brendonjohn | 5 years ago
I reverse engineered this in a production environment. It took approximately 7 months to build a scalable solution.
The investigation on how to create the x-snapchat-client-auth token is brilliant. One day I hope to do a talk on what my old team did to circumvent it.
There's a painful gotcha on the homestretch for this token: You may be creating the token, but it's not obvious what you're supposed to be using the method to sign.
What do they use it for? As far as I could tell, it's so they can verify requests at the edge nodes of their network. When you provide a bad x-snapchat-client-auth, you get a near-instant 403.
bluesign|5 years ago
krankthat|5 years ago