()
                .to_str()
                .unwrap(),
        )
        .unwrap(),
    );

    let second_response = client
        .post("https://auth.roblox.com")
        .headers(headers)
        .send()
        .await
        .unwrap();

    println!("First: {}", first_response.status());
    println!("Second: {}", second_response.status());
}
--!strict
local HttpService = game:GetService("HttpService")

-- when inputting your cookie, remove the _|  |_ part
local COOKIE = ""
local headers = {
	Cookie = string.format(".ROBLOSECURITY=%s", COOKIE)
}

local response1 = HttpService:RequestAsync({
	Method = "POST",
	Url = "https://rprxy.deta.dev/auth", -- public proxy that should not be used in production
	Headers = headers
})

headers["x-csrf-token"] = response1.Headers["x-csrf-token"]

local response2 = HttpService:RequestAsync({
	Method = "POST",
	Url = "https://rprxy.deta.dev/auth", -- public proxy that should not be used in production
	Headers = headers
})

print("First: " .. response1.StatusCode)
print("Second: " .. response2.StatusCode)
using System.Net;

const string roblosecurity = "cookie";

CookieContainer cookies = new CookieContainer();
cookies.Add(new Cookie(".ROBLOSECURITY", roblosecurity, "/", "roblox.com"));
HttpClient httpClient = new HttpClient(new HttpClientHandler()
{
    CookieContainer = cookies
});

HttpResponseMessage firstResponse = await httpClient.PostAsync("https://auth.roblox.com", null);
httpClient.DefaultRequestHeaders.Add("x-csrf-token", firstResponse.Headers.GetValues("x-csrf-token").First());

HttpResponseMessage secondResponse = await httpClient.PostAsync("https://auth.roblox.com", null);

Console.WriteLine($"First: {firstResponse.StatusCode}");
Console.WriteLine($"Second: {secondResponse.StatusCode}");

This program will send one request, check if the X-CSRF-Token was present in the response, and if so will store it back into the session's headers. We then repeat the first request again, and then outputs the status codes from both requests.

This code should output something like the following:

First: 403
Second: 200

This solution works - but it doesn't scale well. If we want to properly do this, we’ll put all of this logic in a function that handles our requests for us and then call that when sending requests. This is (essentially) what the request wrappers in Roblox API wrapper libraries do.

Request function

Here's an example of a function that does what we need:

import requests

cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

session = requests.Session()
session.cookies[".ROBLOSECURITY"] = cookie


def rbx_request(method, url, **kwargs):
    request = session.request(method, url, **kwargs)
    method = method.lower()
    if method in ["post", "put", "patch", "delete"]:
        if "X-CSRF-TOKEN" in request.headers:
            session.headers["X-CSRF-TOKEN"] = request.headers["X-CSRF-TOKEN"]
            if request.status_code == 403:  # Request failed, send it again
                request = session.request(method, url, **kwargs)
    return request


req = rbx_request("POST", "https://auth.roblox.com/")
print(req.status_code)
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

module HTTPClient
  @client = HTTP.cookies({
    :".ROBLOSECURITY" => COOKIE
  })

  def self.rbx_request(verb, url, *args)
    response = @client.request(verb, url, *args)
    return response if response.status == 200
        
    if response.status == 403
      if response.headers.include?("x-csrf-token")
        @client = @client.headers({
          :"x-csrf-token" => response.headers["x-csrf-token"]
        })
        return rbx_request(verb, url, args, kwargs)
      end
    end

    response
  end
end

response = HTTPClient.rbx_request(:post, "https://auth.roblox.com")

puts response.status
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

let xCsrfToken = "";

const rbxRequest = async (
    verb: string,
    url: string,
    body?: string
): Promise<Response> => {
    const response = await fetch(url, {
        headers: {
            Cookie: `.ROBLOSECURITY=${COOKIE};`,
            "x-csrf-token": xCsrfToken,
            "Content-Length": body?.length.toString() || "0",
        },
        method: verb,
        body: body || "",
    });

    if (response.status == 403) {
        if (response.headers.has("x-csrf-token")) {
            xCsrfToken = response.headers.get("x-csrf-token")!;
            return rbxRequest(verb, url, body);
        }
    }

    return response;
};

const response = await rbxRequest("POST", "https://auth.roblox.com");

console.log(response.status);
// npm install node-fetch
import fetch from "node-fetch"

const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

let xCsrfToken = "";

const rbxRequest = async (verb, url, body) => {
    const response = await fetch(url, {
        headers: {
            Cookie: `.ROBLOSECURITY=${COOKIE};`,
            "x-csrf-token": xCsrfToken,
            "Content-Length": body?.length.toString() || "0",
        },
        method: "POST",
        body: body || "",
    });

    if (response.status == 403) {
        if (response.headers.has("x-csrf-token")) {
            xCsrfToken = response.headers.get("x-csrf-token");
            return rbxRequest(verb, url, body);
        }
    }

    return response;
};

const response = await rbxRequest("POST", "https://auth.roblox.com");

console.log(response.status);
--!strict
type Table = {[any]: any}

local HttpService = game:GetService("HttpService")

-- when inputting your cookie, remove the _|  |_ part
local COOKIE = ""
local headers = {
	Cookie = string.format(".ROBLOSECURITY=%s", COOKIE)
}

local function rbxRequest(method: string, url: string, body: Table?)
	method = string.upper(method)
	
	local response = HttpService:RequestAsync({
		Method = method,
		Url = url,
		Body = body,
		Headers = headers
	})
	
	local statusCode = response.StatusCode
	if statusCode == 401 then
		error("A valid .ROBLOSECURITY cookie is required")
	elseif statusCode == 403 then
		local responseHeaders = response.Headers
		if responseHeaders["x-csrf-token"] then
			headers["x-csrf-token"] = responseHeaders["x-csrf-token"]
			return rbxRequest(method, url, body)
		end
	end
	
	return response
end

local response = rbxRequest("POST", "https://auth.roblox.com")
print(response.StatusCode)
// Uses the Netwonsoft.Json package. Run "dotnet add package Newtonsoft.Json --version 13.0.1" on your terminal to install it.
using System.Net;
using System.Text;
using Newtonsoft.Json;

const string roblosecurity = "cookie";

CookieContainer cookies = new CookieContainer();
cookies.Add(new Cookie(".ROBLOSECURITY", roblosecurity, "/", "roblox.com"));
HttpClient httpClient = new HttpClient(new HttpClientHandler()
{
    CookieContainer = cookies
});

async Task<HttpResponseMessage> Request(HttpMethod method, Uri url, dynamic? body = null)
{
    HttpResponseMessage response = await httpClient.SendAsync(
        new HttpRequestMessage(method, url)
        { Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json") }
    );

    switch (response.StatusCode)
    {
        case HttpStatusCode.Unauthorized:
            throw new Exception("A valid .ROBLOSECURITY cookie is required");

        case HttpStatusCode.Forbidden:
            httpClient.DefaultRequestHeaders.Add("x-csrf-token", response.Headers.GetValues("x-csrf-token").First());
            return await Request(method, url, body);
    }

    return response;
}

HttpResponseMessage response = await Request(HttpMethod.Post, new Uri("https://auth.roblox.com"));

Console.WriteLine(response.StatusCode);

This code should output something like the following:

200
Now that we’ve done this, it makes it marginally easier to send requests to the API.
This article is a part of the Accessing the Roblox API series.
< Authentication | X-CSRF-Token