From Reverse Engineering to Production: Weibo Cookie-Free Access in AstrBot Plugins

(edited)

Assisted writing

AI Translation中文 → English

This article has been automatically translated by AI and may contain inaccuracies

AI·GEN

Key Insights

Technical Disclaimer: The content of this article is intended solely for technical research and learning purposes. Any data requests should comply with the target website's robots.txt protocol and terms of service.

Part 1: Protocol Reverse Engineering Analysis

1. Background

While developing a Sky: Children of the Light daily task push plugin, I encountered a tricky problem: the original solution relied on users manually filling in Weibo Cookies (SUB and XSRF-TOKEN), which caused two pain points:

Poor user experience: Regular users don't know how to extract Cookies from their browser
High maintenance cost: Cookies have a short validity period and need to be updated frequently

Directly requesting the Weibo API (e.g., /api/container/getIndex) returns a 432 error, indicating that even in "visitor" mode, the server has a strict session management mechanism.

Technical Goal: Reverse engineer the Weibo H5 visitor authentication protocol to automatically obtain temporary visitor credentials, allowing the plugin to access Weibo data without requiring the user to provide Cookies.

2. Protocol Analysis: Three-Phase Authentication Chain

Through packet capture analysis with Edge DevTools, comparing before and after clearing Cookies, I confirmed that Weibo H5 visitor authentication is a three-phase closed loop involving cross-domain interaction.

2.1 Authentication Architecture Diagram

sequenceDiagram
    autonumber
    participant Client as Client (Script/Browser)
    participant Passport as Auth Service (passport.weibo.cn)
    participant Gateway as App Gateway (m.weibo.cn)

    Note over Client, Gateway: Phase 1: Identity Token Issuance

    Client->>Passport: POST /visitor/genvisitor2
    Passport-->>Client: 200 OK (JSONP Payload)
    note left of Passport: Issue SUB token

    Note over Client, Gateway: Phase 2: Session Initialization

    Client->>Gateway: GET / (Cookie: SUB)
    Gateway-->>Client: 200 OK + Set-Cookie: XSRF-TOKEN
    note left of Gateway: Validate SUB, Issue CSRF Token

    Note over Client, Gateway: Phase 3: API Access

    Client->>Gateway: GET /api/container/getIndex<br/>(Cookie: SUB, XSRF-TOKEN)<br/>(Header: x-xsrf-token)
    Gateway->>Gateway: Validate Double Submit
    Gateway-->>Client: 200 OK (JSON Data)

CodeBlock Loading...

2.2 Phase 1: Identity Token Issuance

Endpoint: POST https://visitor.passport.weibo.cn/visitor/genvisitor2

Key Parameters:

data = {
    'cb': 'visitor_gray_callback',
    'tid': '',
    'new_tid': 'null'
}

CodeBlock Loading...

Technical Challenges:

JSONP response parsing: The response format is visitor_gray_callback({...}) rather than standard JSON, requiring regex extraction
Manual Cookie injection: The server does not issue SUB via Set-Cookie; it must be extracted from the response payload and manually written into the CookieJar

Core Code:

resp = session.post(url, headers=headers, data=data)
match = re.search(r'visitor_gray_callback\((.*)\)', resp.text)
json_data = json.loads(match.group(1))
sub = json_data['data']['sub']
session.cookies.set('SUB', sub, domain='.weibo.cn')

CodeBlock Loading...

2.3 Phase 2: Session Initialization

Endpoint: GET https://m.weibo.cn/

Function: Access the main site with the SUB Cookie to activate the session and obtain the XSRF-TOKEN

Key Points:

Must carry the SUB Cookie obtained in Phase 1
The server issues XSRF-TOKEN via the Set-Cookie response header
XSRF-TOKEN is a short-lived, session-level token

2.4 Phase 3: Protected Resource Access

Security Mechanism: Double Submit Cookie pattern for CSRF defense

Client Requirements:

Cookie level: Carry SUB and XSRF-TOKEN
Header level: Write the value of XSRF-TOKEN into the x-xsrf-token request header

Server-Side Validation:

Header['x-xsrf-token'] == Cookie['XSRF-TOKEN']

CodeBlock Loading...

3. PoC Implementation

Complete proof-of-concept code:

# -*- coding: utf-8 -*-
import requests
import json
import re

class WeiboH5VisitorAuth:
    def __init__(self):
        self.session = requests.Session()
        self._init_headers()
        self.sub = None
        self.xsrf_token = None

    def _init_headers(self):
        """Configure browser fingerprint"""
        headers_base = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'sec-ch-ua': '"Chromium";v="142", "Microsoft Edge";v="142"',
            'sec-ch-ua-mobile': '?0',
            'sec-ch-ua-platform': '"Windows"',
            'Accept-Encoding': 'gzip, deflate, br, zstd',
            'dnt': '1',
        }
        self.session.headers.update(headers_base)

    def step1_obtain_identity_token(self):
        """Phase 1: Obtain SUB"""
        url = 'https://visitor.passport.weibo.cn/visitor/genvisitor2'
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Origin': 'https://visitor.passport.weibo.cn',
        }
        data = {'cb': 'visitor_gray_callback', 'tid': '', 'new_tid': 'null'}

        resp = self.session.post(url, headers=headers, data=data)
        match = re.search(r'visitor_gray_callback\((.*)\)', resp.text)
        json_data = json.loads(match.group(1))

        if json_data.get('retcode') == 20000000:
            self.sub = json_data['data']['sub']
            self.session.cookies.set('SUB', self.sub, domain='.weibo.cn')
            self.session.cookies.set('SUBP', json_data['data']['subp'], domain='.weibo.cn')

    def step2_initialize_session(self):
        """Phase 2: Obtain XSRF-TOKEN"""
        url = 'https://m.weibo.cn'
        headers = {'Referer': 'https://visitor.passport.weibo.cn/'}

        self.session.get(url, headers=headers)
        self.xsrf_token = self.session.cookies.get('XSRF-TOKEN')

    def step3_access_api(self, container_id):
        """Phase 3: Access API"""
        api_url = 'https://m.weibo.cn/api/container/getIndex'
        params = {'containerid': container_id, 'page': 1, 'count': 10}
        headers = {
            'Accept': 'application/json, text/plain, */*',
            'x-xsrf-token': self.xsrf_token,  # Double Submit
            'Referer': f'https://m.weibo.cn/u/{container_id}'
        }

        resp = self.session.get(api_url, params=params, headers=headers)
        return resp.json()

    def run(self, target_id):
        self.step1_obtain_identity_token()
        self.step2_initialize_session()
        return self.step3_access_api(target_id)

CodeBlock Loading...

Part 2: Engineering Practice - Integration into AstrBot Plugin

4. Real-World Challenges

When integrating the PoC into a production environment, the following challenges were encountered:

API differences: The response format of the mobile API differs from the PC API
Performance optimization: Avoid repeated authentication by reusing sessions
Error handling: Fallback mechanisms for network errors and authentication failures
Data adaptation: HTML tag cleanup and newline preservation

5. Architecture Design

5.1 Dual-Scheme Architecture

A smart fallback mechanism was designed:

class Auth:
    def __init__(self, config):
        self.use_cookie = config.get("cookies", {}).get("enabled", False)
        self._visitor_cookies = {}

    async def init_visitor_auth(self, session):
        """Cookie-free scheme: Initialize visitor authentication"""
        # Implement three-phase authentication
        pass

CodeBlock Loading...

Workflow:

Prioritize using the user-configured Cookie (PC API)
If the Cookie is not configured or has expired, automatically switch to the Cookie-free scheme (mobile API)

5.2 Spider Class Refactoring

class Spider:
    async def fetch(self, page=0):
        # Try the Cookie scheme first
        if self.auth.use_cookie and self.auth._get_cookie():
            try:
                return await self._fetch_with_cookie(page)
            except Exception as e:
                logger.warning(f"Cookie scheme failed: {e}, switching to Cookie-free scheme")

        # Fallback to Cookie-free scheme
        return await self._fetch_without_cookie(page)

CodeBlock Loading...

6. Key Technical Points

6.1 API Response Difference Adaptation

PC API (/ajax/statuses/mymblog):

{
  "ok": 1,
  "data": {
    "list": [{
      "mblogid": "xxx",
      "text_raw": "Plain text",
      "pic_infos": {...}
    }]
  }
}

CodeBlock Loading...

Mobile API (/api/container/getIndex):

{
  "ok": 1,
  "data": {
    "cards": [{
      "card_group": [{
        "mblog": {
          "mid": "xxx",
          "text": "<br />HTML text<br />",
          "pics": [...]
        }
      }]
    }]
  }
}

CodeBlock Loading...

Adaptation Solution:

def _parse_mobile_mblogs(self, data):
    for card in data.get("cards", []):
        for item in card.get("card_group", []):
            mblog = item["mblog"]
            # 1. Convert <br> to newlines
            text_raw = re.sub(r'<br\s*/?>', '\n', mblog.get("text", ""))
            # 2. Strip other HTML tags
            text_raw = re.sub(r'<[^>]+>', '', text_raw).strip()

            self._results.append(Blog(
                mblogid=mblog.get("mid"),
                text_raw=text_raw,
                is_long_text=mblog.get("isLongText", False),
                use_mobile_api=True
            ))

CodeBlock Loading...

6.2 Long Text Retrieval Optimization

Text returned by the mobile API is truncated; a long-text API call is needed:

async def fetch_long_text(self, client, auth):
    if not self.is_long_text:
        return self.text_raw

    if self.use_mobile_api:
        api = "https://m.weibo.cn/statuses/extend"
    else:
        api = "https://weibo.com/ajax/statuses/longtext"

    response = await client.get(api, params={"id": self.mblogid})
    long_text = response.json()["data"]["longTextContent"]

    # Clean HTML and preserve newlines
    long_text = re.sub(r'<br\s*/?>', '\n', long_text)
    return re.sub(r'<[^>]+>', '', long_text).strip()

CodeBlock Loading...

6.3 Performance Optimization: Session Reuse

Problem: Each data source requires visitor authentication, resulting in too many requests

Before optimization (2 data sources):

Data source 1: 1 auth + 1 list + 1 long-text auth + 1 long-text = 4 requests
Data source 2: 1 auth + 1 list + 1 long-text auth + 1 long-text = 4 requests
Total: 8 requests, 4 authentications

Optimization Solution:

class Spider:
    def __init__(self):
        self._client = None  # Save client reference

    async def _fetch_without_cookie(self, page):
        self._client = httpx.AsyncClient()
        await self.auth.init_visitor_auth(self._client)
        # Fetch list...
        return self  # Keep client open

# In SkyDaily.get_daily_data
try:
    await spider.fetch()
    blog = spider.filter_by_regex(pattern).one()

    # Reuse spider's client to fetch long text
    if spider._client:
        text = await blog.fetch_long_text(spider._client, auth=auth)
finally:
    # Ensure client is closed
    if spider._client:
        await spider._client.aclose()

CodeBlock Loading...

After optimization (2 data sources):

Data source 1: 1 auth + 1 list + 1 long-text (reused client) = 3 requests
Data source 2: 1 auth + 1 list + 1 long-text (reused client) = 3 requests
Total: 6 requests, 2 authentications

6.4 Regex Adaptation

Problem: After stripping HTML from the mobile API, the format of supertopic tags changes, causing regex matching to fail

Original HTML:

<span class="surl-text">sky光遇超话</span> 11.22 | 每日任务

CodeBlock Loading...

After cleanup:

sky光遇超话 11.22 | 每日任务

CodeBlock Loading...

Solution: Modify the regex from relying on a specific format to keyword matching

# Old regex (relies on # tags)
pattern = r"^#[^#]*光遇[^#]*超话]#\s*\d{1,2}\.\d{1,2}\s*"

# New regex (keyword matching)
pattern = r".*sky光遇.*每日任务.*"

CodeBlock Loading...

7. Configuration Design

{
  "cookies": {
    "enabled": false,
    "sub": "",
    "xsrf_token": ""
  },
  "data_sources": [
    "7360748659:.*sky光遇.*每日任务.*:今天游离翻车了吗",
    "5539106873:^【国服·每日任务攻略】:陈陈努力不鸽"
  ]
}

CodeBlock Loading...

Logic:

cookies.enabled = true and Cookie is filled in → Use PC API
cookies.enabled = false or Cookie is empty → Automatically use the Cookie-free scheme

8. Error Handling

async def fetch(self, page=0, max_attempts=3, retry_delay=2):
    for attempt in range(max_attempts):
        try:
            # Attempt to fetch data
            pass
        except (httpx.HTTPStatusError, httpx.TimeoutException) as e:
            if attempt < max_attempts - 1:
                logger.warning(f"Request failed, retrying in {retry_delay} seconds...")
                await asyncio.sleep(retry_delay)
                continue
            else:
                raise
        finally:
            # Ensure resources are cleaned up
            if self._client:
                await self._client.aclose()

CodeBlock Loading...

9. Results

Before optimization:

Users needed to manually fill in Cookies
Plugin stopped working after Cookie expiration
Only PC API was supported

After optimization:

Zero-configuration, ready to use out of the box
Automatically obtains temporary visitor credentials
Dual-scheme automatic switching
25% performance improvement (2 fewer authentication requests)

Log Example:

[INFO] Using Cookie-free scheme to fetch Weibo data
[INFO] Visitor authentication initialized successfully
[INFO] Retrieved 1 post from today's source
[INFO] Today's server strategy query complete, successfully fetched 2/2 data sources

CodeBlock Loading...

Summary

Key Takeaways

JSONP response handling: Use regex to extract JSON and manually inject Cookies
Double Submit CSRF: Read the token from the Cookie and write it into the Header
Session reuse: Avoid repeated authentication to reduce network requests
HTML cleanup: Preserve newlines to improve text readability
Error handling: Implement retry mechanisms and graceful degradation

Applicable Scenarios

This solution is suitable for:

Automation tools that need to access public Weibo data
Applications that don't want users to manually provide Cookies
Crawler services that need to run stably over the long term

Notes

Comply with protocols: Strictly follow robots.txt and terms of service
Rate limiting: Avoid high-frequency requests that trigger risk control
User-Agent: Use a real browser fingerprint
Error handling: Implement proper exception catching and fallback strategies

References

Project Repository: GitHub - Sky Daily Plugin

The complete code for this article has been open-sourced. Stars and PRs are welcome. If you have any questions, please open an Issue for discussion.