Embed URL doesn't work in iframe

[KDJDEV]

First of all I just want to say great job with this library! I'm very impressed that you reverse engineered the arkose labs cryptography from that terribly obfuscated code. I semi-gave up myself, but then found this library.

I'm trying to login to Roblox. I've managed to create a session and get a token successfully. Realizing that the blob is one use only, my current solution is to block requests towards the /public_key API so that the blob doesn't get used, and then grab the blob from the page. Is this a good solution?

I'm able to fetch a session embed link like this using the getEmbedURL function:

https://roblox-api.arkoselabs.com/fc/gc/?token=5861779e11e73c646.4949504801&r=us-east-1&meta=3&metabgclr=transparent&metaiconclr=%23757575&maintxtclr=%23b8b8b8&guitextcolor=%23474747&lang=en&pk=476068BF-9607-4799-B53D-966BE98E2B81&at=40&sup=1&rid=12&ag=101&cdn_url=https%3A%2F%2Froblox-api.arkoselabs.com%2Fcdn%2Ffc&lurl=https%3A%2F%2Faudio-us-east-1.arkoselabs.com&surl=https%3A%2F%2Froblox-api.arkoselabs.com&smurl=https%3A%2F%2Froblox-api.arkoselabs.com%2Fcdn%2Ffc%2Fassets%2Fstyle-manager&mbio=true

However, when I try putting that inside of an iframe, the captcha doesn't appear. I'm trying to do this on an about:blank page, though I've also tried it by inserting into the Roblox website. No dice either way.

Additionally, when I try and run getChallenge on the session, I get an error:

C:\Users\KDJ\funcaptcha\node_modules\funcaptcha\lib\session.js:50
        if (data.game_data.gameType == 1) {
                           ^

TypeError: Cannot read properties of undefined (reading 'gameType')

Why is this function not working, since I've successfully created a session?

Here's my full code:

const fun = require("funcaptcha")

fun.getToken({
    pkey: "476068BF-9607-4799-B53D-966BE98E2B81",
    surl: "https://roblox-api.arkoselabs.com",
    data: {
        blob: "<valid blob>"
    },
    headers: {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36',
    },
    site: "https://www.roblox.com",
}).then(async token => {
    let session = new fun.Session(token, { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' })
    console.log(session)
    console.log(session.getEmbedUrl())
    let challenge = await session.getChallenge() //errors here
    console.log(challenge.gameType)
})

Thanks for your time! Sincerely, KDJ

[noahcoolboy]

Hi!

The embed URL you have provided contains "sup=1". This stands for "suppressed captcha", which means you do not need to solve it. In short, arkose labs is trusting the IP and fingerprint enough as to not give any captcha for you to solve. You can freely use the token, as it is instantly valid, and it does not require you to solve it. As it is suppressed, it is not expected for you to load it (using getChallenge), which makes it error.

This can be checked using 2 easy ways. When the raw token string contains sup=1 Or by using the session.tokenInfo.sup property (and comparing it to 1). As this is quite important, I will be updating the documentation accordingly.

Feel free to close this issue once you have been able to resolve this issue.

[KDJDEV]

Thanks for the response! That is interesting about the "sup" parameter. Indeed, the getChallenge method works when sup != 1.

Even when I do have a request without the "sup=1", and for a request that I know should serve a captcha, the embed URL doesn't work when I put it into an iframe.

https://roblox-api.arkoselabs.com/fc/gc/?token=544177a278812e3a6.7298509601&r=us-east-1&meta=3&metabgclr=transparent&metaiconclr=%23757575&maintxtclr=%23b8b8b8&guitextcolor=%23474747&lang=en&pk=476068BF-9607-4799-B53D-966BE98E2B81&at=40&ag=101&cdn_url=https%3A%2F%2Froblox-api.arkoselabs.com%2Fcdn%2Ffc&lurl=https%3A%2F%2Faudio-us-east-1.arkoselabs.com&surl=https%3A%2F%2Froblox-api.arkoselabs.com&smurl=https%3A%2F%2Froblox-api.arkoselabs.com%2Fcdn%2Ffc%2Fassets%2Fstyle-manager&mbio=true

Additionally, I can't figure out how to login. I've looked at some of your past code, but it must be outdated because I do not see many of the parameters existent on the /v2/login API response anymore. For instance, I don't see this fieldData parameter on the /v2/login error anymore. https://github.com/noahcoolboy/UP2C/blob/693920c024432fdb67d002f7ef558bcd53155619/main.js#L56

One thing I'm not sure how to get is the captchaId. I see it present on the Roblox API docs, but I'm not sure how to get it. I do not see it being returned by this library with the session or the challenge.

Additionally, another thing that confuses me is that when I look at the /v2/login request made when I actually log into roblox.com, I don't see any of this data present in the request body. All I see is a bunch of request headers, such as Rblx-Challenge-Id and Rblx-Challenge-Metadata.

Can you shed any light on this? How should I go about making a request to the /v2/login endpoint to login, let's say given that I get a request with sup=1, so that I shouldn't need to solve the captcha.

Thank you so much again for your time. Sincerely, Kyle

[noahcoolboy]

Hello again.

For learning how to log in with Roblox, I suggest you take a look at the Roblox test code. https://github.com/noahcoolboy/funcaptcha/blob/master/test/roblox.js

UP2C is in fact outdated and no longer maintained. I am unsure however if getEmbedUrl still works as it may very well have been patched.

Captcha ID is specific to Roblox, and unrelated to this library.

[seteri]

@KDJDEV tell me if u find solution for embed not showing. I am trying to show iframe on my own website but its just a white screen and does not load

[adiazma]

I am having the same issue, I thought was the webpage that I am using, but the embedded URL is not working. FYI I don't have sup=1 in my params.

[adiazma]

Also, in some cases the iframe load, but returns this Would be something with the CORS?

[adiazma]

Ok so when the URL expires is when is rendered but, used the first time doesn't work.

[seteri]

Ok so when the URL expires is when is rendered but, used the first time doesn't work.

please tag me if u find something

[Kaiddd]

Having same issue, properly fetches url, not sup, won't work in iframe...