Roblox Web Authentication

Help and Feedback Scripting Support
1

I’m creating a bot which will rank a user in a group. When I try to get the CSRF token, I get the error “forbidden”. My code is below.

const superagent = require("superagent")

let cookie = "my cookie is here, removed for security"

async function cool() {

    try{

        let toke = token()

        const { body } = await superagent

            .patch("https://groups.roblox.com/v1/groups/4913533/users/1903660599")

            .set("Cookie", ".ROBLOSECURITY=" + cookie)

            .set("X-CSRF-TOKEN", toke)

            .send({ roleId: 10})

            .set('Accept', 'application/json')

            console.log("Response: " + body)

    }catch(err){

    console.log("An error has occured: " + err)

    }

}

async function token() {

    try {

const { body } = await superagent

.post("https://auth.roblox.com/v2/logout")

.set("Cookie", ".ROBLOSECURITY=" + cookie)

console.log(body.headers)

    } catch(err) {

        console.log("error " + err)

    }

}

cool()
2

Forbidden on the /logout api part. Ik im not returning anything.

3

pretty sure you got to listen to the error code.

No one is allowed to access the .ROBLOSECURITY cookie. If people were able to, everyone would be getting hacked.

4

this is an endpoint to get the token, no one can get my cookie

1 Like
5

i dont know how to write javascript but try this:

async function cool() {

    try{

        let toke = token()

        const { body } = await superagent

            .patch("https://groups.roblox.com/v1/groups/4913533/users/1903660599")

            .set("Cookie", ".ROBLOSECURITY=" + cookie)

            .set("X-CSRF-TOKEN", toke)

            .send({ roleId: 10})

            .set('Accept', 'application/json')

            console.log("Response: " + body)

    }catch(err){

    console.log("An error has occured: " + err)

    }

}

async function token() {

    try {

const { body } =  await superagent

            .patch("https://groups.roblox.com/v1/groups/4913533/users/1903660599")

            .set("Cookie", ".ROBLOSECURITY=" + cookie)

            .send({ roleId: 10})

            .set('Accept', 'application/json')

console.log(body.headers) -- request should fail, but header have csrf token

    } catch(err) {

        console.log("error " + err)

    }

}

cool()
6

Oh, dude, your right. It will fail but it does return the token. Let me just fix my code

1 Like
7

Ok so it works, but i get bad request error. the role id isn’t correct, but idk where to get that from

8

Okay, I fixed it. It’s working. Thanks

2 Likes