Initial InstagramBridge private feed - Include CSRF

[Fmstrat]

[HOLD PR]
A bit more research needs to be done to store the full cookie data. Since the urlgen cookie variable is tied to IP, this is not as straight forward as first appeared. The 429 block may have expired during my testing causing false positives with the CSRF token

Purpose
While integration with the new configuration PR (#1343) is required, this takes the first steps to enabling private feeds in the Instagram Bridge.

Caveats
I cannot fully validate this without wider user testing for 429 errors, however in my brief testing it has worked well.

Usage
Until the above integration occurs, users will need to edit the CSRF_TOKEN variable (see here) to match a token they get from Instagram. To get a token, users can view any page on Instagram while logged in and look at the network inspector for any call to a /graphql URL:

[danganhhop]

I followed the instructions and it didn't work
My rss: https://hoptestmoi.herokuapp.com/?action=display&bridge=Instagram&context=Username&u=25025320&media_type=all&format=Html
This is screenshot: https://nimb.ws/SJpDIo

[em92]

[HOLD PR]

It is possible to mark any PR as draft, to deny merging it accidentally.

[JimDog546]

I've been experimenting with this and I still am so I'm not sure if I've found a good solution or how long it will last, but it at least seems to be working. Surprisingly providing the CSRF token doesn't seem to do anything. The only thing that seems to work, at least for me, is the sessionid cookie.

Similar to what you've done, I added a constant with my sessionid near the top, added this within getInstagramJSON:

$header = array('cookie: sessionid=' . self::SESSIONID);

and added $header to the getContents function call:

$data = getContents(self::URI .
                                'graphql/query/?query_hash=' .
                                self::USER_QUERY_HASH .
                                '&variables={"id"%3A"' .
                                $userId .
                                '"%2C"first"%3A10}',$header);

I'm not sure how this affects 429 errors but it at least allows me to view profiles I follow that are not public so it appears to be doing so using my credentials as if I've logged in.

[em92]

Hi, @JimDog546 ! Is your solution with session id is still working?

[em92]

I mean do you meet 429 errors on your private RSS-Bridge instance?

[JimDog546]

@em92 Yes, the session id is still working for me. No more 429 errors, but I did run into one similar issue that I've worked around with caching.

My feed reader (Inoreader) doesn't allow me to specify the update interval and I'm using it against 300+ profiles. After a few days of its very frequent queries, Instagram sent me an e-mail saying they thought my account was compromised and they eventually temporarily blocked my IP address. I shut everything down for a few days to let that clear up and experimented with caching to try to cut down on the amount of requests that actually get sent to Instagram. Surprisingly I was able to make things work simply by adding a CACHE_TIMEOUT to InstagramBridge.php:

const CACHE_TIMEOUT = 43200; // 12 hours

12 hours works for me and my needs so I haven't experimented with any lower values for more frequent updates. I've been running this way (with the session ID cookie and CACHE_TIMEOUT) for at least a month with no issues.

[em92]

Thanks for the report @JimDog546!
I've just added my personal session id with increased cache timeout patch to my public RSS-Bridge instance. Approx 200 profiles, so it should be fine.

[dvikan]

@Fmstrat Any progress here? We need a maintainer for the Instagram bridge. Can you step up?