Release v6.0.2

Implement CSRF challenge support in upload
Release 6.0.1
2026-04-20 20:55:50 +00:00 · 2021-02-09 11:45:58 -05:00 · 2021-02-09 11:36:59 -05:00 · 2021-01-22 13:47:39 -07:00 · 2021-01-22 13:41:55 -07:00 · 2021-01-18 14:54:12 -07:00
8 changed files with 43 additions and 37 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@

 ## Unreleased Changes

+## [6.0.2](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.2) (February 9, 2021)
+* Fixed `rojo upload` to handle CSRF challenges.
+
+## [6.0.1](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.1) (January 22, 2021)
+* Fixed `rojo upload` requests being rejected by Roblox
+
 ## [6.0.0](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.0) (January 16, 2021)
 * Improved server error messages
    * The server will now keep running in more error cases
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1961,7 +1961,7 @@ dependencies = [

 [[package]]
 name = "rojo"
-version = "6.0.0"
+version = "6.0.2"
 dependencies = [
 "anyhow",
 "backtrace",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rojo"
-version = "6.0.0"
+version = "6.0.2"
 authors = ["Lucien Greathouse <me@lpghatguy.com>"]
 description = "Enables professional-grade development tools for Roblox developers"
 license = "MPL-2.0"
--- a/plugin/src/Config.lua
+++ b/plugin/src/Config.lua
@@ -5,7 +5,7 @@ local isDevBuild = script.Parent.Parent:FindFirstChild("ROJO_DEV_BUILD") ~= nil
 return strict("Config", {
 	isDevBuild = isDevBuild,
 	codename = "Epiphany",
-	version = {6, 0, 0},
+	version = {6, 0, 2},
 	expectedServerVersionString = "6.0 or newer",
 	protocolVersion = 3,
 	defaultHost = "localhost",
--- a/src/change_processor.rs
+++ b/src/change_processor.rs
@@ -9,7 +9,6 @@ use memofs::{IoResultExt, Vfs, VfsEvent};
 use rbx_dom_weak::{RbxId, RbxValue};

 use crate::{
-    error::ErrorDisplay,
    message_queue::MessageQueue,
    snapshot::{
        apply_patch_set, compute_patch_set, AppliedPatchSet, InstigatingSource, PatchSet, RojoTree,
@@ -313,7 +312,7 @@ fn compute_and_apply_changes(tree: &mut RojoTree, vfs: &Vfs, id: RbxId) -> Optio
                apply_patch_set(tree, patch_set)
            }
            Err(err) => {
-                log::error!("Error processing filesystem change: {}", ErrorDisplay(err));
+                log::error!("Error processing filesystem change: {:?}", err);
                return None;
            }
        },
--- a/src/cli/upload.rs
+++ b/src/cli/upload.rs
@@ -1,5 +1,8 @@
 use memofs::Vfs;
-use reqwest::header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT};
+use reqwest::{
+    header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT},
+    StatusCode,
+};
 use thiserror::Error;

 use crate::{auth_cookie::get_auth_cookie, cli::UploadCommand, serve_session::ServeSession};
@@ -41,25 +44,42 @@ pub fn upload(options: UploadCommand) -> Result<(), anyhow::Error> {
        .property_behavior(rbx_xml::EncodePropertyBehavior::WriteUnknown);

    rbx_xml::to_writer(&mut buffer, tree.inner(), &encode_ids, config)?;
+    do_upload(buffer, options.asset_id, &cookie)
+}

+fn do_upload(buffer: Vec<u8>, asset_id: u64, cookie: &str) -> anyhow::Result<()> {
    let url = format!(
        "https://data.roblox.com/Data/Upload.ashx?assetid={}",
-        options.asset_id
+        asset_id
    );

-    log::trace!("POSTing to {}", url);
    let client = reqwest::Client::new();
-    let mut response = client
-        .post(&url)
-        .header(COOKIE, format!(".ROBLOSECURITY={}", &cookie))
-        .header(USER_AGENT, "Roblox/WinInet")
-        .header("Requester", "Client")
-        .header(CONTENT_TYPE, "application/xml")
-        .header(ACCEPT, "application/json")
-        .body(buffer)
-        .send()?;

-    if !response.status().is_success() {
+    let build_request = move || {
+        client
+            .post(&url)
+            .header(COOKIE, format!(".ROBLOSECURITY={}", cookie))
+            .header(USER_AGENT, "Roblox/WinInet")
+            .header(CONTENT_TYPE, "application/xml")
+            .header(ACCEPT, "application/json")
+            .body(buffer.clone())
+    };
+
+    log::debug!("Uploading to Roblox...");
+    let mut response = build_request().send()?;
+
+    // Starting in Feburary, 2021, the upload endpoint performs CSRF challenges.
+    // If we receive an HTTP 403 with a X-CSRF-Token reply, we should retry the
+    // request, echoing the value of that header.
+    if response.status() == StatusCode::FORBIDDEN {
+        if let Some(csrf_token) = response.headers().get("X-CSRF-Token") {
+            log::debug!("Received CSRF challenge, retrying with token...");
+            response = build_request().header("X-CSRF-Token", csrf_token).send()?;
+        }
+    }
+
+    let status = response.status();
+    if !status.is_success() {
        return Err(Error::RobloxApi {
            body: response.text()?,
        }
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,18 +0,0 @@
-use std::{error::Error, fmt};
-
-/// Wrapper type to print errors with source-chasing.
-pub struct ErrorDisplay<E>(pub E);
-
-impl<E: Error> fmt::Display for ErrorDisplay<E> {
-    fn fmt(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
-        writeln!(formatter, "{}", self.0)?;
-
-        let mut current_err: &dyn Error = &self.0;
-        while let Some(source) = current_err.source() {
-            writeln!(formatter, "  caused by {}", source)?;
-            current_err = &*source;
-        }
-
-        Ok(())
-    }
-}
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -9,7 +9,6 @@ mod tree_view;

 mod auth_cookie;
 mod change_processor;
-mod error;
 mod glob;
 mod lua_ast;
 mod message_queue;
Author	SHA1	Message	Date
Lucien Greathouse	b84aab0960	Release v6.0.2	2021-02-09 11:45:58 -05:00
Lucien Greathouse	0e89b91c38	Implement CSRF challenge support in upload	2021-02-09 11:36:59 -05:00
Lucien Greathouse	7888a704e1	Release 6.0.1	2021-01-22 13:47:39 -07:00
Lucien Greathouse	804fd3de8e	Remove Requester header to handle API change	2021-01-22 13:41:55 -07:00
Lucien Greathouse	4992c36f08	Delete ErrorDisplay, use anyhow instead!	2021-01-18 14:54:12 -07:00