I'm trying to automate a login on a popular website. This website uses Discord OAuth.

I have gotten to the stage where I have monitored the requests being made to Discord (which contain the site's call-back URL).

However, the issue I am facing is that Discord's authorize button doesn't return the OAuth code via requests. Instead, when the button is clicked, there is some obfuscated JS file which redirects the user to the OAuth call-back URL with a generated code.

Unfortunately, I do not know of a way to get this code since it cannot be monitored in the network tab.

Is there a way I can get around this? For example, initializing the JS file (simulating that I clicked the authorize button in some way or another)?

I know I could use Selenium, but Selenium isn't great for performance, and websites constantly change their UI. API endpoints are a much better way of doing it.

I'm using the Python httpx module.

An example login URL for this is: https://discord.com/oauth2/authorize?client_id=896549597550358548&redirect_uri=https://www.monkeebot.xyz/oauth/discord&response_type=code&scope=identify%20guilds

When you click authorize, it sends you via a callback URL to the site in question. The goal is to automate logging in via this link by using Python requests only.

jaal kamza
  • You don't need the JS code - just the parameters and GET/POST done to the URL by the JS code. Try capturing with a proxy like Fiddler and you should see it. Also, it will be helpful if you can provide a login URL for us to try. – Deepak Garud Aug 02 '22 at 13:14
  • Hey @DeepakGarud Unfortunately the parameters in the GET/POST request are generated client-side (I think) by the JS when you click the `authorize` button when signing in with Discord OAuth. So, without getting this parameter I cannot fake a request. An example website that this can be used on is any website that uses Discord OAuth. `https://discord.com/oauth2/authorize?client_id=896549597550358548&redirect_uri=https://www.monkeebot.xyz/oauth/discord&response_type=code&scope=identify%20guilds` – jaal kamza Aug 02 '22 at 20:02
  • https://stackoverflow.com/a/61140905/3233388 – Adelin Aug 05 '22 at 01:21
  • Hey @Adelin Thanks for the response. But unfortunately the `code` is generated when the user clicks `authorize`. The issue I'm having is obtaining the code which is generated when the authorize button is pressed. Monitoring the requests doesn't exactly help in this case because the code is unique; it changes every time you click `authorize`. And I cannot simulate page clicks using requests. There may be another way around it, but I'm unsure of what this is. – jaal kamza Aug 05 '22 at 01:42
  • What about catching csrf token and other stuff with similar approach to this: https://stackoverflow.com/questions/49012091/aws-cognito-authorization-code-grant-flow-without-using-the-hosted-ui? – JFCorleone Aug 06 '22 at 08:56
  • Are you sure you can't track it in the Network tab of DevTools when using `Preserve log` option? – AlexApps99 Aug 07 '22 at 22:28
  • It will be interesting if you can do this without using a full browser automation. I would suggest using Selenium, https://pypi.org/project/selenium/ – kristianp Aug 07 '22 at 23:25
  • @AlexApps99 Unless I've missed something, then yes I'm sure. – jaal kamza Aug 07 '22 at 23:31
  • I can give you the code to generate {"location": "https://www.monkeebot.xyz/oauth/discord?code=7R5oOGKOXU5S0AWEXo2PojXegJSaYm"}. Would that be OK? This code is different every time you hit the authorize button – Sachin Salve Aug 11 '22 at 20:11

1 Answer

I have already done something similar. The OAuth method works by generating a link that, if accessed by the client, gives him a unique login to the service, so you can just create a requests session that accesses that specific link. How to get that link? First of all, you need the direct call to the Discord API (this format: https://discord.com/api/v9/oauth2/authorize?client_id=XXXXXXXXXXXXXXX); you will find it when inspecting the network of a real successful login. The rest should look similar to this:

```python
import json

import requests

# Base browser-like headers; generate_code() builds its own full set below.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/json",
}


def generate_code():
    # Direct API call, copied from the network log of a real successful login.
    url = "https://discord.com/api/v9/oauth2/authorize?client_id=XXXXXXXXXXXXXXX"
    payload = json.dumps({"permissions": "0", "authorize": True})
    # Every XXXX value is a placeholder for what the logged-in browser sent.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/json",
        "Authorization": "XXXXXXXXXXXXXXXXXXXXXXXX",
        "X-Super-Properties": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
        "X-Discord-Locale": "en-US",
        "X-Debug-Options": "bugReporterEnabled",
        "Alt-Used": "discord.com",
        "Cookie": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    }

    response = requests.request("POST", url, headers=headers, data=payload)

    # Decoded JSON body of the authorize response.
    return response.json()
```
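
The answer stops at `response.json()`. As an added example (not part of the original answer), the sketch below pulls the one-time code out of a `{"location": ...}` body of the shape quoted in the comments, and refuses it unless the redirect points at the `redirect_uri` that was requested. The function name, the exception class and all sample URLs and values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (placeholders, not captured from a real login).
SAMPLE_AUTHORIZE_URL = (
    "https://discord.com/oauth2/authorize?client_id=000000000000000000"
    "&redirect_uri=https://app.example/oauth/discord"
    "&response_type=code&scope=identify%20guilds"
)
SAMPLE_BODY = {"location": "https://app.example/oauth/discord?code=CONSTRUCTED-CODE-123"}


class AuthorizeError(Exception):
    """The authorize response carried an error or cannot be trusted."""


def extract_code(body, authorize_url):
    """Return the one-time code from a decoded authorize response body."""
    sent = parse_qs(urlsplit(authorize_url).query)
    if "redirect_uri" not in sent:
        raise AuthorizeError("authorize URL has no redirect_uri")
    expected = urlsplit(sent["redirect_uri"][0])

    location = body.get("location")
    if not location:
        raise AuthorizeError(f"no location in response: {body!r}")
    got = urlsplit(location)

    # The code must only ever be delivered to the requested callback.
    if (got.scheme, got.netloc, got.path) != (expected.scheme, expected.netloc, expected.path):
        raise AuthorizeError(f"unexpected redirect target: {got.netloc}{got.path}")

    params = parse_qs(got.query)
    if "error" in params:  # error redirect, e.g. error=access_denied
        raise AuthorizeError(params["error"][0])

    # If a state value was sent, the callback must echo it unchanged.
    if "state" in sent and params.get("state") != sent["state"]:
        raise AuthorizeError("state mismatch")

    codes = params.get("code", [])
    if len(codes) != 1:
        raise AuthorizeError("expected exactly one code parameter")
    return codes[0]
```
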