Skip to content

fix: handle AllAnime aaReq token for episode sources#1772

Open
bl33dz wants to merge 2 commits into
pystardust:masterfrom
bl33dz:master
Open

fix: handle AllAnime aaReq token for episode sources#1772
bl33dz wants to merge 2 commits into
pystardust:masterfrom
bl33dz:master

Conversation

@bl33dz

@bl33dz bl33dz commented Jul 8, 2026

Copy link
Copy Markdown

AllAnime changed its GraphQL API. Episode source requests now require an
AES-256-GCM aaReq token in the extensions object and must be sent as GET
with query parameters. POST requests fail with AA_CRYPTO_MISSING.

Changes:

  • process_response() — Decrypt tobeparsed with AES-256-GCM instead of
    AES-256-CTR (openssl enc doesn't support AEAD, so uses Node.js crypto)
  • get_episode_url() — Generate dynamic aaReq token via the same XOR-derived
    key and include it in the GraphQL extensions; removed dead POST fallback
  • allanime_key — XOR-derived key from two static secrets (matching the
    official site's build) instead of SHA256(Xot36i3lK3:v1)

The aaReq token is time-bound (5-minute window) and encrypted with AES-256-GCM
using the same key, matching the exact protocol the AllAnime website uses.

No new runtime dependencies — Node.js crypto is built-in. nodejs added to
dependency list in README and dep checker.

Before Fix:

image

After Fix:

image

bl33dz added 2 commits July 8, 2026 14:08
AllAnime changed its GraphQL API. Episode source requests now require:
- AES-256-GCM aaReq token in extensions (replaces old AES-256-CTR)
- XOR-derived key instead of SHA256('Xot36i3lK3:v1')
- Decrypt tobeparsed response with same GCM key
- POST fallback removed (AllAnime now requires GET + aaReq)

Uses Node.js crypto module (built-in, no new deps) for GCM operations
since openssl enc does not support AEAD ciphers.

Based on anipy-cli fix: sdaqo/anipy-cli#332
@candrapersada

candrapersada commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

but have to install node and doesn't work in deno
but if use deno eval work without node -e
and Yt server missing from ani-cli
and some anime don't have mp4upload as server
image
or
image

@Rikaisan

Rikaisan commented Jul 9, 2026

Copy link
Copy Markdown

I personally don't like the inclusion of a JS runtime as a dependency, as it can lead to ani-cli packages being prone to all of the JS-targetting malware worms, are there no other alternatives?

@guidoaguiar

Copy link
Copy Markdown

i had to force this PR on my machice to make it work, it was not finding any media to play

This was referenced Jul 9, 2026
@skaarl-user

Copy link
Copy Markdown

I personally don't like the inclusion of a JS runtime as a dependency, as it can lead to ani-cli packages being prone to all of the JS-targetting malware worms, are there no other alternatives?

aren't those only on NPM? (in the same sense of the AUR incident)
using just native node.js libs can't bring worms by themselves without a zero day exploit, on Node.js itself, different than supply chain attack when you use npm/bun install deps.

correct me if I'm wrong tho, I always use --ignore-scripts and minimize deps footprint and avoid adding big/new ones.

@candrapersada

Copy link
Copy Markdown
Contributor

I personally don't like the inclusion of a JS runtime as a dependency, as it can lead to ani-cli packages being prone to all of the JS-targetting malware worms, are there no other alternatives?

aren't those only on NPM? (in the same sense of the AUR incident) using just native node.js libs can't bring worms by themselves without a zero day exploit, on Node.js itself, different than supply chain attack when you use npm/bun install deps.

correct me if I'm wrong tho, I always use --ignore-scripts and minimize deps footprint and avoid adding big/new ones.

or use deno

@skaarl-user

Copy link
Copy Markdown

or use deno

I've used it before on my personal projects, but the matter of my question is about the package manager, how safer is it than other options? what does it do different in regards to the supply chain attacks I mentioned on NPM

I know they bundle a bunch of useful tools directly, but looking into the NPM compromises am I missing something?

tnx for recommendation anyways, I'm already about 6 months away from js world cause I took the decision of diving into Linux and I am now learning the low level stuff I ignored during years

@bcain2121

Copy link
Copy Markdown

Thanks for this fix it worked for me.

Hey I am a newby here 100% a vibe coder, I was wondering if someone with more experience could explain how they reverse engineered the allanime website to create this app its amazing. I was wondering if its possible to do this basically with any streaming website.

@bl33dz

bl33dz commented Jul 9, 2026

Copy link
Copy Markdown
Author

but have to install node and doesn't work in deno but if use deno eval work without node -e and Yt server missing from ani-cli and some anime don't have mp4upload as server image or image

I choose to use node because I believe its more familiar to most user.

@bl33dz

bl33dz commented Jul 9, 2026

Copy link
Copy Markdown
Author

I personally don't like the inclusion of a JS runtime as a dependency, as it can lead to ani-cli packages being prone to all of the JS-targetting malware worms, are there no other alternatives?

Theres a reason why i choose node, because crypto is built-in module and requires no npm dependencies. I already tried using python but it would require dependencies like cryptography or pycryptodome.

I also considered the openssl but openssl enc doesn't support AES-GCM for encryption/decryption as stated in OpenSSL Docs: https://docs.openssl.org/3.3/man1/openssl-enc/#supported-ciphers

This command does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future.

@mbpowers

mbpowers commented Jul 9, 2026

Copy link
Copy Markdown

I noticed the allanime_key, buildId and epoch are hardcoded. In #1774 I was able to scrape these from their scripts.

The mask and partB (XORed to generate the key) changed yesterday though key generated from them remained the same... which is kinda strange

The buildId has already changed to 12 as well but it seems to have no affect what it is set to.

Also the epoch of 4128 hasn't changed I'm not entirely sure what that indicates or if it will change. I would've expected that counts days but. I did try 4129 and 4127 and that causes it to fail though.

So it seems like hardcoding is relatively stable for now but these are my findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants