CSRF challenge

src/main.rs

@@ -117,8 +117,9 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
 		let owner=&owner;
 		async move{
 			let mut url=reqwest::Url::parse("https://data.roblox.com/Data/Upload.ashx?json=1&type=Model&genreTypeId=1")?;
+			//url borrow scope
 			{
-				let mut query=url.query_pairs_mut();
+				let mut query=url.query_pairs_mut();//borrow here
 				query.append_pair("assetid",asset_id.to_string().as_str());
 				match owner{
 					Owner::Group(group_id)=>{query.append_pair("groupId",group_id.to_string().as_str());},
@@ -126,10 +127,25 @@ async fn upload_list(cookie:String,owner:Owner,asset_id_file_map:AssetIDFileMap)
 				}
 			}
 			
-			let resp=client.post(url)
+			let body=tokio::fs::read_to_string(file).await?;
+			let mut resp=client.post(url.clone())
 			.header("Cookie",cookie)
-			.body(tokio::fs::read_to_string(file).await?)
+			.body(body.clone())
 			.send().await?;
+
+			//This is called a CSRF challenge apparently
+			if resp.status()==reqwest::StatusCode::FORBIDDEN{
+				if let Some(csrf_token)=resp.headers().get("X-CSRF-Token"){
+					resp=client.post(url)
+					.header("X-CSRF-Token",csrf_token)
+					.header("Cookie",cookie)
+					.body(body)
+					.send().await?;
+				}else{
+					return Err(anyhow::Error::msg("Roblox returned 403 with no CSRF"));
+				}
+			}
+
 			Ok((asset_id,resp.bytes().await?))
 		}
 	})