Fix auth about prismarine-web-client HOT 26 OPEN

prismarinejs avatar prismarinejs commented on May 25, 2024
Fix auth

from prismarine-web-client.

Comments (26)

rom1504 avatar rom1504 commented on May 25, 2024 1

Try it ;)

Also see https://github.com/PrismarineJS/prismarine-auth

rom1504 avatar rom1504 commented on May 25, 2024

Add a nice menu for it
Cache the token in local storage

rom1504 avatar rom1504 commented on May 25, 2024

Password has been temporarily removed.

However, I think it should still be possible to optionally put a password there (with some warnings), so this works on all servers.

Still important to make this work

In some contexts (for example if you host the proxy yourself), it's completely secure to have the password in the browser

In a public demo context it can be ok with some warnings imo

rom1504 avatar rom1504 commented on May 25, 2024

Some more information

yggdrasil:

  • /auth
  • /join

both of those need to be called in sequence
One option could be to ask the user to run 2 fetch commands in a https://authserver.mojang.com/ tab
It's very clunky but it works

Another option is to go through the proxy. We can't simply use net-browserify because yggdrasil uses node fetch which uses https which doesn't use net
Options:

  • use a socks5 or https proxy and pass that to yggdrasil : not obvious what package to use to host this, plus it's one more thing to host ; tried : proxy-agent doesn't work in the browser ; https://www.npmjs.com/package/socksv5 is an easy way to run a proxy
  • make yggdrasil use net somehow so we can just keep using net-browserify for this too

For microsoft all of this is a bit different but also doesn't solve everything. But anyway most accounts are still yggdrasil

rom1504 avatar rom1504 commented on May 25, 2024

doing a completely custom auth proxy is probably the best way in this proxy path

rom1504 avatar rom1504 commented on May 25, 2024

https://github.com/Rob--W/cors-anywhere

https://wiki.vg/Protocol_Encryption#Authentication
https://wiki.vg/Authentication

rom1504 avatar rom1504 commented on May 25, 2024

#154 works but insecure

idea from circuit10: forge an https request in the browser, send it with websocket, then directly send that request to the mojang server without decrypting
that way the proxy does not see the password

may solve the security issue.

However it does not solve the "this ip looks like a vpn" issue

rom1504 avatar rom1504 commented on May 25, 2024

https://bugs.mojang.com/browse/WEB-2776?jql=text%20~%20%22Cors%22

The best solution is for mojang to fix this.
There's a small chance there is some hope if we provide a motivating use case by having pweb-client have some success

IlanLuci avatar IlanLuci commented on May 25, 2024

Hello, would this be any easier now that Microsoft is migrating accounts to their auth?

Pandapip1 avatar Pandapip1 commented on May 25, 2024

Would it be possible to use OAuth for migrated accounts? It's somewhat more secure as it doesn't give out a password.

rom1504 avatar rom1504 commented on May 25, 2024

Using Microsoft auth is required for some accounts yes, but it doesn't make things any easier as multiple APIs necessary for the process (e.g. xboxlive ones) do not return CORS headers

y2k04 avatar y2k04 commented on May 25, 2024

What about this? (https://mojang-api-docs.netlify.app/authentication/msa.html)

rom1504 avatar rom1504 commented on May 25, 2024

@y2k04 last time we checked there was no way to use it without cors headers but if you want to try, that would be great to hear otherwise

Pandapip1 avatar Pandapip1 commented on May 25, 2024

Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

rom1504 avatar rom1504 commented on May 25, 2024

yes

y2k04 avatar y2k04 commented on May 25, 2024

> Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

You could use Heroku or AWS to host this service?

AwesomestCode avatar AwesomestCode commented on May 25, 2024

Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

y2k04 avatar y2k04 commented on May 25, 2024

> Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

Then why not use a handshake protocol? (Comparing values sent by the client to the server and vice versa, and encrypting it with client specific codes which are randomly generated)

AwesomestCode avatar AwesomestCode commented on May 25, 2024

Not sure I understand, but we can’t implement anything MC server side

y2k04 avatar y2k04 commented on May 25, 2024

> Not sure I understand, but we can’t implement anything MC server side

Just like the proxy, but we use that to authenticate with Microsoft

rom1504 avatar rom1504 commented on May 25, 2024

The way to do authentication is handled by Mojang, we cannot change anything about that

Yes we could set up an auth proxy. It would likely get banned quickly by Mojang but I guess if we want to try I could do it

Pandapip1 avatar Pandapip1 commented on May 25, 2024

> It would likely get banned quickly by Mojang

Probably only if there were a lot of incorrect logon attempts. The proxy can implement its own rate limiting if that's a concern.

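One way the relay-side rate limiting suggested above could look, combined with a target allow-list so the relay only forwards login POSTs to the auth host named in this thread instead of acting as an open CORS proxy. This is an added example, not code from the thread or from prismarine-web-client; `AuthRelayPolicy`, its options, the per-client key (for instance the client address as seen by the relay) and the treatment of any 4xx as a rejected login are assumptions.

```javascript
// Added example: request policy for a hypothetical self-hosted auth relay.
// AuthRelayPolicy and its options are illustrative names, not project code.
const ALLOWED_UPSTREAMS = new Set(['authserver.mojang.com']) // host named in the thread

class AuthRelayPolicy {
  constructor ({ maxFailures = 5, windowMs = 10 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures
    this.windowMs = windowMs
    this.failures = new Map() // clientKey -> timestamps of recent failed logins
  }

  // Refuse to be an open relay: HTTPS only, exact host match, POST only.
  checkTarget (method, targetUrl) {
    let url
    try { url = new URL(targetUrl) } catch { return { ok: false, reason: 'bad-url' } }
    if (url.protocol !== 'https:') return { ok: false, reason: 'not-https' }
    if (!ALLOWED_UPSTREAMS.has(url.hostname)) return { ok: false, reason: 'host-not-allowed' }
    if (method !== 'POST') return { ok: false, reason: 'method-not-allowed' }
    return { ok: true }
  }

  // Drop failures that have aged out of the sliding window.
  recentFailures (clientKey, now) {
    const kept = (this.failures.get(clientKey) || []).filter(t => now - t < this.windowMs)
    if (kept.length > 0) this.failures.set(clientKey, kept)
    else this.failures.delete(clientKey)
    return kept
  }

  // Call before forwarding a login; blocks once the failure budget is spent.
  allow (clientKey, now = Date.now()) {
    const recent = this.recentFailures(clientKey, now)
    if (recent.length < this.maxFailures) return { ok: true }
    const oldestCounted = recent[recent.length - this.maxFailures]
    return { ok: false, retryAfterMs: oldestCounted + this.windowMs - now }
  }

  // Call with the upstream status after forwarding (assumption: 4xx = rejected login).
  record (clientKey, upstreamStatus, now = Date.now()) {
    if (upstreamStatus >= 200 && upstreamStatus < 300) {
      this.failures.delete(clientKey) // successful login clears the counter
    } else if (upstreamStatus >= 400 && upstreamStatus < 500) {
      this.failures.set(clientKey, [...this.recentFailures(clientKey, now), now])
    }
  }
}
```

The policy keeps no request bodies, so credentials passing through the relay are never stored by this layer; it only sees the client key, the target URL and the upstream status code.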

y2k04 avatar y2k04 commented on May 25, 2024

autowert66 avatar autowert66 commented on May 25, 2024

Maybe we could use a browser extension instead of a proxy.
Could be similar to this.

rom1504 avatar rom1504 commented on May 25, 2024

if there was a good extension we could at least provide the alternative to the user yes

y2k04 avatar y2k04 commented on May 25, 2024

What about this? (It is incredibly easy to create an Azure App Registration, I've already created a Test App to attempt to learn how the auth works 😀)

https://www.npmjs.com/package/@azure/msal-browser
