CURL error to /json/progress

Hey there everyone, I’m having an issue with a CURL call, in particular a PUT to WaniKani — Log in. If any programmer is listening, this is a question for you!

It seems that anything I’m trying gives back HTTP/1.1 401 Unauthorized; any other call like WaniKani — Log in or WaniKani — Log in works (as POSTs).
I tried modifying the payload and I managed to have a “Bad Request”.

This URL sets the review items as done, you specify in the payload the number of errors in both meaning and reading.

Anyone had issues with this particular URL? The response keeps saying {"error":"You need to sign in or sign up before continuing."} even with cookies provided and X-CSRF-Token header set.

It has been a long day, maybe I’m missing something extremely obvious…

* Hostname was found in DNS cache
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* 	 subject: OU=Domain Control Validated; OU=EssentialSSL Wildcard; CN=*
* 	 start date: May 16 00:00:00 2016 GMT
* 	 expire date: Jun 15 23:59:59 2019 GMT
* 	 subjectAltName: matched
* 	 issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* 	 SSL certificate verify ok.
> PUT /json/progress HTTP/1.1
Cookie: _wanikani_session=58ca<..>a0a8; remember_user_token=BAhbCFsGaQKp<...>b49510
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,it;q=0.8,ja;q=0.7,es;q=0.6,id;q=0.5,nb;q=0.4,cs;q=0.3,de;q=0.2,fr;q=0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Cache-Control: no-cache
Connection: keep-alive
Pragma: no-cache
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: N/bK8rNV3<...>JwYqA==
Content-Length: 24

* upload completely sent off: 24 out of 24 bytes
< HTTP/1.1 401 Unauthorized
< Server: Cowboy
< Date: Mon, 08 Jan 2018 22:26:30 GMT
< Connection: keep-alive
< Content-Type: application/json; charset=utf-8
< Cache-Control: no-cache
< X-Request-Id: b6380aa5-e4ef-4241-9975-dea1ad9173dd
< X-Runtime: 0.003895
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
< Content-Encoding: gzip
< Transfer-Encoding: chunked
< Via: 1.1 vegur
* Connection #0 to host left intact
{"error":"You need to sign in or sign up before continuing."}

I’m able to get it working with the following command-line:

curl '' \
-X PUT \
-H 'Cookie: _wanikani_session=15d95<...>4d549' \
-H 'X-CSRF-Token: XAjA9<...>U+g==' \
--data '2628[]=0&2628[]=0' \
--compressed \

Hah! The night brought counsel, I was indeed unauthorized because the CSRF Token changed on the call to /review/session (called after the login).

Thank you @rfindley, I managed to take a closer look at the server’s replies after stripping down the request to the bare mininum, like your example.

Heh… just noticed your Sect name.

It was a dark evening, and alone I wasn’t.
A thousand were, it was after nine.
A thousand came and a thousand died.
The deal was sealed, though the sun was nigh.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.