ROBLOX CSRF-TOKEN Keeps changing?

Hi. I’m trying to create an auto rank bot that keeps running 24/7 on a repl server. The code works fine however I believe the CSRF-TOKEN changes every 30 minutes which means if it generates a new token the code will break. Is there a way to get like a permanent token that doesn’t change? If not, how would I make it so it runs 24/7? Thanks in advance.

1 Like

What I do is send a “get request” to the home page and parse through the html to find my token.

Here is an example in Java - it is probably not the language you are using but it should give you a good idea of how it’s done. (it is just a snippet of some code I use, hopefully you find it helpful)

    import java.io.IOException;
    import java.io.InputStream;
    import org.apache.http.HttpEntity;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.jsoup.Jsoup;
    import org.jsoup.nodes.Document;
    import org.jsoup.nodes.Element;

    public static String X_CSRF_TOKEN = "";

    public static void setXCSRF(CloseableHttpClient httpclient) {
        HttpGet get = new HttpGet("https://www.roblox.com/home");
        // without adding your cookie to the get request you will get the x-csrf-token of an "unauthorized/guest" user.
        // (.ROBLOSECURITY is your full session cookie, so load it from config/env rather than committing it in source)
        get.addHeader("Cookie", ".ROBLOSECURITY=cookie_here;");

        try (CloseableHttpResponse response = httpclient.execute(get)) {
            HttpEntity entity = response.getEntity(); // gets html
            InputStream data = entity.getContent(); // raw response stream
            Document document = Jsoup.parse(data, "UTF-8", "https://www.roblox.com/home"); // library for parsing
            // find the script that sets the x-csrf-token in the html and then capture it
            for (Element e : document.getElementsByTag("script")) {
                String html = e.html();
                // contains() matches anywhere in the script; lastIndexOf(str, 0) only matched at index 0
                if (html.contains("Roblox.XsrfToken.setToken")) {
                    X_CSRF_TOKEN = html.split("'")[1]; // token is the first single-quoted string in that script
                    break;
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

What I would do is have a loop and just constantly call this every 5-30 seconds to refresh your x-csrf-token.

This is unnecessary and could still cause issues. Any endpoint that requires a csrf token and is not provided one will return a 403 status code with a new, valid csrf-token in the body of the request.

Code zero is returned with a status of 403, with an error of code 0 indicating an invalid csrf-token

In the headers of this request, you will see a new csrf token is returned, so there is no need for periodic requests to a random endpoint to refresh the csrf token.

Take this as an example:
I have a payUser function which requires making a request to an endpoint that requires a csrf token. After the request is made, we check to see if it returns a status code of 403, and if it does, we check if the error message returned is code 0, which would indicate that the csrf token provided was invalid or missing. After we confirm that the error is due to an invalid csrf token, we can simply extract the csrf token that was returned from the request in its headers, store it wherever, and call the payUser function again.

2 Likes
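The 403 / error code 0 / retry flow described in the reply above, written out as an added example that is not from the original post. It assumes the token travels in a header named x-csrf-token (the name used by the X_CSRF_TOKEN variable in the Java snippet) and uses a constructed fake endpoint instead of a live server, so it runs offline; swap `send` for a real HTTP POST to use it.

```python
import json
from dataclasses import dataclass
from typing import Callable
CSRF_HEADER = "x-csrf-token"  # header name assumed here, matching the X_CSRF_TOKEN name in the Java snippet

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def is_csrf_failure(resp: Response) -> bool:
    """403 whose JSON body carries an errors[] entry with code 0 (invalid or missing token)."""
    if resp.status != 403:
        return False
    try:
        errors = json.loads(resp.body).get("errors", [])
    except (ValueError, AttributeError):
        return False
    return any(e.get("code") == 0 for e in errors)

class CsrfSession:
    """Caches the token and retries once when the server answers 403 with a new one."""
    def __init__(self, send: Callable[[dict, dict], Response]):
        self.send = send   # transport: (headers, payload) -> Response; the real one would be an HTTP POST
        self.token = ""    # empty at start: the first call is expected to fail and hand us a token
        self.retries = 0

    def post(self, payload: dict) -> Response:
        headers = {CSRF_HEADER: self.token} if self.token else {}
        resp = self.send(headers, payload)
        fresh = resp.headers.get(CSRF_HEADER)
        if is_csrf_failure(resp) and fresh and fresh != self.token:
            self.token = fresh          # rotated token arrives in the 403 headers
            self.retries += 1
            resp = self.send({CSRF_HEADER: self.token}, payload)  # retry exactly once
        return resp

class FakeEndpoint:
    """Constructed stand-in for a token-protected Roblox endpoint (not a real server)."""
    def __init__(self, token="tok-A"):
        self.current = token    # change this to simulate the periodic rotation
        self.accepted = []

    def __call__(self, headers: dict, payload: dict) -> Response:
        if headers.get(CSRF_HEADER) != self.current:
            body = json.dumps({"errors": [{"code": 0, "message": "Token Validation Failed"}]})
            return Response(403, {CSRF_HEADER: self.current}, body)
        self.accepted.append(payload)
        return Response(200, {}, json.dumps({"ok": True}))
```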

This may be no longer needed due to it being a year ago, but you cannot get a permanent CSRF token. Many of the endpoints, however, will send you a CSRF token inside of the response headers if the request is not valid. Due to this, it’s recommended that if the token authentication fails due to the CSRF token being invalid, you can just auto get a new one from the failed request.