R2Northstar
Broadcast required mod downloadlink
I love it when servers rely on mods that you can't find on Thunderstore. Depends on R2Northstar/NorthstarMods#309 and R2Northstar/NorthstarLauncher#146
Wait, is this just accepting any link by the gameserver as the download source? This could be really bad if a malicious entity makes a server with a "common" required mod (there's barely servers that require extra mods atm but that might chance with this PR) but adds a malicious download link.
It would probably be better if we grab the Thunderstore link of a mod based on its name directly from Thunderstore to prevent linking to malicious sources.
Of course this doesn't prevent malicious mods but that's a separate issue.
Yeah I'd say that trusting a download link that can be easily directly edited by a malicious user is a bad plan
It would probably be better if we grab the Thunderstore link of a mod based on its name directly from Thunderstore to prevent linking to malicious sources.
Get the download link from the mod name and version combined, that's what thunderstore uses to make sure things are unique, so we should probably mimic that behaviour
Just for some clarification:
A thunderstore download link is like this: https://northstar.thunderstore.io/package/download/<team>/<package_name>/<version>/
A thunderstore package page link is like this
https://northstar.thunderstore.io/package/<team>/<package_name>/
Unfortunately, we don't have the package name or team in the mod.json anywhere, at least we don't have anything that we can guarantee matches
We should really start developing an approval mechanism for mods like a web dashboard and the infrastructure
