I am learning about HTTP requests, and using the Roblox web API to test things.
While 90% of GET requests are passing normally, all of my POST requests are getting declined by Roblox, returning a 403 error message.
For example, I am currently trying to decline friend requests from a certain user (ID 1241698203) via a POST request. I am using Python 3.7 and the "requests" module.
My code:
```python
import requests
import pprint

urlname = 'https://api.roblox.com/user/decline-friend-request'
user = 1241698203
data = {'requesteruserid': user}
post_request = requests.post(url=urlname, data=data)
post_request_json = post_request.json()

print(post_request.status_code)
pprint.pprint(post_request_json)
```
Am I doing something wrong, and do I need to complete some sort of authentication beforehand through my program?
I appreciate all the help!
P.S. I am new to coding, so apologies if my code looks messy/not efficient :)
Roblox forbids any requests from their own domain. This is to prevent hackers abusing the servers to slow service(s) down. Redirection must go through checks so it's not likely you're going to get a difference in results. All this is, is a lack of permissions.
Ok, so. After spending several hours doing my research, I finally managed to make it work!
The issue was with Roblox asking for X-CSRF Token as a measure against cross-site attacks or something like that.
So I had to send 2 requests instead of one. The first request authenticates me with my cookie, and Roblox gives me the X-CSRF token as a result.
After that, I need to grab that token and include it in the second request along with my cookie to successfully complete the POST request.
Here is the code that I am using (the cookie is obviously deleted):
```python
import requests
import pprint

urlname = 'https://api.roblox.com/user/decline-friend-request'

# First request: sent with only the cookie so that the response carries the token.
token_headers = {'Cookie': 'PUT YOUR ROBLOSECURITY COOKIE HERE'}
token_request = requests.post(url=urlname, headers=token_headers)
# Read the token from the response headers (the lookup is case-insensitive)
# instead of slicing a fixed number of characters out of the stringified headers.
csrf_token = token_request.headers['X-CSRF-TOKEN']

# Second request: the same cookie plus the token.
request_headers = {
    'Cookie': 'PUT YOUR ROBLOSECURITY COOKIE HERE',
    'X-CSRF-TOKEN': csrf_token
}
user = 232147492
my_data = {'requesteruserid': user}
my_request = requests.post(url=urlname, data=my_data, headers=request_headers)
my_request_json = my_request.json()

print(my_request.status_code)
print(my_request.headers)
pprint.pprint(my_request_json)
```
You can essentially do any requests that require authentication with this code now. I hope it helps all web developers out there!
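The two-request handshake described in the last post, as an added example that is not part of the original thread: the client posts once, reads the token from the 403 response's headers, and retries once. `MockApi`, `post_with_csrf`, `demo` and the token value are constructed for illustration; the local server only mimics the behaviour the post describes and is not Roblox's implementation.

```python
import json
import threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructedTok1"  # constructed sample value, not a real token

class MockApi(BaseHTTPRequestHandler):
    """Constructed local stand-in that enforces the token handshake."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("X-CSRF-TOKEN") == TOKEN
        self.send_response(200 if ok else 403)
        if not ok:
            self.send_header("X-CSRF-TOKEN", TOKEN)  # token is issued on rejection
        body = json.dumps({"success": ok}).encode()
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo output quiet

def post_with_csrf(url, data, cookie):
    """POST once; on a 403 that carries X-CSRF-TOKEN, retry once with it."""
    headers = {"Cookie": cookie}
    body = urllib.parse.urlencode(data).encode()
    for attempt in range(2):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, json.load(resp), attempt + 1
        except urllib.error.HTTPError as err:
            token = err.headers.get("X-CSRF-TOKEN")
            if err.code != 403 or token is None or attempt == 1:
                raise  # a 403 without a token is a genuine permission failure
            headers["X-CSRF-TOKEN"] = token

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/user/decline-friend-request"
        return post_with_csrf(url, {"requesteruserid": 232147492}, "constructed-cookie")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Looking the header up by name avoids depending on the token's length, and the single-retry limit keeps a persistent 403 from looping.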