Release v6.0.2

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## Unreleased Changes
 
+## [6.0.2](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.2) (February 9, 2021)
+* Fixed `rojo upload` to handle CSRF challenges.
+
 ## [6.0.1](https://github.com/rojo-rbx/rojo/releases/tag/v6.0.1) (January 22, 2021)
 * Fixed `rojo upload` requests being rejected by Roblox
 

Cargo.lock

@@ -1961,7 +1961,7 @@ dependencies = [
 
 [[package]]
 name = "rojo"
-version = "6.0.1"
+version = "6.0.2"
 dependencies = [
  "anyhow",
  "backtrace",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rojo"
-version = "6.0.1"
+version = "6.0.2"
 authors = ["Lucien Greathouse <me@lpghatguy.com>"]
 description = "Enables professional-grade development tools for Roblox developers"
 license = "MPL-2.0"

plugin/src/Config.lua

@@ -5,7 +5,7 @@ local isDevBuild = script.Parent.Parent:FindFirstChild("ROJO_DEV_BUILD") ~= nil
 return strict("Config", {
 	isDevBuild = isDevBuild,
 	codename = "Epiphany",
-	version = {6, 0, 1},
+	version = {6, 0, 2},
 	expectedServerVersionString = "6.0 or newer",
 	protocolVersion = 3,
 	defaultHost = "localhost",

src/cli/upload.rs

@@ -1,5 +1,8 @@
 use memofs::Vfs;
-use reqwest::header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT};
+use reqwest::{
+    header::{ACCEPT, CONTENT_TYPE, COOKIE, USER_AGENT},
+    StatusCode,
+};
 use thiserror::Error;
 
 use crate::{auth_cookie::get_auth_cookie, cli::UploadCommand, serve_session::ServeSession};
@@ -41,28 +44,42 @@ pub fn upload(options: UploadCommand) -> Result<(), anyhow::Error> {
         .property_behavior(rbx_xml::EncodePropertyBehavior::WriteUnknown);
 
     rbx_xml::to_writer(&mut buffer, tree.inner(), &encode_ids, config)?;
+    do_upload(buffer, options.asset_id, &cookie)
+}
 
+fn do_upload(buffer: Vec<u8>, asset_id: u64, cookie: &str) -> anyhow::Result<()> {
     let url = format!(
         "https://data.roblox.com/Data/Upload.ashx?assetid={}",
-        options.asset_id
+        asset_id
     );
 
-    log::trace!("POSTing to {}", url);
     let client = reqwest::Client::new();
-    let mut response = client
-        .post(&url)
-        .header(COOKIE, format!(".ROBLOSECURITY={}", &cookie))
-        .header(USER_AGENT, "Roblox/WinInet")
-        .header(CONTENT_TYPE, "application/xml")
-        .header(ACCEPT, "application/json")
-        .body(buffer)
-        .send()?;
+
+    let build_request = move || {
+        client
+            .post(&url)
+            .header(COOKIE, format!(".ROBLOSECURITY={}", cookie))
+            .header(USER_AGENT, "Roblox/WinInet")
+            .header(CONTENT_TYPE, "application/xml")
+            .header(ACCEPT, "application/json")
+            .body(buffer.clone())
+    };
+
+    log::debug!("Uploading to Roblox...");
+    let mut response = build_request().send()?;
+
+    // Starting in Feburary, 2021, the upload endpoint performs CSRF challenges.
+    // If we receive an HTTP 403 with a X-CSRF-Token reply, we should retry the
+    // request, echoing the value of that header.
+    if response.status() == StatusCode::FORBIDDEN {
+        if let Some(csrf_token) = response.headers().get("X-CSRF-Token") {
+            log::debug!("Received CSRF challenge, retrying with token...");
+            response = build_request().header("X-CSRF-Token", csrf_token).send()?;
+        }
+    }
 
     let status = response.status();
-
     if !status.is_success() {
-        log::error!("Error uploading, status: {}", status);
-
         return Err(Error::RobloxApi {
             body: response.text()?,
         }