Alexell / XEmpireBot

Bot that earns money in X Empire (Musk Empire)

Why are you sending an api-hash and api-key to your own server? #91

Closed cr4zyfish closed 3 months ago

cr4zyfish commented 3 months ago

Why are you sending api-hash and api-key to your own server at https://alexell.pro/crypto/x-empire/data/ ?

file: bot.py

    async def get_helper(self) -> dict:
        # Endpoint on the author's own server, not the game's API
        url = 'https://alexell.pro/crypto/x-empire/data/'
        try:
            json_data = {'data': 'alexell'}
            # Adds the Api-Time / Api-Hash request-signature headers
            await self.set_sign_headers(data=json_data)
            response = await self.http_client.post(url, json=json_data)
            if response.status in [200, 400, 401, 403]:
                response_json = await response.json()
                success = response_json.get('success', False)
                if success:
                    return response_json.get('result', {})
                else:
                    log.error(f"{self.session_name} | Get helper error: {response.status} {response_json.get('message', '')}")
                    return {}
            # Any other status: return an empty dict instead of an implicit None
            return {}
        except Exception as error:
            log.error(f"{self.session_name} | Get helper error: {str(error)}")
            return {}

line: await self.set_sign_headers(data=json_data)

Alexell commented 3 months ago

I changed the address and request format several times because I was fighting a bad guy who was stealing my investment data. At some point, I just added the same request signing mechanism that is used for the game, so as not to invent something new. There is nothing about Api-Key, the set_sign_headers function uses Api-Time and Api-Hash. Api-Hash is just a request signature, which is md5(time_json). And on the server I use them for verification: (image)
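The signing scheme described in the comment above (Api-Time plus Api-Hash = md5 over time and body), written out as an added illustration rather than the project's own code, next to a keyed variant for comparison; the concatenation order, the freshness window and the key are assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical server-side key; the thread describes no key at all.
SERVER_KEY = b"constructed-example-key"
MAX_SKEW = 60  # seconds; constructed freshness window


def canonical(data: dict) -> str:
    """Compact, key-sorted JSON so client and server hash identical bytes."""
    return json.dumps(data, separators=(",", ":"), sort_keys=True)


def sign_unkeyed(data: dict, api_time: int) -> dict:
    """Mirror of the described scheme: Api-Hash = md5(time_json).
    Assumption: the decimal timestamp is concatenated with the JSON body."""
    digest = hashlib.md5(f"{api_time}{canonical(data)}".encode()).hexdigest()
    return {"Api-Time": str(api_time), "Api-Hash": digest}


def verify_unkeyed(headers: dict, data: dict, now: int) -> bool:
    """Server-side check for the unkeyed scheme: freshness plus hash match.
    No secret is involved, so this shows the body is intact and recent,
    not who produced it."""
    api_time = int(headers["Api-Time"])
    if abs(now - api_time) > MAX_SKEW:
        return False
    expected = sign_unkeyed(data, api_time)["Api-Hash"]
    return hmac.compare_digest(expected, headers["Api-Hash"])


def sign_keyed(data: dict, api_time: int, key: bytes = SERVER_KEY) -> dict:
    """Keyed variant: HMAC-SHA256 over the same bytes with a shared key,
    so only holders of the key can produce an accepted Api-Hash."""
    msg = f"{api_time}{canonical(data)}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"Api-Time": str(api_time), "Api-Hash": digest}


def verify_keyed(headers: dict, data: dict, now: int, key: bytes = SERVER_KEY) -> bool:
    """Server-side check for the keyed variant: freshness plus HMAC match."""
    api_time = int(headers["Api-Time"])
    if abs(now - api_time) > MAX_SKEW:
        return False
    expected = sign_keyed(data, api_time, key)["Api-Hash"]
    return hmac.compare_digest(expected, headers["Api-Hash"])
```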

cr4zyfish commented 3 months ago

Maybe a setting to disable investment is also needed in .env file.

axeed11 commented 3 months ago

> I changed the address and request format several times because I was fighting a bad guy who was stealing my investment data. At some point, I just added the same request signing mechanism that is used for the game, so as not to invent something new. There is nothing about Api-Key, the set_sign_headers function uses Api-Time and Api-Hash. Api-Hash is just a request signature, which is md5(time_json). And on the server I use them for verification: (image)

ummm but why do u need to store this data on your own site? this seems really suspicious

Alexell commented 3 months ago

@axeed11 What are you talking about? I don't store anything on the site. The Api-Time and Api-Hash headers are only used to sign the request that comes to the script. There is no value in these headers to store them anyway. How did you even come up with this?

Alexell commented 3 months ago

Now you can set INVEST_ENABLED=False in your .env file to disable this functionality. But first, update the bot.