Pavel Korytov :emacs:☮️ on Nostr: I'm trying to reverse-engineer the login system at #WarOnTheRocks. What I've gathered ...
I'm trying to reverse-engineer the login system at #WarOnTheRocks.
What I've gathered so far:
1. GET https://warontherocks.memberful.com/auth/sign_in, find authenticity_token in the form
2. POST https://warontherocks.memberful.com/auth/email with email and authenticity_token. Get another authenticity_token from the response
3. POST https://warontherocks.memberful.com/auth/sign_in with email, password and the second authenticity token.
The result is XML; get the URL from the "target" property of the <turbo-stream> tag. The URL looks like http://warontherocks.com/?code=<code>&memberful_endpoint=auth&redirect_to=https://warontherocks.com/
4. s/http/https; GET the URL but prevent redirects, because the first 302 will return a Set-Cookie header with a cookie called wordpress_logged_in
5. This cookie can then be used to read paywalled articles
Just... WTF? The admins just have nothing to do with their spare time, and instead of giving subscribers a full-text #RSS, they add pointless steps to the login process?
Thanks for not adding CAPTCHAs at least, like #Substack does.
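The five steps above as a runnable script. This is an added example, not the author's code: it implements the flow exactly as the post describes it (token from the sign_in form, second token from the /auth/email response, hand-off URL from the target of the turbo-stream, http rewritten to https, cookie read off the un-followed 302), but with the HTTP layer injected so the parsing and cookie handling run offline against a constructed exchange. Field and parameter names (email, password, authenticity_token, code, memberful_endpoint, redirect_to) come from the post; the exact HTML/XML shapes, the Accept header, and cookies persisting between the Memberful steps are assumptions. WordPress suffixes the cookie name with a hash of the site URL, so the code matches on the wordpress_logged_in prefix rather than the bare name.

```python
"""Added example (not the post author's code): Memberful -> WordPress login
hand-off as described in the post, HTTP transport injected so it runs offline.
Assumed: form/turbo-stream markup shapes, Accept header, cookie persistence."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from html.parser import HTMLParser
from http.cookies import SimpleCookie

MEMBERFUL = "https://warontherocks.memberful.com"


@dataclass
class Response:
    status: int
    headers: list   # (name, value) pairs; duplicate Set-Cookie lines are kept
    body: str


class _AttrFinder(HTMLParser):
    """Attribute `want` of the first <tag> whose attributes match `where`."""
    def __init__(self, tag, where, want):
        super().__init__()
        self.tag, self.where, self.want, self.found = tag, where, want, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.found is None and tag == self.tag and \
                all(a.get(k) == v for k, v in self.where.items()):
            self.found = a.get(self.want)


def find_attr(markup, tag, where, want):
    p = _AttrFinder(tag, where, want)
    p.feed(markup)
    p.close()
    if p.found is None:
        raise ValueError(f"<{tag}> matching {where} with {want!r} not found")
    return p.found


def authenticity_token(html):
    # Steps 1 and 2: CSRF token is a hidden input in the form (assumed shape).
    return find_attr(html, "input", {"name": "authenticity_token"}, "value")


def turbo_target(xml):
    # Step 3: per the post, the hand-off URL is target= of <turbo-stream>.
    return find_attr(xml, "turbo-stream", {}, "target")


def force_https(url):
    # Step 4: the URL comes back as http://, but ?code= is a one-shot login
    # credential, so never let it travel in plaintext.
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme in {url!r}")
    return urllib.parse.urlunsplit(parts._replace(scheme="https"))


def wordpress_login_cookie(headers):
    # Step 4: read Set-Cookie off the un-followed 302. WordPress names it
    # wordpress_logged_in_<hash>, so match on the prefix.
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for k, morsel in jar.items():
                if k.startswith("wordpress_logged_in"):
                    return k, morsel.value
    raise ValueError("redirect carried no wordpress_logged_in cookie")


def login(email, password, send):
    """Steps 1-5. `send(method, url, form=None) -> Response` must keep
    cookies between calls and must NOT follow redirects."""
    r = send("GET", MEMBERFUL + "/auth/sign_in")
    tok = authenticity_token(r.body)
    r = send("POST", MEMBERFUL + "/auth/email",
             {"email": email, "authenticity_token": tok})
    tok = authenticity_token(r.body)
    r = send("POST", MEMBERFUL + "/auth/sign_in",
             {"email": email, "password": password, "authenticity_token": tok})
    r = send("GET", force_https(turbo_target(r.body)))
    if r.status not in (301, 302, 303, 307, 308):
        raise ValueError(f"expected a redirect from hand-off URL, got {r.status}")
    return wordpress_login_cookie(r.headers)   # treat this pair as a secret


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx instead of chasing it


def urllib_transport():
    """Real transport: one cookie jar, redirects disabled."""
    opener = urllib.request.build_opener(_NoRedirect(),
                                         urllib.request.HTTPCookieProcessor())

    def send(method, url, form=None):
        data = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Accept", "text/vnd.turbo-stream.html, text/html")
        try:
            resp = opener.open(req)
        except urllib.error.HTTPError as e:   # 3xx/4xx arrive here
            resp = e
        return Response(resp.code, list(resp.headers.items()),
                        resp.read().decode("utf-8", "replace"))
    return send


# Constructed sample exchange (not captured from the real site).
HANDOFF = ("http://warontherocks.com/?code=abc123&memberful_endpoint=auth"
           "&redirect_to=https://warontherocks.com/")
SAMPLE = {
    ("GET", MEMBERFUL + "/auth/sign_in"): Response(200, [],
        '<form><input type="hidden" name="authenticity_token" value="t1"></form>'),
    ("POST", MEMBERFUL + "/auth/email"): Response(200, [],
        '<form><input name="authenticity_token" value="t2"><input name="password"></form>'),
    ("POST", MEMBERFUL + "/auth/sign_in"): Response(200, [],
        '<turbo-stream action="replace" target="%s"></turbo-stream>'
        % HANDOFF.replace("&", "&amp;")),
    ("GET", HANDOFF.replace("http://", "https://", 1)): Response(302, [
        ("Location", "https://warontherocks.com/"),
        ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; path=/"),
        ("Set-Cookie", "wordpress_logged_in_7f3e=alice%7C1735689600%7Cabc; "
                       "path=/; secure; HttpOnly")], ""),
}


def fake_send(method, url, form=None):
    return SAMPLE[(method, url)]


def demo():
    return login("alice@example.com", "hunter2", fake_send)
```

Against the live site you would call login(email, password, urllib_transport()); the returned cookie name and value are a session credential for the WordPress side and should be stored and logged with the same care as the password.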