PrismarineJS / prismarine-web-client

Minecraft web client running in your browser
https://prismarinejs.github.io/prismarine-web-client/
MIT License
445 stars 147 forks

Fix auth #27

Open rom1504 opened 3 years ago

rom1504 commented 3 years ago

Apparently it doesn't work.

rom1504 commented 3 years ago

Add a nice menu for it
Cache the token in local storage

rom1504 commented 3 years ago

Password has been temporarily removed.

However, I think it should still be possible to optionally put a password there (with some warnings), so this works on all servers.

Still important to make this work

In some contexts (for example if you host the proxy yourself), it's completely secure to have the password in the browser

In a public demo context it can be ok with some warnings imo

rom1504 commented 3 years ago

Some more information

yggdrasil:

Both of those need to be called in sequence. One option could be to ask the user to run 2 fetch commands in a https://authserver.mojang.com/ tab. It's very clunky but it works.

Another option is to go through the proxy. We can't simply use net-browserify because yggdrasil uses node fetch, which uses https, which doesn't use net.

Options:

For Microsoft all of this is a bit different but also doesn't solve everything. But anyway most accounts are still yggdrasil.

rom1504 commented 3 years ago

doing a completely custom auth proxy is probably the best way in this proxy path

rom1504 commented 3 years ago

https://github.com/Rob--W/cors-anywhere

https://wiki.vg/Protocol_Encryption#Authentication https://wiki.vg/Authentication

rom1504 commented 3 years ago

https://github.com/PrismarineJS/prismarine-web-client/pull/154 works but insecure

Idea from circuit10: forge an https request in the browser, send it over a websocket, then directly send that request to the Mojang server without decrypting it; that way the proxy does not see the password.

may solve the security issue.

However it does not solve the "this ip looks like a vpn" issue

rom1504 commented 3 years ago

https://bugs.mojang.com/browse/WEB-2776?jql=text%20~%20%22Cors%22

The best solution is for mojang to fix this. There's a small chance there is some hope if we provide a motivating use case by having pweb-client have some success

IlanLuci commented 2 years ago

Hello, would this be any easier now that Microsoft is migrating accounts to their auth?

Pandapip1 commented 2 years ago

Would it be possible to use OAuth for migrated accounts? It's somewhat more secure as it doesn't give out a password.

rom1504 commented 2 years ago

Using Microsoft auth is required for some accounts, yes, but it doesn't make things any easier, as multiple APIs necessary for the process (eg xboxlive ones) do not return CORS headers.

y2k04 commented 2 years ago

What about this? (https://mojang-api-docs.netlify.app/authentication/msa.html)

rom1504 commented 2 years ago

@y2k04 last time we checked there was no way to use it without cors headers but if you want to try, that would be great to hear otherwise

Pandapip1 commented 2 years ago

Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

rom1504 commented 2 years ago

yes

y2k04 commented 2 years ago

> Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

You could use Heroku or AWS to host this service?

AwesomestCode commented 2 years ago

Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

y2k04 commented 2 years ago

> Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

Then why not use a handshake protocol? (Comparing values sent by the client to the server and vice versa, and encrypting it with client specific codes which are randomly generated)

AwesomestCode commented 2 years ago

Not sure I understand, but we can’t implement anything MC server side

y2k04 commented 2 years ago

> Not sure I understand, but we can’t implement anything MC server side

Just like the proxy, but we use that to authenticate with Microsoft

rom1504 commented 2 years ago

The way to do authentication is handled by Mojang, we cannot change anything about that.

Yes we could set up an auth proxy. It would likely get banned quickly by Mojang, but I guess if we want to try I could do it.

Pandapip1 commented 2 years ago

> It would likely get banned quickly by Mojang

Probably only if there were a lot of incorrect logon attempts. The proxy can implement its own rate limiting if that's a concern.

y2k04 commented 2 years ago

I was more thinking of something like what https://github.com/ttalvitie/browservice/ does.

autowert66 commented 2 years ago

Maybe we could use a browser extension instead of a proxy. Could be similar to this.

rom1504 commented 2 years ago

if there was a good extension we could at least provide the alternative to the user yes

y2k04 commented 2 years ago

What about this? (It is incredibly easy to create a Azure App Registration, I've already created a Test App to attempt to learn how the auth works 😀)

https://www.npmjs.com/package/@azure/msal-browser

rom1504 commented 2 years ago

Try it ;)

Also see https://github.com/PrismarineJS/prismarine-auth