fix: handle AllAnime aaReq token for episode sources#1772
Conversation
AllAnime changed its GraphQL API. Episode source requests now require:
- AES-256-GCM aaReq token in extensions (replaces old AES-256-CTR)
- XOR-derived key instead of SHA256('Xot36i3lK3:v1')
- Decrypt tobeparsed response with same GCM key
- POST fallback removed (AllAnime now requires GET + aaReq)
Uses Node.js crypto module (built-in, no new deps) for GCM operations
since openssl enc does not support AEAD ciphers.
Based on anipy-cli fix: sdaqo/anipy-cli#332
|
I personally don't like the inclusion of a JS runtime as a dependency, as it can lead to ani-cli packages being prone to all of the JS-targetting malware worms, are there no other alternatives? |
|
i had to force this PR on my machice to make it work, it was not finding any media to play |
aren't those only on NPM? (in the same sense of the AUR incident) correct me if I'm wrong tho, I always use --ignore-scripts and minimize deps footprint and avoid adding big/new ones. |
or use deno |
I've used it before on my personal projects, but the matter of my question is about the package manager, how safer is it than other options? what does it do different in regards to the supply chain attacks I mentioned on NPM I know they bundle a bunch of useful tools directly, but looking into the NPM compromises am I missing something? tnx for recommendation anyways, I'm already about 6 months away from js world cause I took the decision of diving into Linux and I am now learning the low level stuff I ignored during years |
|
Thanks for this fix it worked for me. Hey I am a newby here 100% a vibe coder, I was wondering if someone with more experience could explain how they reverse engineered the allanime website to create this app its amazing. I was wondering if its possible to do this basically with any streaming website. |
Theres a reason why i choose I also considered the
|
|
I noticed the The The Also the So it seems like hardcoding is relatively stable for now but these are my findings. |




AllAnime changed its GraphQL API. Episode source requests now require an
AES-256-GCM
aaReqtoken in theextensionsobject and must be sent as GETwith query parameters. POST requests fail with
AA_CRYPTO_MISSING.Changes:
process_response()— Decrypttobeparsedwith AES-256-GCM instead ofAES-256-CTR (openssl
encdoesn't support AEAD, so uses Node.jscrypto)get_episode_url()— Generate dynamicaaReqtoken via the same XOR-derivedkey and include it in the GraphQL extensions; removed dead POST fallback
allanime_key— XOR-derived key from two static secrets (matching theofficial site's build) instead of SHA256(
Xot36i3lK3:v1)The aaReq token is time-bound (5-minute window) and encrypted with AES-256-GCM
using the same key, matching the exact protocol the AllAnime website uses.
No new runtime dependencies — Node.js
cryptois built-in.nodejsadded todependency list in README and dep checker.
Before Fix:
After Fix: