Julli4n / roblox-bat

A Deno/NodeJS module to generate Roblox BAT tokens for extensions
MIT License

Should you generate the keys or get the original ones generated by Roblox? #5

Open Shecho-py opened 1 month ago

Shecho-py commented 1 month ago

Sorry, I'm confused about whether you need to get the DB keys from Roblox or generate them yourself, because in your code, if you can't get them, you generate them. Would the x-bound-authentication-token work for authentication APIs with the .ROBLOSECURITY cookie if you generated brand new keys, because isn't the whole point to prove that you have the original per-session keys and the .ROBLOSECURITY cookie to authenticate?

blul1ghtz commented 2 weeks ago

Somebody please explain to me how the f*** you get the token. I'm looking here, I pass in my .ROBLOSECURITY token and NEVER EVER get an x-bound-auth-token. What is going on here?

Julli4n commented 1 week ago

Sorry, I'm confused about whether you need to get the DB keys from Roblox or generate them yourself, because in your code, if you can't get them, you generate them. Would the x-bound-authentication-token work for authentication APIs with the .ROBLOSECURITY cookie if you generated brand new keys, because isn't the whole point to prove that you have the original per-session keys and the .ROBLOSECURITY cookie to authenticate?

If the session was created on www.roblox.com, you can only use the keys in the browser the session was created on (due to them being unextractable). Unless you hijack their crypto.subtle.generateKey method and create extractable keys then return new, unextractable keys, there is no way to use them externally.

If you do all the authentication manually, but you do not support the secureAuthenticationIntent params in the authentication endpoints (/v2/login, /v2/signup), or you disable Account session protection (as said below), there is no need to use this module.

blul1ghtz commented 1 week ago

I found that I could make requests without x-bound-authentication-token and only x-csrf by disabling account protection (cannot be reverted), if that helps anybody out.