Authorisation denied for request

theworldis_socruel · February 15, 2022, 6:12am

Hey there!

I’m currently trying to make a script with which it’d be possible to send Messages to other users - however roblox keeps returning the error: “Authorization has been denied for this request.”.

I have no clue as to why this is happening, I send both the roblosecurity cookie and the x-csrf-token in the request.

My script (node.js)

        async function token() {

            let suc = undefined
            let xtoken = cachedToken.x_csrf

            await axios.post('https://auth.roblox.com/v2/login', {
                headers: {
                    "Cookie": `.ROBLOSECURITY=${config.cookie}`,
                    "X-CSRF-TOKEN": xtoken
                }
            }).then((resp) => {
    
                suc = true
    
            }).catch((e) => {

                console.log(e.response.headers)

                if (e.response) {

                    if (e.response.headers) {

                        if (e.response.headers[`x-csrf-token`]) {

                            xtoken = e.response.headers[`x-csrf-token`]

                        }

                    }

                }

                suc = false

            })

            return { suc, xtoken }

        }

        let tokenData = await token()

        console.log(tokenData)

        if (tokenData.xtoken) {

            await axios.post(`https://privatemessages.roblox.com/v1/messages/send`, {
                headers: {
                    "Cookie": `.ROBLOSECURITY=${config.cookie}`,
                    "X-CSRF-TOKEN": tokenData.xtoken
                },
                body: {
                    subject: "fromcode",
                    body: "some testing body",
                    recipientId: 997900401
                }
            }).then((resp) => {

                resp = resp.json()
                console.log(resp.data)

            }).catch((err) => {

                console.log(err.response.data)
                console.log("err")

            })

        } else {



        }

If anyone knows what I did wrong, please let me know!

Thanks for reading!

Batimius · February 15, 2022, 8:36am

Which API request gives you this error? It might be that you try to login which possibly changes the cookie or modifies authorization. I personally wouldn’t even bother with the login API as a cookie is sufficient enough to basically do anything. Your error most definitely comes from authorization, and although I’d think it would be the x-csrf-token, you have provided it so I think it has to do with you trying to login. If I am correct, the login API requires another API call to get a Captcha and a second one to verify. This is very confusing and I don’t know how exactly it works, so just scrap the authorization part all-together and use cookie instead. (Basically, you can make any calls you want by just providing the cookie and the x-csrf-token wherever needed)

theworldis_socruel · February 15, 2022, 8:39am

the login api is only there to get the x-csrf-token, which is required for the privatemessages api

Batimius · February 15, 2022, 8:47am

You don’t need the login API for the x-csrf-token. You can make two calls to the privatemessage API in order to retrieve it. The first one is used to retrieve the x-csrf-token and the second is used to make the call. I made a topic while back asking why I kept getting an error, and I realized the existence of x-csrf-token, which was not documented anywhere in Roblox. Here is a sample code that utilizes a recursive function that gets the x-csrf-token and then attempts to call again (this was in Python):

Roblox API Code 403 (Token Validation Failed) when using the group join request user API with Python

async def ExileUserFromId(UserId: int, Retry = True, Token=XCSRFTOKEN): # Token is by default None, if saved externally, it will save you from all the pain of having to run the script twice.
    RequestURL = "https://groups.roblox.com/v1/groups/3403707/users/" + str(UserId)
    Response = requests.request(
        "DELETE",
        RequestURL,
        cookies=Cookies, # The cookies (including the .ROBLOSECURITY cookie)
        headers={
            "Content-Type": "application/json",
            "X-CSRF-TOKEN": Token
        }
    )
    if Response.status_code == 403: # If the response is 403...
        try:
            JSON = json.loads(Response.text)
            ResponseCode = JSON["errors"][0]["code"]
            if ResponseCode == 0: # And Roblox response is 0...
                if Retry == True: # If retry is enabled...
                    return await ExileUserFromId(UserId, False, Response.headers["x-csrf-token"]) # Re-do the request, but this time, with the `x-csrf-token` supplied as well.
        except:
            return Response
    return Response, Token

I am pretty sure your authorization attempt is messing you up as it is incomplete and registers the cookie as invalid. Additionally, it could be that your cookie might be invalid. That can happen to. In short, just recursively call your function for the x-csrf-token and then attempt to call it again with the x-csrf-token. That should work for as long as your cookie is valid.

theworldis_socruel · February 15, 2022, 8:52am

I have tried retrieving the x-csrf token from the privatemessages but the server returned none.

Batimius · February 15, 2022, 8:56am

Then are you sure your cookie is valid? Authorization denied is usually because you have invalid authorization, which in our case would be your cookie. I find it odd that it wouldn’t return an x-csrf-token. I’ll check it out on my bot, but do check out if your cookie is valid.

theworldis_socruel · February 15, 2022, 9:00am

the cookie is valid, other requests work just fine.

Batimius · February 15, 2022, 9:33am

Something must be off with your code then. I tried using the API myself and it works just fine:

async function sendRobloxMessage(data, retry = true, token = XCSRFTOKEN) {
    let response = await axios({
        method: "POST",
        url: `https://privatemessages.roblox.com/v1/messages/send`,
        data: data,
        headers: {
            "Cookie": `.ROBLOSECURITY=${cookie}`,
            "Content-Type": "application/json",
            "Accept": "application/json",
            "X-CSRF-TOKEN": token
        },
        validateStatus: function () {
            return true;
        }
    })
    if (response.status == 403) {
        try {
            let JSON = response.data
            responseCode = JSON["errors"][0]["code"]
            if (responseCode == 0) {
                if (retry == true) {
                    return await sendRobloxMessage(data, false, response.headers["x-csrf-token"])
                }
            }
        } catch (error) {
            console.error(error)
            return response
        }
    } else if (response.status == 200) {
        XCSRFTOKEN = token
        let JSON = response.data
        if (JSON["success"] && JSON["success"] == true) {
            return JSON
        }
        return JSON
    }
    return response
}

new Command("message", async (message, []) => {
    let response = await sendRobloxMessage({
        subject: "Testing",
        body: "Hello there! This is an authomated message.",
        recipientId: 161328565
    })
    console.log(response)
}, {})

Forummer · February 15, 2022, 5:37pm

https://developer.roblox.com/en-us/api-reference/class/HttpService

Requests cannot be made to any Roblox website, such as www.roblox.com.

Batimius · February 15, 2022, 8:04pm

This has nothing to do with his question. He isn’t using HTTPService nor is he making the requests from the website itself. He is using Node.js and an external script.

Forummer · February 15, 2022, 8:24pm

nor is he making the requests from the website itself.

Incorrect.

VikkiVuk · February 15, 2022, 8:40pm

Wdym incorrect? He is using typescript/node.js which don’t have any correlation to the roblox site apart from the apis whatsoever.

this would make sense if he was using HttpService, but as you can see in the code he is not.

Forummer · February 15, 2022, 8:41pm

Incorrect as in the requests are not being proxied through another server, they are being issued directly to Roblox’s servers.

I wasn’t aware when I made my initial post that the script wasn’t written in Lua (didn’t check), so you can disregard my posts.

VikkiVuk · February 15, 2022, 8:42pm

??? Could you please elaborate, why would they need to be proxied through another server? He should be able to use the roblox api perfectly fine outside roblox studio.

No worries, just please check next time before replying to a thread.

VikkiVuk · February 15, 2022, 8:45pm

Please add "Content-Type": "application/json" in the request headers, and here’s a similar thread which was answered, please check it to see if it resolves your issue.