Tapping Scrapbox's private project API
I want to organize this as it is not limited to PRIVATE projects.
But since it is linked to from many places, I decided to keep this page alive (2023-08-09).
2018-12-17
The API for public projects can get data by simply GETing it, but doing so in a private project will result in a 401. (No wonder).
When you access a private project while logged in, authentication information is set in a cookie. Use this.
This cookie is Secure and HttpOnly, so it is not known by looking at document.cookie. To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript's Document.cookie API
With Chrome Devtools, you can see it here.
https://gyazo.com/ce08d69ca4712edf038c17fb9f8f2bd2
Specifically, the name "connect.sid" contains authentication information. This can be passed to requests, for example. code:python
cookies={"connect.sid": "..."}
This connect.sid is the one that doesn't expire until 2020 as of 2018, so we can access it for the time being.
We need to be careful because I don't know if there is a way to reset this information if it is inadvertently divulged.
I logged out and logged back in and it was different.
thanks moriyoshi
---
This page is auto-translated from /nishio/ScrapboxのprivateプロジェクトのAPIを叩く using DeepL. If you looks something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I'm very happy to spread my thought to non-Japanese readers.