Mobile api testing

Author: harryzawg

Roblox/Roblox.Website/Controllers/Internal/BypassController.cs

@@ -48,108 +48,7 @@ namespace Roblox.Website.Controllers
     [MVC.ApiController]
     [MVC.Route("/")]
     public class BypassController : ControllerBase
-    {
-		[HttpGetBypass("/mobileapi/check-app-version")]
-        [HttpPostBypass("/mobileapi/check-app-version")]
-		public MVC.IActionResult MobileCheckAppVer()
-		{
-			return Ok(new
-			{
-				data = new
-				{
-					UpgradeAction = "None"
-				}
-			});
-		}
-		[HttpGetBypass("/device/initialize")]
-        [HttpPostBypass("/device/initialize")]
-        public MVC.IActionResult InitDevice()
-        {
-            return Ok(new
-            {
-                browserTrackerId = 1234567890,
-                appDeviceIdentifier = (string?)null,
-            });
-        }
-        [HttpGetBypass("v2/get-rollout-settings")]
-        public dynamic ChatRollout(string featureNames)
-        {
-            return new
-            {
-                rolloutFeatures = new[]
-                {
-                    new
-                    {
-                        featureName = featureNames,
-                        isRolloutEnabled = true
-                    }
-                }
-            };
-        }
-		[HttpGetBypass("sponsoredpage/list-json")]
-        [HttpGetBypass("mobile-ads/v1/get-ad-details")]
-        [HttpGetBypass("incoming-items/counts")]
-        public dynamic IncomingItems()
-        {
-            return new
-            {
-                success = true
-            };
-        }
-
-		[HttpPostBypass("v1/logout")]
-        [HttpGetBypass("sign-out/v1")]
-        [HttpPostBypass("sign-out/v1")]
-        [HttpGetBypass("game/logout.aspx")]
-        public void Logoutv1w()
-        {
-            using var sessCache = Roblox.Services.ServiceProvider.GetOrCreate<UserSessionsCache>();
-            sessCache.Remove(safeUserSession.sessionId);
-            HttpContext.Response.Cookies.Delete(Middleware.SessionMiddleware.CookieName);
-        }
-		[HttpGetBypass("client/pbe")]
-        [HttpPostBypass("client/pbe")]
-        [HttpGetBypass("mobile/pbe")]
-        public MVC.IActionResult PBE()
-        {
-            return Ok();
-        }
-
-        [HttpGetBypass("v1/enrollments")]
-        [HttpPostBypass("v1/enrollments")]
-        public dynamic Enrollments()
-        {
-            return new
-            {
-                data = new[]
-                {
-                    new
-                    {
-                        SubjectType = "BrowserTracker",
-                        SubjectTargetId = 63713166375,
-                        ExperimentName = "AllUsers.DevelopSplashScreen.GreenStartCreatingButton",
-                        Status = "Inactive",
-                        Variation = (string?)null
-                    }
-                }
-            };
-        }
-
-        [HttpGetBypass("v1/get-enrollments")]
-        [HttpPostBypass("v1/get-enrollments")]
-        public dynamic GetEnrollments()
-        {
-            return Array.Empty<object>();
-        }
-        
-        // implemented cuz client likes to spam this so this might improve network performance?
-        [HttpGetBypass("pe")]
-        [HttpPostBypass("pe")]
-        public dynamic GetPe() 
-        {
-            return Array.Empty<object>();
-        }
-		
+    {	
 		[HttpGet("logout")]
         public MVC.IActionResult Logout()
         {

Roblox/Roblox.Website/Controllers/Internal/Other/Mobile.cs

@@ -0,0 +1,160 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Net.Http;
+using System.Net.Http.Json;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using System.Net;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Newtonsoft.Json;
+using Roblox.Exceptions;
+using Roblox.Logging;
+using Roblox.Models.Users;
+using Roblox.Services;
+using Roblox.Services.App.FeatureFlags;
+using Roblox.Website.Middleware;
+using BadRequestException = Roblox.Exceptions.BadRequestException;
+using MVC = Microsoft.AspNetCore.Mvc;
+using Roblox.Services.Exceptions;
+using Roblox.Website.WebsiteModels.Discord;
+using Npgsql;
+using Dapper;
+using Roblox.Dto.Users;
+
+
+namespace Roblox.Website.Controllers 
+{
+    [MVC.ApiController]
+    [MVC.Route("/")]
+    public class MobileShitTesting : ControllerBase 
+    {
+		[HttpGetBypass("/mobileapi/check-app-version")]
+        [HttpPostBypass("/mobileapi/check-app-version")]
+		public MVC.IActionResult MobileCheckAppVer()
+		{
+			return Ok(new
+			{
+				data = new
+				{
+					UpgradeAction = "None"
+				}
+			});
+		}
+		
+		[HttpGetBypass("/device/initialize")]
+        [HttpPostBypass("/device/initialize")]
+        public MVC.IActionResult InitDevice()
+        {
+            return Ok(new
+            {
+                browserTrackerId = 1,
+                appDeviceIdentifier = (string?)null,
+            });
+        }
+		
+		private async Task RateLimitCheck()
+		{
+			var loginKey = "LoginAttemptCountV1:" + GetIP();
+			var attemptCount = (await services.cooldown.GetBucketDataForKey(loginKey, TimeSpan.FromMinutes(10))).ToArray();
+
+			if (!await services.cooldown.TryIncrementBucketCooldown(loginKey, 15, TimeSpan.FromMinutes(10), attemptCount, true))
+			{
+				throw new ForbiddenException(15, "Too many attempts, please wait about 10 minutes before retrying!");
+			}
+		}
+		
+		public class MobileLoginReq
+		{
+			public string username { get; set; }
+			public string password { get; set; }
+		}
+		
+		[HttpPostBypass("mobileapi/login")]
+        public async Task<dynamic> MobileLogin([FromBody] MobileLoginReq request)
+        {
+            FeatureFlags.FeatureCheck(FeatureFlag.LoginEnabled);
+            await RateLimitCheck();
+
+            if (string.IsNullOrEmpty(request.username) || string.IsNullOrEmpty(request.password))
+                throw new BadRequestException(3, "Username and Password are required. Please try again.");
+
+            UserInfo userInfo;
+            try
+            {
+                userInfo = await services.users.GetUserByName(request.username);
+            }
+            catch (RecordNotFoundException)
+            {
+                throw new ForbiddenException(1, "Incorrect username or password. Please try again.");
+            }
+
+            if(await Login(request.username, request.password, userInfo.userId))
+                await CreateSessionAndSetCookie(userInfo.userId);
+
+            var userBalance = await services.economy.GetUserBalance(userInfo.userId);
+
+            return new
+            {
+                Status = "OK",
+                UserInfo = new
+                {
+                    UserName = request.username,
+                    RobuxBalance = userBalance.robux,
+                    TicketsBalance = userBalance.tickets,
+                    IsAnyBuildersClubMember = true,
+                    ThumbnailUrl = $"{Configuration.BaseUrl}/Thumbs/Avatar.ashx?userId={userInfo.userId}",
+                    UserID = userInfo.userId
+                }
+            };
+        }
+		
+		private async Task<bool> Login(string username, string password, long userId)
+		{
+			try
+			{
+				FeatureFlags.FeatureCheck(FeatureFlag.LoginEnabled);
+			}
+			catch (RobloxException)
+			{
+				throw new RobloxException(503, 0, "Login is currently disabled. Please try again later.");
+			}
+			await RateLimitCheck();
+			try
+			{
+				if (!await services.users.VerifyPassword(userId, password))
+					throw new ForbiddenException(1, "Incorrect username or password. Please try again");
+			}
+			catch (RecordNotFoundException)
+			{
+				throw new ForbiddenException(4, "Your account has been locked. Please reset your password to unlock your account.");
+			}
+
+			return true;
+		}
+		
+		private async Task<string> CreateSessionAndSetCookie(long userId)
+		{
+			var sessionCookie = Middleware.SessionMiddleware.CreateJwt(new Middleware.JwtEntry()
+			{
+				sessionId = await services.users.CreateSession(userId),
+				createdAt = DateTimeOffset.Now.ToUnixTimeSeconds(),
+			});
+
+			HttpContext.Response.Cookies.Append(Middleware.SessionMiddleware.CookieName, sessionCookie, new CookieOptions()
+			{
+				Domain = ".{Configuration.BaseUrl}",
+				Secure = false,
+				Expires = DateTimeOffset.Now.Add(TimeSpan.FromDays(364)),
+				IsEssential = true,
+				Path = "/",
+				SameSite = SameSiteMode.Lax,
+			});
+			return sessionCookie;
+		}
+	}
+}	

Roblox/Roblox.Website/Controllers/Internal/Other/Studio.cs

@@ -39,7 +39,7 @@ private async Task RateLimitCheck()
 
 			if (!await services.cooldown.TryIncrementBucketCooldown(loginKey, 15, TimeSpan.FromMinutes(10), attemptCount, true))
 			{
-				throw new ForbiddenException(15, "Too many attempts please wait 10 minutes before trying again.");
+				throw new ForbiddenException(15, "Too many attempts, please wait about 10 minutes before retrying!");
 			}
 		}
 
@@ -157,51 +157,6 @@ public async Task<dynamic> LoginV2()
 			};
 		}
 
-		public class MobileLoginReq
-		{
-			public string username { get; set; }
-			public string password { get; set; }
-		}
-		
-		[HttpPostBypass("mobileapi/login")]
-        public async Task<dynamic> MobileLogin([FromBody] MobileLoginReq request)
-        {
-            FeatureFlags.FeatureCheck(FeatureFlag.LoginEnabled);
-            await RateLimitCheck();
-
-            if (string.IsNullOrEmpty(request.username) || string.IsNullOrEmpty(request.password))
-                throw new BadRequestException(3, "Username and Password are required. Please try again.");
-
-            UserInfo userInfo;
-            try
-            {
-                userInfo = await services.users.GetUserByName(request.username);
-            }
-            catch (RecordNotFoundException)
-            {
-                throw new ForbiddenException(1, "Incorrect username or password. Please try again.");
-            }
-
-            if(await Login(request.username, request.password, userInfo.userId))
-                await CreateSessionAndSetCookie(userInfo.userId);
-
-            var userBalance = await services.economy.GetUserBalance(userInfo.userId);
-
-            return new
-            {
-                Status = "OK",
-                UserInfo = new
-                {
-                    UserName = request.username,
-                    RobuxBalance = userBalance.robux,
-                    TicketsBalance = userBalance.tickets,
-                    IsAnyBuildersClubMember = true,
-                    ThumbnailUrl = $"{Configuration.BaseUrl}/Thumbs/Avatar.ashx?userId={userInfo.userId}",
-                    UserID = userInfo.userId
-                }
-            };
-        }
-		
 		private async Task<bool> Login(string username, string password, long userId)
 		{
 			try