Async calls do not correctly pass cookies, resulting in 401 errors

[MetaflameDragon]

Running nearly any async API call which requires any form of authentication (that is, the Auth cookie or similar to be present) results in 401 errors due to the cookie seemingly not being present. Running the same calls synchronously works fine, likewise when attempting to replicate manually via Insomnia.

It looks like it may be related to the fact that ApiClient.ExecAsync doesn't use ApiClient.CookieContainer and doesn't provide it to the RestClient, while ApiClient.Exec does.

---

Example 1:

Running await API.Authentication.GetCurrentUserWithHttpInfoAsync() works fine (doesn't need auth cookies for a first-time login, instead it provides a Set-Cookie header with the Auth cookie). (Side-note, unrelated to this issue: the received data isn't parsed correctly in this case, as the schema doesn't match the "TOTP required" response JSON: { "requiresTwoFactorAuth": [ "totp", "otp" ] } . The endpoint call itself doesn't fail on Auth cookies missing though.)

Running await API.Authentication.Verify2FAAsync(new(totp)) afterwards ends with a 401: Missing Credentials. The VRC API details that this happens when the Auth cookie isn't provided. Replicating the same steps manually in Insomnia works correctly, same as executing this call synchronously (via API.Authentication.Verify2FA()).

Example 2:

After successfully logging in (by running Verify2FA synchronously), running await API.Users.GetUserAsync(userId) leads to the same 401: Missing Credentials error as before.

[ariesclark]

Hi, unfortunately I don't have much background in C#, so I can't really resolve these issues. We use the C# generator, which builds the package based on the specification we've defined.

We patch this generated code to include a cookie store, which is required to maintain the authenticated state. This issue mentions various issues, the 2fa response is hard to structure in an OpenAPI complaint way, since the majority of generators don't support the oneOf keyword as far as I'm aware.

Regardless, the authentication issue seems like it could be resolved by updating the way we patch in the cookie store, and maybe you could give it a try?

[MetaflameDragon]

Once I get around to updating our discord bot (where we're using the API), I'll try to clone the repo and see if I can patch the async methods. I could then hopefully suggest a further fix to the generator script.

[MistressPlague]

ApiClient.cs:448 should be cookies.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, new Uri(baseUrl).Host)); for this to work with non basic-only auth. Might also fix asyncs.

[MistressPlague]

Solved: Line 549 should have this code:

            var cookies = CookieContainer;

            if (options.Cookies != null && options.Cookies.Count > 0)
            {
                foreach (var cookie in options.Cookies)
                {
                    cookies.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, new Uri(baseUrl).Host));
                }
            }

            var clientOptions = new RestClientOptions(baseUrl)
            {
                CookieContainer = cookies,
                ClientCertificates = configuration.ClientCertificates,
                MaxTimeout = configuration.Timeout,
                Proxy = configuration.Proxy,
                UserAgent = configuration.UserAgent
            };

[MistressPlague]

Two bugs fixed with one initial stone, lol

[MistressPlague]

VRChat.API.zip
Here is the fixed source files.