`403 forbidden` when uploading to CurseForge, prob due to missing user agent

[ZZZank]

My publish script: https://github.com/ZZZank/ProbeJS-Legacy/blob/main/buildSrc/src/main/kotlin/mod-publish-common.gradle.kts

I got this when trying to upload to CurseForge:

Failed to Upload artifact to CurseForge. Code: 403, Error: Forbidden

To make sure this is not API key issue, I tried manually sending request to CurseForge:

const resp = await fetch("https://minecraft.curseforge.com/api/game/versions", {
  'headers': API_TOKEN
})

require('fs').writeFileSync("./resp.xml", resp.text())
console.log(`${resp.status} ${resp.statusText}`)

Which also gave me 430 Forbidden, and the content of resp.xml is:

Details

<!DOCTYPE html>
<html lang="en-US">
    <head>
        <title>Just a moment...</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <meta http-equiv="X-UA-Compatible" content="IE=Edge">
        <meta name="robots" content="noindex,nofollow">
        <meta name="viewport" content="width=device-width,initial-scale=1">
        <meta http-equiv="content-security-policy"
            content="default-src &#39;none&#39;; script-src &#39;nonce-A48DkSZywstVmNN7624qhc&#39; &#39;unsafe-eval&#39; https://challenges.cloudflare.com; script-src-attr &#39;none&#39;; style-src &#39;unsafe-inline&#39;; img-src &#39;self&#39; https://challenges.cloudflare.com; connect-src &#39;self&#39; https://challenges.cloudflare.com; frame-src &#39;self&#39; https://challenges.cloudflare.com blob:; child-src &#39;self&#39; https://challenges.cloudflare.com blob:; worker-src blob:; form-action http: https:; base-uri &#39;self&#39;">
        <style>removed because too long</style>
        <meta http-equiv="refresh" content="360">
    </head>
    <body>
        <div class="main-wrapper" role="main">
            <div class="main-content">
                <noscript>
                    <div class="h2">
                        <span id="challenge-error-text">Enable JavaScript and cookies to continue</span>
                    </div>
                </noscript>
            </div>
        </div>
        <script nonce="A48DkSZywstVmNN7624qhc">removed because too long</script>
    </body>
</html>

Based on "Enable JavaScript and cookies to continue", I tried adding user agent to the request:

const resp = await fetch("https://minecraft.curseforge.com/api/game/versions", {
  'headers': API_TOKEN,
  'Accept': 'application/json',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
})

which then properly returns a valid JSON result. So I guess the same applies to MobPublisher. The lack of user agent makes CF API rejects request from Mob Publisher

[hypherionmc]

That error is only thrown by curse when the api key is missing or invalid.

Internally in another library we do send the headers with the user agent.

That being said, CurseForge is currently busy with api changes to the upload api that could've broken it

[ZZZank]

That error is only thrown by curse when the api key is missing or invalid.

That's strange, I sent two request to CF API with the same token, and only the one without user agent got 403 forbidden.

Internally in another library we do send the headers with the user agent.

I see, there's a .setUserAgent("CurseUpload4J") in CurseUpload4J. So what could be the reason of my problem

[hypherionmc]

The only thing I can think of, based on the long output from your .xml file, is that CurseForge was enforcing "bot checks" again which they do from time to time, which basically causes most api calls to fail.

According to my contacts at Curse, 403 is only ever shown for invalid/missing api keys.

My suggestion would be to add a println() in your build.gradle to print out your API key and check if that matches what you expect it to be