How to use the Roblox Login API (V2) with CAPTCHA

I am making a ranking bot using a service that supports my application but does not set my app on one single server. Roblox deletes cookies that have a significant location change, so I would need to get a cookie using a VPN located close to the server where my project is hosted. This can be very frustrating, doing it once or twice every day, so I would like to log in with the https://auth.roblox.com/v2/login API. This project is in Node.js.

There are a few issues with this. When I send a request with the Axios library with the correct username, password, and token, it returns forbidden. Is my captcha token the one I get from the data-hcaptcha-response attribute? What is my captchaProvider parameter? Here is what I have so far.

axios.post('https://auth.roblox.com/v2/login', {
  captchaProvider: "PROVIDER_HCaptcha",
  ctype: 'Username',
  cvalue: "Username",
  password: "Password",
  captchaToken: "CaptchaTokenFromHCaptcha"
}, { headers: {
  'x-csrf-token': 'MyToken'
}})
  .then(data => console.log('Logged in.'))
  .catch(a => {
    console.log(a.request.res.statusCode);
  });

I am not really familiar with Roblox ToS, so please tell me if this idea conflicts. Thank you for your help in advance!

1 Like

This is just wrong on so many levels.
Roblox doesn’t use HCaptcha, they use Funcaptcha.

You will get details of the captcha id and metadata (blob data) from headers, which you need to solve in order to get a valid token. Then you need to send a request back to the API with the token and captcha id in headers.

3 Likes

Oop… Do I request one login attempt, then take the headers, render a captcha on my end, and then make another request? Or do I get the headers from another endpoint? Also, how do I render a funcaptcha on my server/HTML page to be sent back to Roblox?

2 Likes

You make a request, get the data from the headers, and request again with the correct headers.

As for rendering the captcha, it’s difficult. If I remember correctly, there is a library called funcaptcha which will render the link for your challenge based on the blob data and public key, then you have to put the captcha in an iframe, track results, and on completion it will return a valid token.

3 Likes

I cannot find the funcaptcha ID anywhere in the response’s headers… This article states that what I am doing may not be possible without an OAuth key. Is this true?

2 Likes

Wdym funcaptcha id? What field are you looking for?

1 Like

I am looking for the Captcha ID. Is there another endpoint that gives this?

1 Like

The captcha id is returned in the metadata after you decode the base64.

1 Like

I’m so sorry for asking so many questions, but where is metadata located? There seems to be no base64 in a.request.res.headers…

1 Like

Make the initial login request and send the headers that print.

2 Likes

Here are the headers… I removed things that may or may not be secrets or identifiers.

access-control-expose-headers: "X-CSRF-TOKEN"
cache-control: "no-cache"
connection: "close"
content-type: "application/json; charset=utf-8"
date: "Thu, 31 Aug 2023 20:05:50 GMT"
nel: "{\"report_to\":\"network-errors\",\"max_age\":604800,\"success_fraction\":0.001,\"failure_fraction\":1}"
report-to: "{\"group\":\"network-errors\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://ncs.roblox.com/upload\"}]}"
roblox-machine-id: "Removed"
server: "Kestrel"
strict-transport-security: "max-age=3600"
transfer-encoding: "chunked"
x-csrf-token: "Removed"
x-frame-options: "SAMEORIGIN"
x-roblox-edge: "Removed"
x-roblox-region: "us-central"

1 Like

These aren’t headers you should be receiving, can you send the status message and status code of the request as well?

1 Like

I am not sending any headers, but the response code is 403, and the response message is Forbidden. Is there anything wrong with the request?

1 Like

Yea, your request is not formatted correctly, so Roblox rejects it with a 403 (as they don’t really want people automating it).

Send your request format and I’ll see what’s wrong with it.

2 Likes

If I am trying to get a captcha, I am not sure if I should be using .get or .post… Here is the code that I am getting the headers from.

app.get('/api/get-captcha', (req, res) => {
  axios.post('https://auth.roblox.com/v2/login', {})
    .then(() => console.log('Error.'))
    .catch(a => {
      console.log(a.request.res);
      res.json(a.request.res.headers);
    });
})

2 Likes

You have to include certain data for the request.
Not all fields are needed, it’s mostly experimenting.

1 Like

If I only want to get the captcha though, what data should I include?

2 Likes

To get the data, you have to make the request seem like an actual request.

1 Like

Do I include fake captcha data or none at all…

1 Like

None, you can leave the fields empty.

1 Like