XSRF tokens do not generate while banned when submitting a support request

railworks2 · January 11, 2022, 10:33pm

Reproduction Steps
Browser A: Vivaldi 5.0.2497.35 (Stable channel) (64-bit)
Browser B: Firefox 96.0 (64-bit)
OS: Windows 11 Version 21H2 (Build 22000.376)

Get moderated (i.e banned) and remain logged into that account
Wait until your X-XSRF-TOKEN expires
Attempt to complete and submit, completing captcha successfully

Expected Behavior
I expect the X-XSRF-TOKEN to correctly generate and submit my support request

Actual Behavior
User gets stuck in a captcha loop because they cannot generate the XSRF token required to submit due to being moderated.

Workaround
Submit again while logged out

Issue Area: Roblox Website
Page URL: Support - Roblox
Impact: Moderate
Frequency: Very Rarely
Date First Experienced: 2022-01-11 22:01:00 (+00:00)

Iron_Legion · January 12, 2022, 1:17am

I am having trouble reproducing this issue. Which URL are you seeing return the 403 status code, that is resulting in the captcha loop?

railworks2 · January 12, 2022, 9:25am

This was on the support form page. Just to make sure, are you testing on a moderated account?

local_ip · January 12, 2022, 2:01pm

I don’t believe the CSRF token is the issue here. Moderated accounts just simply get 403s on many endpoints intentionally, excluding a few like usermoderation (for getting their current moderation status/ban reason/etc).
By the way, the actual header name is X-CSRF-Token, and it usually doesn’t cause a captcha when it’s invalid - it usually comes before the captcha.

I think the actual “bug” here is that support requests are included in the pool of requests that are blocked when your account is moderated. Maybe you could rephrase this as “cannot submit support requests on a moderated account”

railworks2 · January 12, 2022, 2:23pm

For whatever reason, it’s fine when I appealed immediately but a capcha loop the day after. The only thing that gave any clue was that the crsf printed an object as shown in the original post.

You can’t edit a bug report title after the fact so idk

local_ip · January 12, 2022, 2:25pm

The X-CSRF-Token usually expires within minutes and not days, so I’m not totally sure why that happened.

Where is it printing an object? I don’t know what you mean by that.

railworks2 · January 12, 2022, 2:30pm

In the (web) developer console.

I’m not quite sure what happened, I cannot replicate this bug (not banned) again.
It seems like the sort of thing that might have been missed and may deeply annoy end users.

local_ip · January 12, 2022, 4:02pm

Could you explain what the screenshot in your post is? I assumed that this was your own request you had sent.

Iron_Legion · January 12, 2022, 11:28pm

Yes, I tested while logged in to a permanently banned account. I was able to fill out the captcha and submit the report form and got an email confirmation.