I am working on a reporting system; the server validates and sends data from the client to a Discord webhook in the form of an embed. My employer wanted the reporter and offender’s headshot images to be displayed in the embed.
According to Discord’s webhook documentations, image URLs must be a http(s) link or an attachment’s. However, Roblox’s Players:GetUserThumbnailAsync() returns a rbxthumb protocol link; using this link results in the “HTTP 400 Bad Request” error.
Proxies are what I am heavily trying to avoid, but of course I could just create my own web server.
Hence, I thought to myself, “What would be the image address to a Roblox user’s headshot?” The address’ protocol was https://. But there is an ID in the link that I cannot decode, and I do not know how it is generated. I suppose the ID is used to retrieve the image of the user. It is formatted like this: https://tr.rbxcdn.com/randomcharacters/150/150/AvatarHeadshot/Png.
Is there any working link format that I can use to post to a webhook? I have done a lot of research, and my options seem to be out-of-date address formats, or common proxies.
My employer said that it isn’t mandatory to display the users’ pictures. So, it is fine if there is no solution other than a proxy.
I believe the “randomcharacters” are a hash string. You could perhaps use Roblox API to bypass this.
The URL you use could be, https://thumbnails.roproxy.com/v1/users/avatar-headshot?userIds=0&size=48x48&format=Png&isCircular=false
Replace the userIds=0 with userIds={your userID}, the size=48x48 with whatever you want the size to be (ex. 420x420), and if you want the format and isCircular (something like Jpg or true to make the headshot circular) and get the request. It should return something along the lines of: {"data":[{"targetId":629871766,"state":"Completed","imageUrl":"https://tr.rbxcdn.com/randomCharacters/48/48/AvatarHeadshot/Png"}]}
Then, you can convert it to a regular table by using HTTPService to JSONDecode the string. Then, you can check for imageUrl and get it, allowing you to send the certain URL.
He asked to not use public proxy URLs (Not a good choice at all)
Roblox for whatever reason denies requests to its own servers by Roblox universes, this can be circumvented by making your own Proxy API, this is the only liable method on exporting roblox data.
I’d recommend hosting the API on a service called “Heroku”
There are numerous API libraries that are free to use/open sourced here
This is using the roproxy API, a proxy made specifically for this usage. This isn’t using the Roblox API itself, just a workaround basically. Check out this thread:
I am aware, but it is not a good idea to use a public API, since your at the whim of an outside source that could shut down/get compromised at any time
If downtime or a shutdown does occur, either the proxy or Roblox is down. If it’s the proxy, the OP can just create a backup incase this happens, for example displaying no headshot image in the first place. This is especially since they stated that it’s not needed, so it’s most likely not a priority.
But OP cannot maintain the API if something goes wrong, nor can he control the traffic that goes through it, OP can fix a privately hosted API proxy much quicker, which increases the form and function of even adding a profile picture in the first place
(Its also good practice because you want your discord webhook data as private as possible to avoid some sort of freak accident)
They were looking for a method to display the avatar headshot through a webhook correct? I believe there is no other way to do this, other than this method that I can think of as a workaround. If there is another way, it’s probably more lengthy, hacky, and not efficient enough. Either the OP could use this method, or rather simply display no headshot image in the webhook. If you could think of another method, power to you.
Privately hosted APIs work the same as something like Roproxy, the only difference is that you host the API instead of relying on a public host, you can do everything you would do normally, just under a host in which you control.
(You just change the URL to whatever proxy host URL your hosting program is running on instead of Roproxy.xyz)
Privately hosting an API comes at a cost. Energy cost (depending on if you’re using a server or something along the lines or just hosting most of the day without specific use during the entire time of the device), and money. Heroku is getting discontinued, and I’m afraid there’s no other great current proxy hosts that are free. Using RoProxy could be dangerous, but I don’t know how an attacker would use the thumbnail API to absolutely ruin people’s day, and RoProxy doesn’t have a cost except for an unpredicted and rare shutdown or downtime.
However, its practically in the backend developer bible to avoid a single point of failure at any cost. Not to mention that there are countless other hosting sites that offer a very small space free of charge, just as long as you use it, its abundant especially in the NODE.js sphere.
A single point of failure wouldn’t be a problem if you’re just using it to get the thumbnail headshot of an avatar. As I said, you can just return no headshot if something goes wrong and don’t use an image through the webhook. As I said, the OP also said that this isn’t needed
Ah, yes, you could protect your webhook key in the sense of that, but I do think using RoProxy is fine if you’re just trying to get the avatar headshot of a player. It’s not normal that an attacker would exploit the proxy just to change the ID of the player to a different one and a different avatar headshot.
Thank you, @Tetraic, for confirming that I should prefer using my own proxy in these types of situations. And thank you, @BaldisFriend, for informing me that those random characters were part of a hash string; hash strings completely left my mind.
My employer decided to not include the headshots since they are unnecessary for our needs, and he doesn’t want to deal with proxies. However, I marked this post as the solution because it would best fit my wants.