[SOLVED] "403 Forbidden Error" when trying to use Roblox web API with POST requests?

Asked by 4 years ago
Edited 4 years ago

I am learning about HTTP requests, and using Roblox web API to test things.

While 90% of GET requests are passing normally, all of my POST requests are getting declined by Roblox, returning a 403 error message.

For example, I am currently trying to decline friend requests from a certain user (ID 1241698203) via POST request. I am using Python 3.7 and the "requests" module.

My code:

import requests
import pprint

urlname = 'https://api.roblox.com/user/decline-friend-request'
user = 1241698203

data = {'requesteruserid': user}

post_request = requests.post(url=urlname, data=data)

post_request_json = post_request.json()

print(post_request.status_code)

pprint.pprint(post_request_json)

Am I doing something wrong, and do I need to complete some sort of authentication beforehand through my program?

I appreciate all the help!

P.S. I am new to coding, so apologies if my code looks messy/not efficient :)

2 answers

Answered by 4 years ago

Roblox forbids any requests from their own domain. This is to prevent hackers abusing the servers to slow service(s) down. Redirection must go through checks so it's not likely you're going to get a difference in results. All this is, is a lack of permissions.

As I understand, it only applies to in-game requests. However, I am trying to run the code not from the game, but from my own separate desktop application. Also, if Roblox was forbidding all requests, then GET requests would also be denied, right? TheJove 0 — 4y
Answered by 4 years ago

Ok, so. After spending several hours doing my research, I finally managed to make it work!

The issue was with Roblox asking for X-CSRF Token as a measure against cross-site attacks or something like that.

So I had to send 2 requests instead of one. The first request would authenticate me with my cookie, and Roblox will give me the X-CSRF Token as a result.

After that, I need to grab that token, and include it into the second request along with my cookie to successfully complete the POST request.

Here is the code that I am using (the cookie is obviously deleted):

import requests
import pprint

urlname = 'https://api.roblox.com/user/decline-friend-request'

token_headers = {
    'Cookie': 'PUT YOUR ROBLOSECURITY COOKIE HERE'}

# First request: sent with the cookie only, so that the response carries the X-CSRF-TOKEN header
token_request = requests.post(url=urlname, headers=token_headers)

# Response headers are a case-insensitive dict, so read the token directly
# instead of slicing it out of the string form of the headers
csrf_token = token_request.headers['X-CSRF-TOKEN']

request_headers = {
    'Cookie': 'PUT YOUR ROBLOSECURITY COOKIE HERE',
    'X-CSRF-TOKEN': csrf_token
}

user = 232147492

my_data = {'requesteruserid': user}

my_request = requests.post(url=urlname, data=my_data, headers=request_headers)

my_request_json = my_request.json()

print(my_request.status_code)
print(my_request.headers)
pprint.pprint(my_request_json)

You can essentially do any requests that require authentication with this code now. I hope it helps all Web-developers out there!

I can't accept my own answer, but I changed the title to mark this question as solved. TheJove 0 — 4y
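
The two-request flow from the accepted answer, generalized into a retry helper; this is an added example, not code from the original posts or from Roblox. It assumes the server signals a missing or stale token with a 403 response that carries a fresh X-CSRF-TOKEN header, and it runs against a local stand-in server; `StubApi`, `post_with_csrf`, `demo`, the `/decline` path and all token and cookie values are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

TOKEN = "constructed-token"  # constructed value issued by the stand-in server
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

class StubApi(http.server.BaseHTTPRequestHandler):
    """Local stand-in (not Roblox): rejects POSTs that lack the current token."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("X-CSRF-TOKEN") == TOKEN
        self.send_response(200 if ok else 403)
        if not ok:
            self.send_header("X-CSRF-TOKEN", TOKEN)  # rejection carries the token
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def post_with_csrf(url, data, cookie, token=None):
    """POST; on a 403 carrying a new X-CSRF-TOKEN, retry once. Returns (status, token)."""
    for _ in range(2):
        headers = {"Cookie": cookie}
        if token:
            headers["X-CSRF-TOKEN"] = token
        req = urllib.request.Request(url, data=data, headers=headers, method="POST")
        try:
            with OPENER.open(req) as resp:
                return resp.status, token
        except urllib.error.HTTPError as err:
            fresh = err.headers.get("X-CSRF-TOKEN")
            if err.code != 403 or not fresh or fresh == token:
                return err.code, token  # a real refusal, not a token challenge
            token = fresh
    return 403, token

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/decline"
    cookie = "session=constructed"  # constructed; load a real one from the environment
    try:
        return (post_with_csrf(url, b"requesteruserid=1", cookie),
                post_with_csrf(url, b"requesteruserid=1", cookie, token="stale"))
    finally:
        server.shutdown()
```

`demo()` covers both the first call with no token and a later call with a stale token; the returned token can be passed into subsequent calls so that only a rejected request costs a second round trip.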