API交互中PHP cURL获取X-CSRF-TOKEN的策略与Python对比

import requests

# 警告：请勿分享此Cookie，分享将导致账户被盗！
cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|..."

session = requests.Session()
# 设置会话Cookie
session.cookies[".ROBLOSECURITY"] = cookie

# 向授权端点发送POST请求
req = session.post(url="https://auth.roblox.com/")

# 检查并获取X-CSRF-Token
if "X-CSRF-Token" in req.headers:
    session.headers["X-CSRF-Token"] = req.headers["X-CSRF-Token"]
    print("X-CSRF-Token successfully obtained:", session.headers["X-CSRF-Token"])
else:
    print("X-CSRF-Token not found in response headers.")

# 打印响应头以供调试
print("\nPython Response Headers:")
print(req.headers)

{'content-type': 'application/json; charset=utf-8', 'date': '...', 'server': 'Kestrel', 'access-control-expose-headers': 'X-CSRF-TOKEN', 'cache-control': 'no-cache', 'transfer-encoding': 'chunked', 'x-csrf-token': 'the_actual_token_value', ...}

<?php

$curl = curl_init();
$authapi = "https://auth.roblox.com/";
// 警告：请勿分享此Cookie，分享将导致账户被盗！
$authcookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|...";

curl_setopt($curl, CURLOPT_URL, $authapi);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // 返回传输结果作为字符串
curl_setopt($curl, CURLOPT_HEADER, true);       // 包含响应头在输出中

// 尝试通过HTTPHEADER设置Cookie，并设置Content-Type
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
    "Content-Type: application/json",
    'Cookie: .ROBLOSECURITY=' . $authcookie
));

// 注意：这里没有明确设置CURLOPT_POST为true，默认可能为GET
// CURLOPT_NOBODY设置为0，表示请求体不为空，但并非明确的POST请求
curl_setopt($curl, CURLOPT_NOBODY, 0); // 错误理解：此选项通常用于HEAD请求，获取头部信息而不获取正文

$response = curl_exec($curl);
$header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
$body = substr($response, $header_size);

echo "PHP cURL Initial Attempt Response:\n";
echo $response;
curl_close($curl);

?>

HTTP/1.1 200 OK
content-length: 16
content-type: application/json; charset=utf-8
date: Tue, 12 Dec 2023 16:13:33 GMT
server: Kestrel
cache-control: no-cache
strict-transport-security: max-age=3600
x-frame-options: SAMEORIGIN
roblox-machine-id: ...
x-roblox-region: ...
x-roblox-edge: ...
report-to: ...
nel: ...

{"message":"OK"}

<?php

$authapi = "https://auth.roblox.com/";
// 警告：请勿分享此Cookie，分享将导致账户被盗！
$authcookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|...";

$curl = curl_init($authapi);

curl_setopt_array($curl, [
    CURLOPT_RETURNTRANSFER => true, // 返回传输结果作为字符串
    CURLOPT_HEADER => true,       // 包含响应头在输出中
    CURLOPT_COOKIE => ".ROBLOSECURITY=$authcookie", // 正确设置Cookie
    CURLOPT_POST => true,         // 明确指定为POST请求
    // 可以选择添加Content-Type，但对于此特定API可能不是必需的，因为没有请求体
    // CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
]);

$response = curl_exec($curl);

if (curl_errno($curl)) {
    echo 'cURL Error: ' . curl_error($curl);
} else {
    $header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
    $headers_raw = substr($response, 0, $header_size);
    $body = substr($response, $header_size);

    echo "PHP cURL Corrected Response:\n";
    echo $headers_raw; // 打印原始头部信息
    echo "\nBody: " . $body . "\n";

    // 解析头部以检查X-CSRF-Token
    $headers_array = [];
    foreach (explode("\r\n", $headers_raw) as $i => $line) {
        if ($i === 0) {
            $headers_array['http_code'] = $line;
        } else {
            $parts = explode(': ', $line, 2);
            if (isset($parts[1])) {
                $headers_array[strtolower($parts[0])] = $parts[1];
            }
        }
    }

    if (isset($headers_array['x-csrf-token'])) {
        echo "\nX-CSRF-Token successfully obtained: " . $headers_array['x-csrf-token'] . "\n";
    } else {
        echo "\nX-CSRF-Token not found in response headers.\n";
    }
}

curl_close($curl);

?>