From 5ac9cdb103519ac320c867f5f3f2f5e008283f90 Mon Sep 17 00:00:00 2001
From: Aaron Manning
Date: Sun, 17 Nov 2024 15:55:18 +1100
Subject: [PATCH] fix duplicate csrf value bug letterboxd appears to now send multiple csrf set-cookie headers one of which is empty. this means that we are now required to check both of these to make sure we grab the correct one.
---
src/main.rs | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index b1767be..9d92b83 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -38,26 +38,28 @@ fn main() -> anyhow::Result<()> { let args : Args = clap::Parser::parse(); let client = reqwest::blocking::ClientBuilder::new() - // CSRF cookies and login cookies must be passed between requests for authentication to - // succeed + // CSRF cookies and login cookies must be passed between requests for + // authentication to succeed .cookie_store(true) .build()?; let home_response = client.get("https://letterboxd.com") + .header("user-agent", "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0") + .header("accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8") .send()?; let home_cookies = home_response.headers() - .get("set-cookie") - .context("did not recieve csrf cookie when making home page request")? - .to_str() - .context("cookie value could not be read as string")?; + .get_all("set-cookie"); - let cookie = cookie::Cookie::parse(home_cookies).context("failed to parse cookie value")?; - let csrf = if cookie.name() == "com.xk72.webparts.csrf" { - cookie.value() - } else { - anyhow::bail!("unexpected cookie from home page request") - }; + let mut csrf = None; + for cookie in home_cookies { + if let Ok(cookie) = cookie.to_str() { + let cookie = cookie::Cookie::parse(cookie).context("failed to parse cookie value")?; + if cookie.name() == "com.xk72.webparts.csrf" && cookie.value() != "" { + csrf = Some(cookie.value().to_owned()); + } + } + } let login = Login { username : &match args.username { @@ -79,7 +81,7 @@ fn main() -> anyhow::Result<()> { } }, authentication_code : "", - csrf, + csrf: &csrf.context("csrf cookie was not found when fetching homepage")?, }; let login = serde_urlencoded::to_string(&login)
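Review bot: Inside the new `for cookie in home_cookies` loop, `cookie::Cookie::parse(cookie).context("failed to parse cookie value")?` aborts the whole run when any one Set-Cookie header is malformed, even a header unrelated to CSRF, while a header that is not valid UTF-8 is silently skipped by `if let Ok(cookie) = cookie.to_str()`; the two failure paths should behave the same way. Skipping unparseable headers with `let Ok(cookie) = cookie::Cookie::parse(cookie) else { continue };` keeps the lookup limited to the one cookie it needs. The loop also has no `break`, so the last non-empty `com.xk72.webparts.csrf` value wins; if the first one is intended, break after the assignment, and either way a one-line comment such as `// server sends duplicate csrf cookies, one empty; keep the non-empty value` would record the rule. `!cookie.value().is_empty()` reads better than `!= ""`. main's body starts and ends outside the hunk.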
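Review bot: The missing-token error is raised only at `csrf: &csrf.context(...)?` inside the `Login` literal, so it fires after the `username` match and whatever else sits in the lines between the two hunks, which are not shown here. If those arms prompt for credentials, the user types them before learning the request cannot succeed. Resolving the option directly after the loop, `let csrf = csrf.context("csrf cookie was not found when fetching homepage")?;`, and passing `csrf: &csrf` here would fail earlier. The message could also say that an empty value counts as not found, since the loop discards those.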