Add INSTAGRAM_SESSIONID. This also removes support for passing a sess…

…ionid parameter in the request, so you are no longer able to subscribe to private feeds (unless you self-host RSS Box).
stefansundin · Jan 14, 2021 · 3611a8f · 3611a8f
1 parent 1ab1599
commit 3611a8f
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 15 deletions.
diff --git a/.dockerenv.example b/.dockerenv.example
@@ -6,6 +6,8 @@ REDIS_URL=redis://redis:6379
 
 #VIMEO_ACCESS_TOKEN=
 
+#INSTAGRAM_SESSIONID=
+
 #SOUNDCLOUD_CLIENT_ID=
 
 #TWITCH_CLIENT_ID=

diff --git a/.env.example b/.env.example
@@ -15,6 +15,8 @@ REDIS_URL=redis://localhost:6379/3
 
 #VIMEO_ACCESS_TOKEN=
 
+#INSTAGRAM_SESSIONID=
+
 #SOUNDCLOUD_CLIENT_ID=
 
 #TWITCH_CLIENT_ID=

diff --git a/README.md b/README.md
@@ -56,6 +56,16 @@ Go to the [Google Developer Console](https://console.developers.google.com/), cr
 
 Go to the [Vimeo developer website](https://developer.vimeo.com/apps) and create an app. Then create a personal access token.
 
+#### Instagram
+
+The Instagram support works without a `sessionid`, although it appears that the Instagram rate limits are much higher when one is used.
+
+**I highly recommend that you create a dedicated Instagram account for this. If someone manages to access your sessionid then your account may be compromised!**
+
+Login to [Instagram](https://www.instagram.com/) and then inspect your browser's cookies (this is easiest accomplished via the browser's developer tools) and copy the value of the `sessionid` cookie.
+
+Once you've configured RSS Box, be sure to delete the cookie from the browser to avoid it being accidentally invalidated when you sign out. The `sessionid` should be valid for a long time, but you may have to repeat this procedure if it stops working in the future.
+
 #### Facebook
 
 Facebook was supported in the past, but I have been unable to obtain API access since they locked it down in 2018. Maybe we can rebuild it some day, but using scraping techniques or something. [Discuss here.](https://github.com/stefansundin/rssbox/issues/5)

diff --git a/Vagrantfile b/Vagrantfile
@@ -19,6 +19,7 @@ REDIS_URL=redis://localhost:6379/3
 #TWITTER_ACCESS_TOKEN=
 #GOOGLE_API_KEY=
 #VIMEO_ACCESS_TOKEN=
+#INSTAGRAM_SESSIONID=
 #SOUNDCLOUD_CLIENT_ID=
 #TWITCH_CLIENT_ID=
 #TWITCHTOKEN_CLIENT_ID=

diff --git a/app.json b/app.json
@@ -28,6 +28,10 @@
       "description": "Your Vimeo access token.",
       "required": false
     },
+    "INSTAGRAM_SESSIONID": {
+      "description": "Your Instagram sessionid.",
+      "required": false
+    },
     "SOUNDCLOUD_CLIENT_ID": {
       "description": "Your SoundCloud client id.",
       "required": false

diff --git a/app.rb b/app.rb
@@ -497,16 +497,9 @@
 
   # To find the query_hash, simply use the Instagram website and monitor the network calls.
   # This request in particular is the one that gets the next page when you scroll down on a profile, but we change it to get the first 12 posts instead of the second or third page.
-  options = {
+  response = App::Instagram.get("/graphql/query/", {
     query: { query_hash: "f045d723b6f7f8cc299d62b57abd500a", variables: "{\"id\":\"#{@user_id}\",\"first\":12}"},
-  }
-  if params[:sessionid]
-    # To subscribe to private feeds, see https://github.com/stefansundin/rssbox/issues/21#issuecomment-525130553
-    # Please host the app yourself if you decide to do this, otherwise you will leak your sessionid to me and the privacy of your friends posts.
-    options[:headers] = {"Cookie" => "ig_cb=1; sessionid=#{CGI.escape(params[:sessionid])}"}
-  end
-
-  response = App::Instagram.get("/graphql/query/", options)
+  })
   return [401, "The sessionid expired!"] if params.has_key?(:sessionid) && response.code == 302
   raise(App::InstagramError, response) if !response.success? || !response.json?
   @data = response.json["data"]["user"]
@@ -515,7 +508,7 @@
   type = %w[videos photos].pick(params[:type]) || "posts"
   @data["edge_owner_to_timeline_media"]["edges"].map! do |post|
     if post["node"]["__typename"] == "GraphSidecar"
-      post["nodes"] = App::Instagram.get_post(post["node"]["shortcode"], options)
+      post["nodes"] = App::Instagram.get_post(post["node"]["shortcode"])
     else
       post["nodes"] = [post["node"]]
     end

diff --git a/app/instagram.rb b/app/instagram.rb
@@ -14,11 +14,17 @@ class Instagram < HTTP
     }
     ERROR_CLASS = InstagramError
 
+    if ENV.has_key?("INSTAGRAM_SESSIONID")
+      sessionid = ENV["INSTAGRAM_SESSIONID"]
+      if sessionid.include?(":")
+        sessionid = CGI.escape(sessionid)
+      end
+      HEADERS["Cookie"] += "; sessionid=#{sessionid}"
+    end
+
     @@cache = {}
 
-    def self.get(url, options={headers: {}})
-      options ||= {}
-      options[:headers] ||= {}
+    def self.get(url, options={})
       response = super(url, options)
       if response.code == 403
         raise(InstagramTokenError, response)
@@ -28,15 +34,15 @@ def self.get(url, options={headers: {}})
       response
     end
 
-    def self.get_post(id, opts={})
+    def self.get_post(id)
       return @@cache[id] if @@cache[id]
       value = $redis.get("instagram:#{id}")
       if value
         @@cache[id] = JSON.parse(value)
         return @@cache[id]
       end
 
-      response = get("/p/#{id}/", opts)
+      response = get("/p/#{id}/")
       raise(InstagramError, response) if !response.success? || !response.json
       post = response.json["graphql"]["shortcode_media"]
 

diff --git a/kubernetes/configmap.yml b/kubernetes/configmap.yml
@@ -8,6 +8,7 @@ data:
   # TWITTER_ACCESS_TOKEN: ""
   # GOOGLE_API_KEY: ""
   # VIMEO_ACCESS_TOKEN: ""
+  # INSTAGRAM_SESSIONID: ""
   # SOUNDCLOUD_CLIENT_ID: ""
   # TWITCH_CLIENT_ID: ""
   # TWITCHTOKEN_CLIENT_ID: ""