Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rbx_auth): check csrf token per request #228

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions mantle/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 7 additions & 4 deletions mantle/mantle/src/commands/import.rs
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
use std::sync::Arc;

use rbx_api::{models::AssetId, RobloxApi};
use rbx_auth::RobloxAuth;
use rbx_auth::{RobloxCookieStore, RobloxCsrfTokenStore};
use yansi::Paint;

use rbx_mantle::{
Expand Down Expand Up @@ -54,14 +56,15 @@ pub async fn run(project: Option<&str>, environment: Option<&str>, target_id: &s
};

logger::start_action("Import target:");
let roblox_auth = match RobloxAuth::new().await {
Ok(v) => v,
let cookie_store = match RobloxCookieStore::new() {
Ok(v) => Arc::new(v),
Err(e) => {
logger::end_action(Paint::red(e));
return 1;
}
};
let roblox_api = match RobloxApi::new(roblox_auth) {
let csrf_token_store = RobloxCsrfTokenStore::new();
let roblox_api = match RobloxApi::new(cookie_store, csrf_token_store) {
Ok(v) => v,
Err(e) => {
logger::end_action(Paint::red(e));
Expand Down
8 changes: 8 additions & 0 deletions mantle/project-fixtures/light/mantle.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,14 @@ target:
name: Lightweight Mantle Test
serverFill:
reservedSlots: 4
badges:
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Undo this local testing change

myBadge:
name: Badge
icon: assets/badge-2.png
assets:
- assets/*
thumbnails:
- assets/badge-2.png

state:
remote:
Expand Down
100 changes: 60 additions & 40 deletions mantle/rbx_api/src/asset_aliases/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -18,18 +18,23 @@ impl RobloxApi {
asset_id: AssetId,
name: String,
) -> RobloxApiResult<()> {
let req = self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
.header(header::CONTENT_LENGTH, 0)
.query(&[
("universeId", experience_id.to_string().as_str()),
("name", name.as_str()),
("type", "1"),
("targetId", asset_id.to_string().as_str()),
]);

handle(req).await?;
let res = self
.csrf_token_store
.send_request(|| async {
Ok(self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
.header(header::CONTENT_LENGTH, 0)
.query(&[
("universeId", experience_id.to_string().as_str()),
("name", name.as_str()),
("type", "1"),
("targetId", asset_id.to_string().as_str()),
]))
})
.await;

handle(res).await?;

Ok(())
}
Expand All @@ -41,18 +46,23 @@ impl RobloxApi {
previous_name: String,
name: String,
) -> RobloxApiResult<()> {
let req = self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
.query(&[
("universeId", experience_id.to_string().as_str()),
("oldName", previous_name.as_str()),
("name", name.as_str()),
("type", "1"),
("targetId", asset_id.to_string().as_str()),
]);

handle(req).await?;
let res = self
.csrf_token_store
.send_request(|| async {
Ok(self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
.query(&[
("universeId", experience_id.to_string().as_str()),
("oldName", previous_name.as_str()),
("name", name.as_str()),
("type", "1"),
("targetId", asset_id.to_string().as_str()),
]))
})
.await;

handle(res).await?;

Ok(())
}
Expand All @@ -62,13 +72,18 @@ impl RobloxApi {
experience_id: AssetId,
name: String,
) -> RobloxApiResult<()> {
let req = self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
.header(header::CONTENT_LENGTH, 0)
.query(&[("universeId", &experience_id.to_string()), ("name", &name)]);

handle(req).await?;
let res = self
.csrf_token_store
.send_request(|| async {
Ok(self
.client
.post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
.header(header::CONTENT_LENGTH, 0)
.query(&[("universeId", &experience_id.to_string()), ("name", &name)]))
})
.await;

handle(res).await?;

Ok(())
}
Expand All @@ -78,15 +93,20 @@ impl RobloxApi {
experience_id: AssetId,
page: u32,
) -> RobloxApiResult<ListAssetAliasesResponse> {
let req = self
.client
.get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
.query(&[
("universeId", &experience_id.to_string()),
("page", &page.to_string()),
]);

handle_as_json(req).await
let res = self
.csrf_token_store
.send_request(|| async {
Ok(self
.client
.get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
.query(&[
("universeId", &experience_id.to_string()),
("page", &page.to_string()),
]))
})
.await;

handle_as_json(res).await
}

pub async fn get_all_asset_aliases(
Expand Down
23 changes: 14 additions & 9 deletions mantle/rbx_api/src/asset_permissions/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -11,17 +11,22 @@ impl RobloxApi {
request: R,
) -> RobloxApiResult<()>
where
R: Into<GrantAssetPermissionsRequest>,
R: Into<GrantAssetPermissionsRequest> + Clone,
{
let req = self
.client
.patch(format!(
"https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
asset_id
))
.json(&request.into());
let res = self
.csrf_token_store
.send_request(|| async {
Ok(self
.client
.patch(format!(
"https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
asset_id
))
.json(&request.clone().into()))
})
.await;

handle(req).await?;
handle(res).await?;

Ok(())
}
Expand Down
8 changes: 4 additions & 4 deletions mantle/rbx_api/src/asset_permissions/models.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,26 @@ use serde::Serialize;

use crate::models::AssetId;

#[derive(Serialize)]
#[derive(Serialize, Clone)]
#[serde(rename_all = "camelCase")]
pub struct GrantAssetPermissionsRequest {
pub requests: Vec<GrantAssetPermissionsRequestRequest>,
}

#[derive(Serialize)]
#[derive(Serialize, Clone)]
#[serde(rename_all = "camelCase")]
pub struct GrantAssetPermissionsRequestRequest {
pub subject_type: GrantAssetPermissionRequestSubjectType,
pub subject_id: AssetId,
pub action: GrantAssetPermissionRequestAction,
}

#[derive(Serialize)]
#[derive(Serialize, Clone)]
pub enum GrantAssetPermissionRequestSubjectType {
Universe,
}

#[derive(Serialize)]
#[derive(Serialize, Clone)]
pub enum GrantAssetPermissionRequestAction {
Use,
}
Expand Down
Loading
Loading