Http session script

[Nikitkam]

HI!

I'm trying to make a script to log in via HTTP GET/POST requests, but on the second request I always have 403 Forbidden error.

Can you advice me what is wrong with code below

local http = require("socket.http")
local ltn12 = require 'ltn12'
local json = require('json')

local body = {}
local res, code, headers, status = http.request{
  url = "https://passport.yandex.ru/am?app_platform=android",
  sink = ltn12.sink.table(body)
}
local response = table.concat(body)
local set_cookie = headers["set-cookie"]
i,j = string.find(response, 'name="csrf_token" value="')
k,l = string.find(response, '"/><div class="')
local csrf_token=string.sub(response,j,k)
local payload = '{"csrf_token":'.. csrf_token .. ',"login":"marakhouski"}'
local response_body = { }
log(payload)
local res, code, response_headers, status = http.request
    {
        url ="https://passport.yandex.ru/registration-validations/auth/multi_step/start",
        method = "POST",
        headers =
          { cookie = set_cookie,
            ["Content-Type"] = "application/json",
            ["Content-Length"] = payload:len()
            },
        source = ltn12.source.string(payload),
        sink = ltn12.sink.table(response_body)
    }
response = table.concat(response_body)
log(status)



By The way this Code is LUA version of Python Script:


import requests


class YandexAPI:
    quasar_url = "https://iot.quasar.yandex.ru/m/user"
    music_url = "https://api.music.yandex.net"
    session = requests.session()
    csrf_token = None
    music_uid = 0
    login = ""
    password = ""

    def __init__(self, login, password):
        self.login = login
        self.password = password
        self.session.headers.update({
            'User-Agent': 'Chrome',
            'Host': 'passport.yandex.ru'
        })


        resp = self.session.get("https://passport.yandex.ru/am?app_platform=android")
        m = re.search(r'"csrf_token" value="([^"]+)"', resp.text)
        auth_payload = {"csrf_token": m[1]}
        self.csrf_token = m[1]
       
        resp= self.session.post("https://passport.yandex.ru/registration-validations/auth/multi_step/start",
                                data={**auth_payload, "login": login}).json()
       
        auth_payload["track_id"] = resp["track_id"]
        #self.session

        reesp=self.session.post("https://passport.yandex.ru/registration-validations/auth/multi_step/commit_password",
                          {**auth_payload, "password": password,
                          'retpath': "https://passport.yandex.ru/am/finish?status=ok&from=Login"})


Thanks for any upcoming advices!

[Nikitkam]

I have looked trough the topics and Im understanding that I need to parse cookie parameters to next step of http reuqest.
My set-cookie headers for the firs request:

yandexuid=523593141674111623; Max-Age=315360000; Domain=.yandex.ru; Path=/; Expires=Sun, 16 Jan 2033 07:00:23 GMT; Secure, uniqueuid=283273561674111623; Max-Age=315360000; Path=/; Expires=Sun, 16 Jan 2033 07:00:23 GMT; HttpOnly; Secure; SameSite=Lax, lah=; Domain=.passport.yandex.ru; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Secure; HttpOnly; Path=/

[admin]

Try this:

Code:

cookies = '...'
cookies = cookies:gsub('Expires=%w+, ', 'Expires=')
cookies = cookies:split(', ')

for i, cookie in ipairs(cookies) do
  cookies[i] = cookie:split(';')[1]
end

cookies = table.concat(cookies, '; ')

Using script that simulates user interaction with a login page is not a stable solution. The page format and parameters can change at any time and the script will stop working.

[Nikitkam]

Try this:

Code:

cookies = '...'
cookies = cookies:gsub('Expires=%w+, ', 'Expires=')
cookies = cookies:split(', ')

for i, cookie in ipairs(cookies) do
  cookies[i] = cookie:split(';')[1]
end

cookies = table.concat(cookies, '; ')

Using script that simulates user interaction with a login page is not a stable solution. The page format and parameters can change at any time and the script will stop working.

Hi thanks, i need to push this cookies in pos request as cookie property?

[admin]

Yes, you need to set the respective header:

Code:

headers =
  {
    Cookie = cookies,
    ...

There are some other issues with your script:
1. csrf token extraction does not skip the double quotes, it should be like this:

Code:

local csrf_token = string.sub(response,j+1,k-1)

2. request should be done using "application/x-www-form-urlencoded" content type. Data should be encoded using this format, not JSON. See encodepost function here: https://forum.logicmachine.net/showthrea...1#pid27711

[Nikitkam]

Yes, you need to set the respective header:

Code:

headers =
  {
    Cookie = cookies,
    ...

There are some other issues with your script:
1. csrf token extraction does not skip the double quotes, it should be like this:

Code:

local csrf_token = string.sub(response,j+1,k-1)

2. request should be done using "application/x-www-form-urlencoded" content type. Data should be encoded using this format, not JSON. See encodepost function here: https://forum.logicmachine.net/showthrea...1#pid27711

Thanks for your help. I have succeed in the task.