feat(rbx_auth): check csrf token per request

mantle/mantle/src/commands/import.rs

@@ -1,5 +1,7 @@
+use std::sync::Arc;
+
 use rbx_api::{models::AssetId, RobloxApi};
-use rbx_auth::RobloxAuth;
+use rbx_auth::{RobloxCookieStore, RobloxCsrfTokenStore};
 use yansi::Paint;
 
 use rbx_mantle::{
@@ -54,14 +56,15 @@ pub async fn run(project: Option<&str>, environment: Option<&str>, target_id: &s
     };
 
     logger::start_action("Import target:");
-    let roblox_auth = match RobloxAuth::new().await {
-        Ok(v) => v,
+    let cookie_store = match RobloxCookieStore::new() {
+        Ok(v) => Arc::new(v),
         Err(e) => {
             logger::end_action(Paint::red(e));
             return 1;
         }
     };
-    let roblox_api = match RobloxApi::new(roblox_auth) {
+    let csrf_token_store = RobloxCsrfTokenStore::new();
+    let roblox_api = match RobloxApi::new(cookie_store, csrf_token_store) {
         Ok(v) => v,
         Err(e) => {
             logger::end_action(Paint::red(e));

mantle/rbx_api/README.md

@@ -5,11 +5,12 @@ Make requests to Roblox's web APIs. Currently does not support any Open Cloud AP
 ## Usage
 
 ```rs
-use rbx_auth::RobloxAuth;
+use rbx_auth::{RobloxCookieStore, RobloxCsrfTokenStore};
 use rbx_api::RobloxApi;
 
-let auth = RobloxAuth::new().await?;
-let api = RobloxApi::new(auth)?;
+let cookie_store = Arc::new(RobloxCookieStore::new()?);
+let csrf_token_store = RobloxCsrfTokenStore::new();
+let api = RobloxApi::new(cookie_store, csrf_token_store)?;
 
-api.upload_place("MyPlace.rbxl".into(), 123456)?;
+let user = api.get_authenticated_user().await?;
 ```

mantle/rbx_api/src/asset_aliases/mod.rs

@@ -18,18 +18,23 @@ impl RobloxApi {
         asset_id: AssetId,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
-            .header(header::CONTENT_LENGTH, 0)
-            .query(&[
-                ("universeId", experience_id.to_string().as_str()),
-                ("name", name.as_str()),
-                ("type", "1"),
-                ("targetId", asset_id.to_string().as_str()),
-            ]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
+                    .header(header::CONTENT_LENGTH, 0)
+                    .query(&[
+                        ("universeId", experience_id.to_string().as_str()),
+                        ("name", name.as_str()),
+                        ("type", "1"),
+                        ("targetId", asset_id.to_string().as_str()),
+                    ]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -41,18 +46,23 @@ impl RobloxApi {
         previous_name: String,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
-            .query(&[
-                ("universeId", experience_id.to_string().as_str()),
-                ("oldName", previous_name.as_str()),
-                ("name", name.as_str()),
-                ("type", "1"),
-                ("targetId", asset_id.to_string().as_str()),
-            ]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
+                    .query(&[
+                        ("universeId", experience_id.to_string().as_str()),
+                        ("oldName", previous_name.as_str()),
+                        ("name", name.as_str()),
+                        ("type", "1"),
+                        ("targetId", asset_id.to_string().as_str()),
+                    ]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -62,13 +72,18 @@ impl RobloxApi {
         experience_id: AssetId,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
-            .header(header::CONTENT_LENGTH, 0)
-            .query(&[("universeId", &experience_id.to_string()), ("name", &name)]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
+                    .header(header::CONTENT_LENGTH, 0)
+                    .query(&[("universeId", &experience_id.to_string()), ("name", &name)]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -78,15 +93,20 @@ impl RobloxApi {
         experience_id: AssetId,
         page: u32,
     ) -> RobloxApiResult<ListAssetAliasesResponse> {
-        let req = self
-            .client
-            .get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
-            .query(&[
-                ("universeId", &experience_id.to_string()),
-                ("page", &page.to_string()),
-            ]);
-
-        handle_as_json(req).await
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
+                    .query(&[
+                        ("universeId", &experience_id.to_string()),
+                        ("page", &page.to_string()),
+                    ]))
+            })
+            .await;
+
+        handle_as_json(res).await
     }
 
     pub async fn get_all_asset_aliases(

mantle/rbx_api/src/asset_permissions/mod.rs

@@ -11,17 +11,22 @@ impl RobloxApi {
         request: R,
     ) -> RobloxApiResult<()>
     where
-        R: Into<GrantAssetPermissionsRequest>,
+        R: Into<GrantAssetPermissionsRequest> + Clone,
     {
-        let req = self
-            .client
-            .patch(format!(
-                "https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
-                asset_id
-            ))
-            .json(&request.into());
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .patch(format!(
+                        "https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
+                        asset_id
+                    ))
+                    .json(&request.clone().into()))
+            })
+            .await;
 
-        handle(req).await?;
+        handle(res).await?;
 
         Ok(())
     }

mantle/rbx_api/src/asset_permissions/models.rs

@@ -2,26 +2,26 @@ use serde::Serialize;
 
 use crate::models::AssetId;
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct GrantAssetPermissionsRequest {
     pub requests: Vec<GrantAssetPermissionsRequestRequest>,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct GrantAssetPermissionsRequestRequest {
     pub subject_type: GrantAssetPermissionRequestSubjectType,
     pub subject_id: AssetId,
     pub action: GrantAssetPermissionRequestAction,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 pub enum GrantAssetPermissionRequestSubjectType {
     Universe,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 pub enum GrantAssetPermissionRequestAction {
     Use,
 }

mantle/rbx_api/src/assets/mod.rs

@@ -19,17 +19,22 @@ impl RobloxApi {
         &self,
         asset_type: AssetTypeId,
     ) -> RobloxApiResult<CreateAssetQuota> {
-        let req = self
-            .client
-            .get("https://publish.roblox.com/v1/asset-quotas")
-            .query(&[
-                // TODO: Understand what this parameter does
-                ("resourceType", "1"),
-                ("assetType", &asset_type.to_string()),
-            ]);
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .get("https://publish.roblox.com/v1/asset-quotas")
+                    .query(&[
+                        // TODO: Understand what this parameter does
+                        ("resourceType", "1"),
+                        ("assetType", &asset_type.to_string()),
+                    ]))
+            })
+            .await;
 
         // TODO: Understand how to interpret multiple quota objects (rather than just using the first one)
-        (handle_as_json::<CreateAssetQuotasResponse>(req).await?)
+        (handle_as_json::<CreateAssetQuotasResponse>(res).await?)
             .quotas
             .first()
             .cloned()
@@ -42,36 +47,46 @@ impl RobloxApi {
         group_id: Option<AssetId>,
         payment_source: CreatorType,
     ) -> RobloxApiResult<CreateAudioAssetResponse> {
-        let data = fs::read(&file_path)?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                let data = fs::read(&file_path)?;
 
-        let file_name = format!(
-            "Audio/{}",
-            file_path.file_stem().and_then(OsStr::to_str).unwrap()
-        );
+                let file_name = format!(
+                    "Audio/{}",
+                    file_path.file_stem().and_then(OsStr::to_str).unwrap()
+                );
 
-        let req = self
-            .client
-            .post("https://publish.roblox.com/v1/audio")
-            .json(&json!({
-                "name": file_name,
-                "file": base64::encode(data),
-                "groupId": group_id,
-                "paymentSource": payment_source
-            }));
+                Ok(self
+                    .client
+                    .post("https://publish.roblox.com/v1/audio")
+                    .json(&json!({
+                        "name": file_name,
+                        "file": base64::encode(data),
+                        "groupId": group_id,
+                        "paymentSource": payment_source
+                    })))
+            })
+            .await;
 
-        handle_as_json(req).await
+        handle_as_json(res).await
     }
 
     pub async fn archive_asset(&self, asset_id: AssetId) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post(format!(
-                "https://develop.roblox.com/v1/assets/{}/archive",
-                asset_id
-            ))
-            .header(header::CONTENT_LENGTH, 0);
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post(format!(
+                        "https://develop.roblox.com/v1/assets/{}/archive",
+                        asset_id
+                    ))
+                    .header(header::CONTENT_LENGTH, 0))
+            })
+            .await;
 
-        handle(req).await?;
+        handle(res).await?;
 
         Ok(())
     }