CURL error to /json/progress


#1

Hey there everyone, I’m having an issue with a CURL call, in particular a PUT to https://www.wanikani.com/json/progress. If any programmer is listening, this is a question for you!

It seems that anything I’m trying gives back HTTP/1.1 401 Unauthorized; any other call like https://www.wanikani.com/review/queue or https://www.wanikani.com/review/session works (as POSTs).
I tried modifying the payload and I managed to have a “Bad Request”.

This URL sets the review items as done, you specify in the payload the number of errors in both meaning and reading.

Anyone had issues with this particular URL? The response keeps saying {"error":"You need to sign in or sign up before continuing."} even with cookies provided and X-CSRF-Token header set.

It has been a long day, maybe I’m missing something extremely obvious…

Progress:
* Hostname www.wanikani.com was found in DNS cache
*   Trying 54.204.47.4...
* Connected to www.wanikani.com (54.204.47.4) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* 	 subject: OU=Domain Control Validated; OU=EssentialSSL Wildcard; CN=*.wanikani.com
* 	 start date: May 16 00:00:00 2016 GMT
* 	 expire date: Jun 15 23:59:59 2019 GMT
* 	 subjectAltName: www.wanikani.com matched
* 	 issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* 	 SSL certificate verify ok.
> PUT /json/progress HTTP/1.1
Host: www.wanikani.com
Cookie: _wanikani_session=58ca<..>a0a8; remember_user_token=BAhbCFsGaQKp<...>b49510
Origin: https://www.wanikani.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,it;q=0.8,ja;q=0.7,es;q=0.6,id;q=0.5,nb;q=0.4,cs;q=0.3,de;q=0.2,fr;q=0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Cache-Control: no-cache
Connection: keep-alive
Pragma: no-cache
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: N/bK8rNV3<...>JwYqA==
Content-Length: 24

* upload completely sent off: 24 out of 24 bytes
< HTTP/1.1 401 Unauthorized
< Server: Cowboy
< Date: Mon, 08 Jan 2018 22:26:30 GMT
< Connection: keep-alive
< Content-Type: application/json; charset=utf-8
< Cache-Control: no-cache
< X-Request-Id: b6380aa5-e4ef-4241-9975-dea1ad9173dd
< X-Runtime: 0.003895
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
< Content-Encoding: gzip
< Transfer-Encoding: chunked
< Via: 1.1 vegur
< 
* Connection #0 to host www.wanikani.com left intact
{"error":"You need to sign in or sign up before continuing."}

#2

I’m able to get it working with the following command-line:

curl 'https://www.wanikani.com/json/progress' \
-X PUT \
-H 'Cookie: _wanikani_session=15d95<...>4d549' \
-H 'X-CSRF-Token: XAjA9<...>U+g==' \
--data '2628[]=0&2628[]=0' \
--compressed \
-v

#3

Hah! The night brought counsel, I was indeed unauthorized because the CSRF Token changed on the call to /review/session (called after the login).

Thank you @rfindley, I managed to take a closer look at the server’s replies after stripping down the request to the bare minimum, like your example.
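
The failure resolved in post #3, shown as an added example that is not part of the thread: a client that caches the CSRF token from an earlier response sends a stale X-CSRF-Token once a later response rotates it. The sample pages and token values are constructed, the function names are hypothetical, and the Rails-style `<meta name="csrf-token">` location is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Constructed sample pages: the token differs between the two responses,
# as happened in the thread after the call to /review/session.
LOGIN_PAGE='<html><head>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="CONSTRUCTED/token+one==" />
</head></html>'
SESSION_PAGE='<html><head>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="CONSTRUCTED/token+two==" />
</head></html>'

# Print the csrf-token meta value from HTML on stdin (assumed page layout).
extract_csrf_token() {
  sed -n 's/.*<meta name="csrf-token" content="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the newest page carries a token that differs from the cached one.
token_is_stale() {
  cached=$1
  latest=$(printf '%s\n' "$2" | extract_csrf_token)
  [ -n "$latest" ] && [ "$cached" != "$latest" ]
}

# Print the token to send: the one from the most recent response if it
# rotated, otherwise the cached one (also used when the page has no token).
current_token() {
  cached=$1; page=$2
  if token_is_stale "$cached" "$page"; then
    printf '%s\n' "$page" | extract_csrf_token
  else
    printf '%s\n' "$cached"
  fi
}

# Walk through the sequence from the thread: token read early, then rotated.
cached=$(printf '%s\n' "$LOGIN_PAGE" | extract_csrf_token)
if token_is_stale "$cached" "$SESSION_PAGE"; then
  echo "token rotated: refresh the X-CSRF-Token header before the PUT"
fi
echo "X-CSRF-Token: $(current_token "$cached" "$SESSION_PAGE")"
```
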


#4

Heh… just noticed your Sect name.


#5

It was a dark evening, and alone I wasn’t.
A thousand were, it was after nine.
A thousand came and a thousand died.
The deal was sealed, though the sun was nigh.