3arthqu4ke / headlessmc

Minecraft on the command line
https://3arthqu4ke.github.io/headlessmc/
MIT License
142 stars 16 forks

No 2FA support whatsoever #90

Closed Alluseri closed 1 month ago

Alluseri commented 10 months ago

Which might be a library issue, but there's also no ability to log in through an authtoken (or it's highly undocumented).

3arthqu4ke commented 10 months ago

What kinda Authtoken do you mean? The Minecraft one?

Alluseri commented 10 months ago

> What kinda Authtoken do you mean? The Minecraft one?

Yeah, that.

3arthqu4ke commented 10 months ago

The account gets stored in HeadlessMC/auth/.account.json:

{
  "type": "msa",
  "name": "3arthqu4ke",
  "id": "<id>",
  "token": "<token>",
  "refreshToken": "<refresh token>",
  "xuid": "<xuid>",
  "clientId": "<clientId>"
}

Alluseri commented 10 months ago

> The account gets stored in HeadlessMC/auth/.account.json:
>
> {
>   "type": "msa",
>   "name": "3arthqu4ke",
>   "id": "<id>",
>   "token": "<token>",
>   "refreshToken": "<refresh token>",
>   "xuid": "<xuid>",
>   "clientId": "<clientId>"
> }

Alright, that will do it, thanks. Issue can be closed if you're not planning to seek a 2FA implementation.

3arthqu4ke commented 10 months ago

Thank you! I will keep it open, but idk when I will get around to doing it.

joshuademarco commented 8 months ago

I think as of December 18th 2023, Minecraft has completely moved away from Mojang accounts. Funnily, people who have the authenticator app connected to their Microsoft Account actually receive a request to accept the login. Unfortunately, headlessmc throws the error from #91 at the same time the request enters the auth app.

For people reading this and searching for a solution:

Disclaimer: Disabling Two-Factor is definitely not recommended and potentially puts your Microsoft Account at risk! (Fun Fact: Just noticed that I have daily login requests coming from China on my account)

Also, even after headlessmc manages to log in with your credentials and retrieves the token information, as soon as Two-Factor is reenabled the tokens become invalid again.

3arthqu4ke commented 7 months ago

For now you could also try to log in with the -webview option, but I can see this could be an issue if you have no screen available. You could log in like that on your machine, then take the HeadlessMC/auth/.account.json and copy it onto the machine that you do not have a display for.

From what I have seen up to now, there is not really an API to do 2 factor auth with; to implement it I would need to automate the webview. I could imagine that something like that could be done with a Selenium-like framework, e.g. jbrowserdriver.
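
An added example, not part of the thread or of HeadlessMC's own code: because the copied `.account.json` carries a live access token and refresh token, this Python check flags a copy that other local users can read, reports empty fields, and returns the contents with the secrets masked. The sample values are constructed, and treating all seven fields from the thread as required is an assumption.

```python
import json
import os
import stat
import tempfile

# Fields shown in the thread; requiring all seven is this example's assumption.
EXPECTED = ("type", "name", "id", "token", "refreshToken", "xuid", "clientId")
SECRET = ("token", "refreshToken")


def audit_account_file(path):
    """Return a list of findings for a copied account file (empty = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes tokens to group/other")
    with open(path, encoding="utf-8") as fh:
        account = json.load(fh)
    for key in EXPECTED:
        value = account.get(key)
        if not isinstance(value, str) or not value:
            findings.append(f"missing or empty field: {key}")
    return findings


def redacted(path):
    """Load the account with secret fields masked, safe to paste into an issue."""
    with open(path, encoding="utf-8") as fh:
        account = json.load(fh)
    return {k: "<redacted>" if k in SECRET else v for k, v in account.items()}


def demo():
    """Audit a constructed sample file; the values are not real credentials."""
    sample = {"type": "msa", "name": "example-user", "id": "constructed-id",
              "token": "constructed-token", "refreshToken": "constructed-refresh",
              "xuid": "", "clientId": "constructed-client-id"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".account.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # typical result of a careless copy
        before = audit_account_file(path)
        os.chmod(path, 0o600)  # owner-only, POSIX permission bits
        return before, audit_account_file(path), redacted(path)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The permission check relies on POSIX mode bits, so on Windows the file's ACL has to be reviewed separately.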

Alluseri commented 7 months ago

Too bad Microsoft OAuth only allows redirects to localhost (iirc), otherwise it'd be possible to just drop the user the link to OAuth and redirect it back to the server.