
Fix auth

Open rom1504 opened this issue 4 years ago • 26 comments

Apparently it doesn't work.

rom1504 avatar Mar 01 '21 19:03 rom1504

Add a nice menu for it. Cache the token in local storage.

rom1504 avatar Mar 04 '21 11:03 rom1504

Password has been temporarily removed.

However, I think it should still be possible to optionally put a password there (with some warnings), so this works on all servers.

Still important to make this work

In some contexts (for example if you host the proxy yourself), it's completely secure to have the password in the browser

in a public demo context in can be ok with some warnings imo

rom1504 avatar Mar 16 '21 00:03 rom1504

Some more information

yggdrasil:

  • /auth
  • /join

Both of those need to be called in sequence. One option could be to ask the user to run 2 fetch commands in a https://authserver.mojang.com/ tab. It's very clunky but it works.

Another option is to go through the proxy. We can't simply use net-browserify because yggdrasil uses node fetch, which uses https, which doesn't use net. Options:

  • use a socks5 or https proxy and pass that to yggdrasil: not obvious what package to use to host this, plus it's one more thing to host; tried: proxy-agent doesn't work in the browser; https://www.npmjs.com/package/socksv5 is an easy way to run a proxy
  • make yggdrasil use net somehow so we can just keep using net-browserify for this too

For microsoft all of this is a bit different but also doesn't solve everything. But anyway most accounts are still yggdrasil

rom1504 avatar Mar 27 '21 11:03 rom1504

doing a completely custom auth proxy is probably the best way in this proxy path

rom1504 avatar Mar 27 '21 12:03 rom1504

https://github.com/Rob--W/cors-anywhere

https://wiki.vg/Protocol_Encryption#Authentication https://wiki.vg/Authentication

rom1504 avatar Mar 27 '21 12:03 rom1504

https://github.com/PrismarineJS/prismarine-web-client/pull/154 works but insecure

idea from circuit10: forge an https request in the browser, send it with websocket, then directly send that request to the mojang server without decrypting; that way the proxy does not see the password.

may solve the security issue.

However it does not solve the "this ip looks like a vpn" issue

rom1504 avatar Mar 27 '21 21:03 rom1504

https://bugs.mojang.com/browse/WEB-2776?jql=text%20~%20%22Cors%22

The best solution is for mojang to fix this. There's a small chance there is some hope if we provide a motivating use case by having pweb-client have some success

rom1504 avatar Mar 27 '21 22:03 rom1504

Hello, would this be any easier now that Microsoft is migrating accounts to their auth?

IlanLuci avatar Oct 20 '21 17:10 IlanLuci

Would it be possible to use OAuth for migrated accounts? It's somewhat more secure as it doesn't give out a password.

Pandapip1 avatar Nov 04 '21 15:11 Pandapip1

using microsoft auth is required for some accounts yes, but it doesn't make things any easier as multiple APIs necessary for the process (e.g. xboxlive ones) do not return CORS headers

rom1504 avatar Dec 12 '21 16:12 rom1504

What about this? (https://mojang-api-docs.netlify.app/authentication/msa.html)

y2k04 avatar Jan 26 '22 02:01 y2k04

@y2k04 last time we checked there was no way to use it without cors headers but if you want to try, that would be great to hear otherwise

rom1504 avatar Jan 26 '22 08:01 rom1504

Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

Pandapip1 avatar Jan 26 '22 12:01 Pandapip1

yes

rom1504 avatar Jan 26 '22 13:01 rom1504

> Couldn't a https://github.com/Rob--W/cors-anywhere proxy be set up?

You could use Heroku or AWS to host this service?

y2k04 avatar Jan 28 '22 04:01 y2k04

Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

raymondjxu avatar Jan 28 '22 04:01 raymondjxu

> Don’t think hosting is an issue, passing credentials through our servers poses several security issues though

Then why not use a handshake protocol? (Comparing values sent by the client to the server and vice versa, and encrypting it with client specific codes which are randomly generated)

y2k04 avatar Jan 28 '22 04:01 y2k04

Not sure I understand, but we can’t implement anything MC server side

raymondjxu avatar Jan 28 '22 05:01 raymondjxu

> Not sure I understand, but we can’t implement anything MC server side

Just like the proxy, but we use that to authenticate with Microsoft

y2k04 avatar Jan 28 '22 05:01 y2k04

The way to do authentication is handled by Mojang, we cannot change anything about that

Yes we could set up an auth proxy. It would likely get banned quickly by Mojang but I guess if we want to try I could do it

rom1504 avatar Jan 28 '22 08:01 rom1504

> It would likely get banned quickly by Mojang

Probably only if there were a lot of incorrect logon attempts. The proxy can implement its own rate limiting if that's a concern.

Pandapip1 avatar Jan 29 '22 14:01 Pandapip1

I was more thinking of something like what https://github.com/ttalvitie/browservice/ does.

y2k04 avatar Jan 29 '22 22:01 y2k04

Maybe we could use a browser extension instead of a proxy. Could be similar to this.

autowert66 avatar Feb 19 '22 23:02 autowert66

if there was a good extension we could at least provide the alternative to the user yes

rom1504 avatar Feb 20 '22 00:02 rom1504

What about this? (It is incredibly easy to create an Azure App Registration, I've already created a Test App to attempt to learn how the auth works 😀)

https://www.npmjs.com/package/@azure/msal-browser

y2k04 avatar Apr 02 '22 01:04 y2k04

Try it ;)

Also see https://github.com/PrismarineJS/prismarine-auth

rom1504 avatar Apr 02 '22 10:04 rom1504