Automatically get the X-CSRF-TOKEN [NODE.JS]

Puwgen · May 29, 2024, 11:02am

I use node.js and I need to auto-fetch the X-CSRF-TOKEN

I am also using noblox.js, but since it uses the https://api.roblox.com/v2/logout endpoint (?),
it will logout and refresh the .ROBLOSECURITY Cookie, which breaks the code and becomes very very very time consuming.

How can I avoid that?

Puwgen · May 29, 2024, 2:01pm

Bumping

benpinpop · May 29, 2024, 2:04pm

I believe you need to turn this off:

Which can be found in: https://create.roblox.com/settings/advanced. Only turn this off on an alt account, as it CANNOT be turned back on. (For some god forsaken reason).

This is just due to the fact that IP changes invalidate cookies. So you should be able to get your X-CSRF-Token after this setting is off.

Puwgen · May 29, 2024, 2:46pm

Uhm, nope! This doesn’t change anything at all

benpinpop · May 29, 2024, 2:58pm

Can I see your code? Without the cookie of course.

Puwgen · May 29, 2024, 3:27pm

module.exports = async function (cookie) {
    if (!cookie) throw new Error('Cookie not provided');
    const endpoint = `https://auth.roproxy.com/v1/logout`;
    const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
            cookie: `.ROBLOSECURITY=${cookie}`
        }
    });

    return response.headers.get('x-csrf-token');
}

This does fetch the X-CSRF-TOKEN for the first time, but then the Cookie expires because it logged you out actually.

Puwgen · May 29, 2024, 3:30pm

Or maybe we don’t need a X-CSRF-TOKEN anymore? Don’t think so, but X-CSRF-TOKEN is for confirming actions and stuff, because there is no token in the request, it shouldnt actually log you out.

So something seems off

Meta_data · May 29, 2024, 3:38pm

You do not want to be sending your ROBLOSECURITY through roproxy. That means the owner of that website could very easily log your cookie and steal your account.

I do not understand your initial question though. You are logged out through the logout endpoint and then when you re-login it’s not setting the X-CSRF-TOKEN?

benpinpop · May 29, 2024, 3:39pm

It also explains why he’s being logged out, and roproxy is a different IP address than the login. As long as he’s using an independent program, he should just be using the auth endpoint directly.

Puwgen · May 29, 2024, 3:39pm

roblox.com might just ratelimit me

benpinpop · May 29, 2024, 3:40pm

I have a very hard time believing that. You should only be fetching the X-CSRF-Token every 20 minutes as it expires every 30 minutes.

Even if you’re doing 25 requests a minute, that still wouldn’t really be enough to kick off any red flags.

Puwgen · May 29, 2024, 3:42pm

hm, you might be right, let me just do some stuff rq

bvetterdays · May 29, 2024, 3:43pm

Pretty sure RoProxy returns an x-csrf-token in the headers of it’s response that you need to send BACK to it as a header in any further requests to make use of it. May be wrong though

Either way, try using Roblox APIs directly if you can, following what @benpinpop said

Puwgen · May 29, 2024, 3:46pm

Edit: ignore this, i fixed this already, just forgot to await the token request

system · June 12, 2024, 3:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.