From e756c890417bfe49f2690c6d505bb8611cd9795c Mon Sep 17 00:00:00 2001
From: Wingy <git@wingysam.xyz>
Date: Mon, 7 Aug 2023 16:33:57 -0400
Subject: [PATCH] Fix Remodel shim uploads (#5)

---
 modules/remodel.luau                 | 44 +++++++++++++-------------
 pages/roblox/3-remodel-migration.mdx | 46 +++++++++++++++-------------
 2 files changed, 47 insertions(+), 43 deletions(-)

diff --git a/modules/remodel.luau b/modules/remodel.luau
index 81830d9..0f9c510 100644
--- a/modules/remodel.luau
+++ b/modules/remodel.luau
@@ -125,38 +125,40 @@ local function uploadAssetId(assetId: number, contents: string)
 	-- 1. Try to find the auth cookie for the current user
 	local cookie = getAuthCookieWithFallbacks()
 
-	-- 2. Create request headers in advance, we might re-use them for CSRF challenges
-	local headers = {
+	-- 2. Use a different endpoint to fetch a valid CSRF token
+	local csrfHeaders = {
 		["User-Agent"] = "Roblox/WinInet",
-		["Content-Type"] = "application/octet-stream",
 		Accept = "application/json",
 		Cookie = cookie,
 	}
 
-	-- 3. Create and send a request to the upload url
+	local csrfResponse = net.request({
+		url = `https://auth.roblox.com/`,
+		body = contents,
+		method = "POST",
+		headers = csrfHeaders,
+	})
+
+	local csrfToken = csrfResponse.headers["x-csrf-token"]
+	if csrfToken == nil then error('Failed to fetch CSRF token.') end
+
+	-- 3. Upload the asset to Roblox
+	local uploadHeaders = {
+		["User-Agent"] = "Roblox/WinInet",
+		["Content-Type"] = "application/octet-stream",
+		['X-CSRF-Token'] = csrfToken,
+		Accept = "application/json",
+		Cookie = cookie,
+	}
+
 	local uploadResponse = net.request({
 		url = `https://data.roblox.com/Data/Upload.ashx?assetid={assetId}`,
 		body = contents,
 		method = "POST",
-		headers = headers,
+		headers = uploadHeaders,
 	})
 
-	-- 4. Check if we got a valid response, we might have gotten a CSRF
-	--    challenge and need to send the request with a token included
-	if
-		not uploadResponse.ok
-		and uploadResponse.statusCode == 403
-		and uploadResponse.headers["x-csrf-token"] ~= nil
-	then
-		headers["X-CSRF-Token"] = uploadResponse.headers["x-csrf-token"]
-		uploadResponse = net.request({
-			url = `https://data.roblox.com/Data/Upload.ashx?assetid={assetId}`,
-			body = contents,
-			method = "POST",
-			headers = headers,
-		})
-	end
-
+	-- 4. Make sure it uploaded properly
 	if not uploadResponse.ok then
 		error(
 			string.format(
diff --git a/pages/roblox/3-remodel-migration.mdx b/pages/roblox/3-remodel-migration.mdx
index 189f150..6d24e6a 100644
--- a/pages/roblox/3-remodel-migration.mdx
+++ b/pages/roblox/3-remodel-migration.mdx
@@ -26,9 +26,9 @@ Copy the source below and place it in a file named `remodel.luau`:
 
 local fs = require("@lune/fs")
 local net = require("@lune/net")
+local serde = require("@lune/serde")
 local process = require("@lune/process")
 local roblox = require("@lune/roblox")
-local serde = require("@lune/serde")
 
 export type LuneDataModel = roblox.DataModel
 export type LuneInstance = roblox.Instance
@@ -149,38 +149,40 @@ local function uploadAssetId(assetId: number, contents: string)
 	-- 1. Try to find the auth cookie for the current user
 	local cookie = getAuthCookieWithFallbacks()
 
-	-- 2. Create request headers in advance, we might re-use them for CSRF challenges
-	local headers = {
+	-- 2. Use a different endpoint to fetch a valid CSRF token
+	local csrfHeaders = {
 		["User-Agent"] = "Roblox/WinInet",
-		["Content-Type"] = "application/octet-stream",
 		Accept = "application/json",
 		Cookie = cookie,
 	}
 
-	-- 3. Create and send a request to the upload url
+	local csrfResponse = net.request({
+		url = `https://auth.roblox.com/`,
+		body = contents,
+		method = "POST",
+		headers = csrfHeaders,
+	})
+
+	local csrfToken = csrfResponse.headers["x-csrf-token"]
+	if csrfToken == nil then error('Failed to fetch CSRF token.') end
+
+	-- 3. Upload the asset to Roblox
+	local uploadHeaders = {
+		["User-Agent"] = "Roblox/WinInet",
+		["Content-Type"] = "application/octet-stream",
+		['X-CSRF-Token'] = csrfToken,
+		Accept = "application/json",
+		Cookie = cookie,
+	}
+
 	local uploadResponse = net.request({
 		url = `https://data.roblox.com/Data/Upload.ashx?assetid={assetId}`,
 		body = contents,
 		method = "POST",
-		headers = headers,
+		headers = uploadHeaders,
 	})
 
-	-- 4. Check if we got a valid response, we might have gotten a CSRF
-	--    challenge and need to send the request with a token included
-	if
-		not uploadResponse.ok
-		and uploadResponse.statusCode == 403
-		and uploadResponse.headers["x-csrf-token"] ~= nil
-	then
-		headers["X-CSRF-Token"] = uploadResponse.headers["x-csrf-token"]
-		uploadResponse = net.request({
-			url = `https://data.roblox.com/Data/Upload.ashx?assetid={assetId}`,
-			body = contents,
-			method = "POST",
-			headers = headers,
-		})
-	end
-
+	-- 4. Make sure it uploaded properly
 	if not uploadResponse.ok then
 		error(
 			string.format(