From a09b6e34a37c0e102ffbd3a814b35db21aed6619 Mon Sep 17 00:00:00 2001
From: itzaname <me@sliving.io>
Date: Wed, 17 Mar 2021 08:46:02 -0400
Subject: [PATCH] csrf token

---
 asset.go | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/asset.go b/asset.go
index fd5e1ff..9990075 100644
--- a/asset.go
+++ b/asset.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 )
 
 type AssetUploadOptions struct {
@@ -57,10 +58,8 @@ func (s *Session) CreateAsset(options *AssetUploadOptions, f io.Reader) (AssetUp
 
 	endpoint.RawQuery = query.Encode()
 
-	req, err := http.NewRequest("POST", endpoint.String(), f)
-	req.Header.Set("user-agent", "Roblox/WinInet")
-	req.Header.Set("content-type", "application/xml")
-	req.Header.Set("accept", "application/json")
+	req, err := http.NewRequest("POST", endpoint.String(), nil)
+	req.Header.Set("user-agent", "Roblox")
 
 	// Perform request
 	resp, err := s.client.Do(req)
@@ -69,6 +68,18 @@ func (s *Session) CreateAsset(options *AssetUploadOptions, f io.Reader) (AssetUp
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode == 403 && resp.Header.Get("X-Csrf-Token") != "" {
+		req, err := http.NewRequest("POST", endpoint.String(), f)
+		req.Header.Set("user-agent", "Roblox")
+		req.Header.Set("x-csrf-token", strings.Trim(resp.Header["X-Csrf-Token"][0], " "))
+		// Perform request
+		resp, err = s.client.Do(req)
+		if err != nil {
+			return aresp, err
+		}
+		defer resp.Body.Close()
+	}
+
 	if resp.StatusCode != 200 {
 		return aresp, fmt.Errorf(resp.Status)
 	}