Why not use JSON login?

[TheI1]

I can see that the login function in session.py uses the login API to get the session ID by requesting the entire page.

I was wondering why not just get the JSON response from the login API, which includes the x-token already, the same way the browser does when you login using the box on the top-right?

Also I was curious why you did not not use the "json" and "cookies" parameters for the requests functions instead of setting the data to a json.dumps result and adding cookies to the header?

This is a (working) example of how I implemented this request for one of my personal projects:

request = requests.post(
    "https://scratch.mit.edu/accounts/login/",
    json={
        "username": username,
        "password": password
    },
    headers={
        "x-requested-with": "XMLHttpRequest",
        "referer": "https://scratch.mit.edu/",
        "x-csrftoken": token
    },
    cookies={
        "scratchcsrftoken": token
    }
)

and request.json()[0]["token"] to get the x-token. The session ID can still be obtained the same way through "Set-Cookie".

[TimMcCool]

I didn't use scratch.mit.edu/accounts/login because I couldn't get it to work for some reason. I always get [{'username': '', 'num_tries': 0, 'success': 0, 'msg': '', 'messages': [], 'id': None}] from the API.

[Grisshink]

@TimMcCool Try adding the trailing slash at the end of url like this -> https://scratch.mit.edu/accounts/login/. I learned this myself the hard way and this small thing was the entire cause of this problem

[TimMcCool]

Thanks, I'll try that