towerofnix
How to sign in with cookies instead of traditional credentials?
Is there is a possible way to sign in with cookies instead of traditional credentials like @TimMcCool's Python scratchattach?
Well, sort of? All logging in with credentials does is actually provide you with some new cookies, including a fresh session ID to use to interact with Scratch. Successful authentication provides you the scratchsessionsid cookie via the Set-Cookie response header (you can see scratchattach extracting this here).
So, if you have an alternative way of acquiring that session ID without the user's credentials, then yes, you can use it to sign in — after acquiring it you set it as a cookie in your requests, just like normal.
It's important to know that the session ID is still almost as powerful as a user's username and password. It provides "temporary" access to the account (until the session is invalidated, I believe as a result of the user newly signing in themselves), and it's insufficient to change the user's password or password-reset email (both of these require confirming the password, which you won't know, because you only have the session ID). However, it's otherwise just as capable as any login, and can do anything not requiring password confirmation: deleting projects, writing comments or forum posts, following/unfollowing users, etc. You still have to make sure to take responsibility and not let anyone else get access to the session ID, as well as not expect or demand a user to trust it with any server-side code, even open source. (If it's on a server it's impossible for them to verify that the server will handle their session ID with the appropriate care.)
So after I found the code from the scratchattach repository, it gets the cookie to sign in from the username and password to act as the session id. It also allows the user to skip the password with the session id token given by the user.