feat(rbx_auth): check csrf token per request

mantle/mantle/src/commands/import.rs

@@ -1,5 +1,7 @@
+use std::sync::Arc;
+
 use rbx_api::{models::AssetId, RobloxApi};
-use rbx_auth::RobloxAuth;
+use rbx_auth::{RobloxCookieStore, RobloxCsrfTokenStore};
 use yansi::Paint;
 
 use rbx_mantle::{
@@ -54,14 +56,15 @@ pub async fn run(project: Option<&str>, environment: Option<&str>, target_id: &s
     };
 
     logger::start_action("Import target:");
-    let roblox_auth = match RobloxAuth::new().await {
-        Ok(v) => v,
+    let cookie_store = match RobloxCookieStore::new() {
+        Ok(v) => Arc::new(v),
         Err(e) => {
             logger::end_action(Paint::red(e));
             return 1;
         }
     };
-    let roblox_api = match RobloxApi::new(roblox_auth) {
+    let csrf_token_store = RobloxCsrfTokenStore::new();
+    let roblox_api = match RobloxApi::new(cookie_store, csrf_token_store) {
         Ok(v) => v,
         Err(e) => {
             logger::end_action(Paint::red(e));

mantle/project-fixtures/light/mantle.yml

@@ -13,6 +13,14 @@ target:
           name: Lightweight Mantle Test
           serverFill:
             reservedSlots: 4
+    badges:
+      myBadge:
+        name: Badge
+        icon: assets/badge-2.png
+    assets:
+      - assets/*
+    thumbnails:
+      - assets/badge-2.png
 
 state:
   remote:

mantle/rbx_api/src/asset_aliases/mod.rs

@@ -18,18 +18,23 @@ impl RobloxApi {
         asset_id: AssetId,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
-            .header(header::CONTENT_LENGTH, 0)
-            .query(&[
-                ("universeId", experience_id.to_string().as_str()),
-                ("name", name.as_str()),
-                ("type", "1"),
-                ("targetId", asset_id.to_string().as_str()),
-            ]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/create-alias")
+                    .header(header::CONTENT_LENGTH, 0)
+                    .query(&[
+                        ("universeId", experience_id.to_string().as_str()),
+                        ("name", name.as_str()),
+                        ("type", "1"),
+                        ("targetId", asset_id.to_string().as_str()),
+                    ]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -41,18 +46,23 @@ impl RobloxApi {
         previous_name: String,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
-            .query(&[
-                ("universeId", experience_id.to_string().as_str()),
-                ("oldName", previous_name.as_str()),
-                ("name", name.as_str()),
-                ("type", "1"),
-                ("targetId", asset_id.to_string().as_str()),
-            ]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/update-alias")
+                    .query(&[
+                        ("universeId", experience_id.to_string().as_str()),
+                        ("oldName", previous_name.as_str()),
+                        ("name", name.as_str()),
+                        ("type", "1"),
+                        ("targetId", asset_id.to_string().as_str()),
+                    ]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -62,13 +72,18 @@ impl RobloxApi {
         experience_id: AssetId,
         name: String,
     ) -> RobloxApiResult<()> {
-        let req = self
-            .client
-            .post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
-            .header(header::CONTENT_LENGTH, 0)
-            .query(&[("universeId", &experience_id.to_string()), ("name", &name)]);
-
-        handle(req).await?;
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .post("https://apis.roblox.com/content-aliases-api/v1/universes/delete-alias")
+                    .header(header::CONTENT_LENGTH, 0)
+                    .query(&[("universeId", &experience_id.to_string()), ("name", &name)]))
+            })
+            .await;
+
+        handle(res).await?;
 
         Ok(())
     }
@@ -78,15 +93,20 @@ impl RobloxApi {
         experience_id: AssetId,
         page: u32,
     ) -> RobloxApiResult<ListAssetAliasesResponse> {
-        let req = self
-            .client
-            .get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
-            .query(&[
-                ("universeId", &experience_id.to_string()),
-                ("page", &page.to_string()),
-            ]);
-
-        handle_as_json(req).await
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .get("https://apis.roblox.com/content-aliases-api/v1/universes/get-aliases")
+                    .query(&[
+                        ("universeId", &experience_id.to_string()),
+                        ("page", &page.to_string()),
+                    ]))
+            })
+            .await;
+
+        handle_as_json(res).await
     }
 
     pub async fn get_all_asset_aliases(

mantle/rbx_api/src/asset_permissions/mod.rs

@@ -11,17 +11,22 @@ impl RobloxApi {
         request: R,
     ) -> RobloxApiResult<()>
     where
-        R: Into<GrantAssetPermissionsRequest>,
+        R: Into<GrantAssetPermissionsRequest> + Clone,
     {
-        let req = self
-            .client
-            .patch(format!(
-                "https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
-                asset_id
-            ))
-            .json(&request.into());
+        let res = self
+            .csrf_token_store
+            .send_request(|| async {
+                Ok(self
+                    .client
+                    .patch(format!(
+                        "https://apis.roblox.com/asset-permissions-api/v1/assets/{}/permissions",
+                        asset_id
+                    ))
+                    .json(&request.clone().into()))
+            })
+            .await;
 
-        handle(req).await?;
+        handle(res).await?;
 
         Ok(())
     }

mantle/rbx_api/src/asset_permissions/models.rs

@@ -2,26 +2,26 @@ use serde::Serialize;
 
 use crate::models::AssetId;
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct GrantAssetPermissionsRequest {
     pub requests: Vec<GrantAssetPermissionsRequestRequest>,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct GrantAssetPermissionsRequestRequest {
     pub subject_type: GrantAssetPermissionRequestSubjectType,
     pub subject_id: AssetId,
     pub action: GrantAssetPermissionRequestAction,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 pub enum GrantAssetPermissionRequestSubjectType {
     Universe,
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 pub enum GrantAssetPermissionRequestAction {
     Use,
 }