Release v6.0.2

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## Unreleased Changes
 
+## [6.0.2](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.2) (February 9, 2021)
+* Fixed `rojo upload` to handle CSRF challenges.
+
+## [6.0.1](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.1) (January 22, 2021)
+* Fixed `rojo upload` requests being rejected by Roblox
+
 ## [6.0.0](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.0) (January 16, 2021)
 * Improved server error messages
     * The server will now keep running in more error cases

Cargo.lock

@@ -1961,7 +1961,7 @@ dependencies = [
 
 [[package]]
 name = "rojo"
-version = "6.0.0"
+version = "6.0.2"
 dependencies = [
  "anyhow",
  "backtrace",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rojo"
-version = "6.0.0"
+version = "6.0.2"
 authors = ["Lucien Greathouse <me@lpghatguy.com>"]
 description = "Enables professional-grade development tools for Roblox developers"
 license = "MPL-2.0"

plugin/src/Config.lua

@@ -5,7 +5,7 @@ local isDevBuild = script.Parent.Parent:FindFirstChild("ROJO_DEV_BUILD") ~= nil
 return strict("Config", {
 	isDevBuild = isDevBuild,
 	codename = "Epiphany",
-	version = {6, 0, 0},
+	version = {6, 0, 2},
 	expectedServerVersionString = "6.0 or newer",
 	protocolVersion = 3,
 	defaultHost = "localhost",

src/change_processor.rs

@@ -9,7 +9,6 @@ use memofs::{IoResultExt, Vfs, VfsEvent};
 use rbx_dom_weak::{RbxId, RbxValue};
 
 use crate::{
-    error::ErrorDisplay,
     message_queue::MessageQueue,
     snapshot::{
         apply_patch_set, compute_patch_set, AppliedPatchSet, InstigatingSource, PatchSet, RojoTree,
@@ -313,7 +312,7 @@ fn compute_and_apply_changes(tree: &mut RojoTree, vfs: &Vfs, id: RbxId) -> Optio
                 apply_patch_set(tree, patch_set)
             }
             Err(err) => {
-                log::error!("Error processing filesystem change: {}", ErrorDisplay(err));
+                log::error!("Error processing filesystem change: {:?}", err);
                 return None;
             }
         },

src/cli/upload.rs

@@ -1,5 +1,8 @@
 use memofs::Vfs;
-use reqwest::header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT};
+use reqwest::{
+    header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT},
+    StatusCode,
+};
 use thiserror::Error;
 
 use crate::{auth_cookie::get_auth_cookie, cli::UploadCommand, serve_session::ServeSession};
@@ -41,25 +44,42 @@ pub fn upload(options: UploadCommand) -> Result<(), anyhow::Error> {
         .property_behavior(rbx_xml::EncodePropertyBehavior::WriteUnknown);
 
     rbx_xml::to_writer(&mut buffer, tree.inner(), &encode_ids, config)?;
+    do_upload(buffer, options.asset_id, &cookie)
+}
 
+fn do_upload(buffer: Vec<u8>, asset_id: u64, cookie: &str) -> anyhow::Result<()> {
     let url = format!(
         "https://data.roblox.com/Data/Upload.ashx?assetid={}",
-        options.asset_id
+        asset_id
     );
 
-    log::trace!("POSTing to {}", url);
     let client = reqwest::Client::new();
-    let mut response = client
-        .post(&url)
-        .header(COOKIE, format!(".ROBLOSECURITY={}", &cookie))
-        .header(USER_AGENT, "Roblox/WinInet")
-        .header("Requester", "Client")
-        .header(CONTENT_TYPE, "application/xml")
-        .header(ACCEPT, "application/json")
-        .body(buffer)
-        .send()?;
 
-    if !response.status().is_success() {
+    let build_request = move || {
+        client
+            .post(&url)
+            .header(COOKIE, format!(".ROBLOSECURITY={}", cookie))
+            .header(USER_AGENT, "Roblox/WinInet")
+            .header(CONTENT_TYPE, "application/xml")
+            .header(ACCEPT, "application/json")
+            .body(buffer.clone())
+    };
+
+    log::debug!("Uploading to Roblox...");
+    let mut response = build_request().send()?;
+
+    // Starting in Feburary, 2021, the upload endpoint performs CSRF challenges.
+    // If we receive an HTTP 403 with a X-CSRF-Token reply, we should retry the
+    // request, echoing the value of that header.
+    if response.status() == StatusCode::FORBIDDEN {
+        if let Some(csrf_token) = response.headers().get("X-CSRF-Token") {
+            log::debug!("Received CSRF challenge, retrying with token...");
+            response = build_request().header("X-CSRF-Token", csrf_token).send()?;
+        }
+    }
+
+    let status = response.status();
+    if !status.is_success() {
         return Err(Error::RobloxApi {
             body: response.text()?,
         }

src/error.rs

@@ -1,18 +0,0 @@
-use std::{error::Error, fmt};
-
-/// Wrapper type to print errors with source-chasing.
-pub struct ErrorDisplay<E>(pub E);
-
-impl<E: Error> fmt::Display for ErrorDisplay<E> {
-    fn fmt(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
-        writeln!(formatter, "{}", self.0)?;
-
-        let mut current_err: &dyn Error = &self.0;
-        while let Some(source) = current_err.source() {
-            writeln!(formatter, "  caused by {}", source)?;
-            current_err = &*source;
-        }
-
-        Ok(())
-    }
-}

src/lib.rs

@@ -9,7 +9,6 @@ mod tree_view;
 
 mod auth_cookie;
 mod change_processor;
-mod error;
 mod glob;
 mod lua_ast;
 mod message_queue;