4chan / 4chan-API

Documentation for 4chan's read-only JSON API.
http://www.4chan.org/

Consider adding POST API docs in some future #91

Open catamphetamine opened 3 years ago

catamphetamine commented 3 years ago

Something like this: https://gitlab.com/catamphetamine/imageboard/-/blob/master/docs/engines/4chan.md#post-a-comment

Adamantcheese commented 3 years ago

Specifically for logins, here's some relevant info: There's this 4chan_pass= cookie that gets sent with some requests, but I don't know what sets it and it doesn't seem necessary.

POST login parameters:

- "id", pass ID
- "pin", pass PIN
- "long_login", 1 (optional)

"act", "do_login" is not required. When you do login, the following cookies will be set:

- pass_id=; Path=/; Max-Age=86400; Domain=.4chan.org; SameSite=None; Secure; HttpOnly
- pass_enabled=1; Path=/; Max-Age=86400; Domain=.4chan.org; SameSite=None; Secure

POST logout parameters:

- "logout", 1

When you do logout, the following cookies will be set:

- pass_id=; Path=/; Max-Age=-3600; Domain=.4chan.org; SameSite=None; Secure; HttpOnly
- pass_enabled=; Path=/; Max-Age=-3600; Domain=.4chan.org; SameSite=None; Secure

Note these will automatically expire.

If you get an "another IP is using this" error, some specific cookies will be automatically set: cookies_pass_fail

ccd0 commented 3 years ago

The 4chan_pass= cookie is a remnant of the post deletion password field. There's some JavaScript on the page that sets it to a random value if not set yet. It's stored with the post, and it allows you to delete the post from a different IP address. Given 4chan's restrictions on post deletion, it's not very valuable anymore. It is also now used to automatically detect ban evaders if they post with the same cookie from an unbanned IP.

Adamantcheese commented 3 years ago

I should mention also for logins that sys.4chan.org/auth and sys.4channel.org/auth return the same cookies, but with a different domain. You can use cookies between the two without issue.

Adamantcheese commented 3 years ago

There is currently a bug in 4chan's backend where the "another IP is using this" error will only ever return cookies with a 4chan.org domain. You can submit posts with sys.4chan.org or sys.4channel.org, but the cookies returned will only ever be for 4chan.org. Since it appears that cookies can be and are split across the two sites in other ways, I think that's probably not intended.
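
An added example, not code from this thread or from 4chan: it applies RFC 6265 cookie-jar rules to the Set-Cookie values quoted in the comments above, showing which ones store or delete a cookie, which are readable by page scripts, and whether a standards-following jar would send a `.4chan.org` cookie to `sys.4channel.org`. The function names are hypothetical, and the header strings are sample input built from the quoted values.

```javascript
// Constructed sample input: Set-Cookie values as quoted in the thread.
const LOGIN = [
  "pass_id=; Path=/; Max-Age=86400; Domain=.4chan.org; SameSite=None; Secure; HttpOnly",
  "pass_enabled=1; Path=/; Max-Age=86400; Domain=.4chan.org; SameSite=None; Secure",
];
const LOGOUT = [
  "pass_id=; Path=/; Max-Age=-3600; Domain=.4chan.org; SameSite=None; Secure; HttpOnly",
  "pass_enabled=; Path=/; Max-Age=-3600; Domain=.4chan.org; SameSite=None; Secure",
];

// Parse one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// RFC 6265: a Max-Age of zero or less expires the cookie at once (the logout case).
function isDeletion(cookie) {
  const maxAge = cookie.attrs["max-age"];
  return maxAge !== undefined && Number(maxAge) <= 0;
}

// RFC 6265 domain-match: the leading dot is ignored; the request host must equal
// the Domain value or be a subdomain of it. Host-only cookies are not handled here.
function domainMatches(cookie, host) {
  const domain = String(cookie.attrs.domain || "").replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return domain !== "" && (h === domain || h.endsWith("." + domain));
}

// Summarise what a cookie jar would do with one Set-Cookie for a request host.
function audit(line, host) {
  const c = parseSetCookie(line);
  const sameSite = String(c.attrs.samesite).toLowerCase();
  return {
    name: c.name,
    action: isDeletion(c) ? "delete" : "store",
    sentTo: domainMatches(c, host),
    scriptReadable: c.attrs.httponly !== true, // no HttpOnly: visible to page scripts
    sameSiteOk: sameSite !== "none" || c.attrs.secure === true, // None needs Secure
  };
}
```

A client that builds its own Cookie header is not bound by the domain-match result; the check shows what a browser-style jar does with the attributes as returned.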