Open rom1504 opened 3 years ago
Add a nice menu for it
Cache the token in local storage
Password has been temporarily removed.
However, I think it should still be possible to optionally put a password there (with some warnings), so this works on all servers.
Still important to make this work
In some contexts (for example if you host the proxy yourself), it's completely secure to have the password in the browser
in a public demo context it can be ok with some warnings imo
Some more information
yggdrasil:
both of those need to be called in sequence
One option could be to ask the user to run 2 fetch commands in a https://authserver.mojang.com/ tab
It's very clunky but it works
Another option is to go through the proxy. We can't simply use net-browserify because yggdrasil uses node fetch which uses https which doesn't use net
Options:
For microsoft all of this is a bit different but also doesn't solve everything. But anyway most accounts are still yggdrasil
doing a completely custom auth proxy is probably the best way in this proxy path
https://github.com/PrismarineJS/prismarine-web-client/pull/154 works but is insecure
idea from circuit10: forge an https request in the browser, send it with websocket, then directly send that request to the mojang server without decrypting; that way the proxy does not see the password. May solve the security issue.
However it does not solve the "this ip looks like a vpn" issue
https://bugs.mojang.com/browse/WEB-2776?jql=text%20~%20%22Cors%22
The best solution is for mojang to fix this. There's a small chance there is some hope if we provide a motivating use case by having pweb-client have some success
Hello, would this be any easier now that Microsoft is migrating accounts to their auth?
Would it be possible to use OAuth for migrated accounts? It's somewhat more secure as it doesn't give out a password.
using microsoft auth is required for some accounts yes, but it doesn't make things any easier as multiple APIs necessary for the process (e.g. xboxlive ones) do not return CORS headers
What about this? (https://mojang-api-docs.netlify.app/authentication/msa.html)
@y2k04 last time we checked there was no way to use it without cors headers but if you want to try, that would be great to hear otherwise
Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?
yes
> Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?
You could use Heroku or AWS to host this service?
Don’t think hosting is an issue, passing credentials through our servers poses several security issues though
> Don’t think hosting is an issue, passing credentials through our servers poses several security issues though
Then why not use a handshake protocol? (Comparing values sent by the client to the server and vice versa, and encrypting it with client specific codes which are randomly generated)
Not sure I understand, but we can’t implement anything MC server side
> Not sure I understand, but we can’t implement anything MC server side
Just like the proxy, but we use that to authenticate with Microsoft
The way to do authentication is handled by Mojang, we cannot change anything about that
Yes we could set up an auth proxy. It would likely get banned quickly by Mojang but I guess if we want to try I could do it
> It would likely get banned quickly by Mojang
Probably only if there were a lot of incorrect logon attempts. The proxy can implement its own rate limiting if that's a concern.
I was more thinking of something like what https://github.com/ttalvitie/browservice/ does.
Maybe we could use a browser extension instead of a proxy. Could be similar to this.
if there was a good extension we could at least provide the alternative to the user yes
What about this? (It is incredibly easy to create a Azure App Registration, I've already created a Test App to attempt to learn how the auth works 😀)
Try it ;)
Apparently it doesn't work.