feat(rbx_auth): check csrf token per request #228
Draft
+905
−571
Instead of fetching the CSRF token a single time and caching it in the RobloxAuth struct, we implement a middleware-esque approach where we pass a request factory closure to a custom CsrfTokenStore.send_request function which will call the factory to construct the request, send the request, then extract the CSRF token from the response headers and resend if necessary.
This approach correctly resolves #226 by no longer relying on a deprecated method of receiving a CSRF token.
Additionally, it resolves a long-standing issue of rbx_auth/rbx_api when used in a long-running context where the CSRF token expires. Now, the token will be automatically refreshed and the request retried.
This change does change the public API of both rbx_auth and rbx_api in a very large way, so this PR should not be merged until the docs have been updated as well.
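The factory-and-retry flow described above, as an added sketch that is not the PR's code: only the names CsrfTokenStore and send_request come from the description, while the Request/Response types, the mock endpoint and the token values are constructed stand-ins. It assumes a rejected token is signalled by a 403 whose headers carry the fresh token, and it bounds the refresh to a single retry so a genuine denial cannot loop.

```rust
use std::sync::RwLock;

// Constructed stand-ins for an HTTP client's request/response types.
pub struct Request { pub csrf: Option<String>, pub body: String }
pub struct Response { pub status: u16, pub csrf: Option<String> }

// Hypothetical store; only the names CsrfTokenStore/send_request come from the PR text.
pub struct CsrfTokenStore { token: RwLock<Option<String>> }

impl CsrfTokenStore {
    pub fn new() -> Self { Self { token: RwLock::new(None) } }

    /// Builds the request with `factory`, sends it with `transport`, and on a 403
    /// that advertises a token different from the one sent, stores it and retries once.
    pub fn send_request<F, T>(&self, factory: F, mut transport: T) -> Response
    where F: Fn(Option<String>) -> Request, T: FnMut(&Request) -> Response {
        let sent = self.token.read().unwrap().clone();
        let resp = transport(&factory(sent.clone()));
        match (resp.status, resp.csrf.clone()) {
            (403, Some(fresh)) if sent.as_ref() != Some(&fresh) => {
                *self.token.write().unwrap() = Some(fresh.clone());
                transport(&factory(Some(fresh))) // single retry, so a real 403 cannot loop
            }
            _ => resp,
        }
    }
}

// Constructed mock endpoint: accepts only `valid`, otherwise answers 403 and advertises it.
fn respond(req: &Request, valid: &str) -> Response {
    if req.csrf.as_deref() == Some(valid) { Response { status: 200, csrf: None } }
    else { Response { status: 403, csrf: Some(valid.to_string()) } }
}

/// Returns the three final statuses and the total number of requests sent.
pub fn demo() -> (u16, u16, u16, u32) {
    let (store, mut sends) = (CsrfTokenStore::new(), 0u32);
    let factory = |csrf: Option<String>| Request { csrf, body: "{}".to_string() };
    let a = store.send_request(&factory, |r: &Request| { sends += 1; respond(r, "tok-1") });
    // The server rotates its token while the store is still holding the old one.
    let b = store.send_request(&factory, |r: &Request| { sends += 1; respond(r, "tok-2") });
    // A 403 that re-advertises the token we already sent is a real denial: no retry.
    let c = store.send_request(&factory, |_: &Request| {
        sends += 1;
        Response { status: 403, csrf: Some("tok-2".to_string()) }
    });
    (a.status, b.status, c.status, sends)
}
fn main() { println!("{:?}", demo()); }
```

The factory is called again for the retry because a sent request generally cannot be reused, which is why the store takes a closure rather than a built request.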