Getting the X-CSRF Token

Help and Feedback Scripting Support
#1

Before anyone says this question has been asked hundreds of times before, I know. I’ve checked every single post and none of them have helped my achieve what I wanted. Mostly because everyone is using Python and not JS and Node.

Simply, all I want to do is fetch the X-CSRF token. This is the code that does the job.

function getToken(){

    http.request({
        host: 'auth.roblox.com',
        path: '/v1/logout',
        method: 'POST',
        headers: {
            'Cookie': `.ROBLOSECURITY=${cookie}`,
        }
    }, (res) => {

        let data = ''

        res.on('data', (d) => {
            data += d
        })

        res.on('end', () => {
            console.log(res.headers)
            console.log(data)
        })

    }).end()

};

Value for res.headers['x-crsf-token'] is undefined and data response is {"errors":[{"code":0,"message":"Authorization has been denied for this request."}]}

Help is appreciated.

Header "Cookie" has unallowed character "|" in value
#2

Update: Upon logging out and back into my account and fetching a new .ROBLOSECURITY code, I got a new error, which is {"errors":[{"code":0,"message":"Token Validation Failed"}]}.

#3

You cannot automatically fetch an X-CSRF Token from my understanding.

This makes sense for ROBLOX, in interest of protecting their mostly young player base.
(Your error states that the request was denied, with good reason)

https://blog.roblox.com/2020/10/protecting-users-cross-site-request-forgery/

#4

You can automatically fetch the X-CSRF code yes. I already found a work around.

For those struggling with the same issue, Noblox.js has a method to fetch the X-CSRF code for you.

#5

Ah ok :+1:

I don’t see why ROBLOX would allow it to be automatically fetched as it is a security concern, but good luck with your code.