NOISSUE Provide dummy implementation for the secrets library

2021-09-05 18:23:49 +02:00 · 2021-09-05 18:23:49 +02:00 · 878c4fb810
commit 878c4fb810
parent d644fb2094
7 changed files with 69 additions and 13 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -289,7 +289,10 @@ add_subdirectory(buildconfig)

 if(MultiMC_EMBED_SECRETS)
    add_subdirectory(secrets)
+else()
+    add_subdirectory(notsecrets)
 endif()

+
 # NOTE: this must always be last to appease the CMake deity of quirky install command evaluation order.
 add_subdirectory(launcher)
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@ -949,9 +949,7 @@ install(TARGETS MultiMC
    RUNTIME DESTINATION ${BINARY_DEST_DIR} COMPONENT Runtime
 )

-if(MultiMC_EMBED_SECRETS)
 target_link_libraries(MultiMC_logic secrets)
-endif()

 #### The MultiMC bundle mess! ####
 # Bundle utilities are used to complete the portable packages - they add all the libraries that would otherwise be missing on the target system.
--- a/launcher/minecraft/auth/flows/AuthContext.cpp
+++ b/launcher/minecraft/auth/flows/AuthContext.cpp
@ -18,9 +18,7 @@
 #include "katabasis/Globals.h"
 #include "AuthRequest.h"

-#ifdef EMBED_SECRETS
 #include "Secrets.h"
-#endif

 #include "Env.h"

@ -53,13 +51,18 @@ void AuthContext::finishActivity() {
 }

 void AuthContext::initMSA() {
-#ifdef EMBED_SECRETS
    if(m_oauth2) {
        return;
    }
+
+    auto clientId = Secrets::getMSAClientID('-');
+    if(clientId.isEmpty()) {
+        return;
+    }
+
    Katabasis::OAuth2::Options opts;
    opts.scope = "XboxLive.signin offline_access";
-    opts.clientIdentifier = Secrets::getMSAClientID('-');
+    opts.clientIdentifier = clientId;
    opts.authorizationUrl = "https://login.microsoftonline.com/consumers/oauth2/v2.0/devicecode";
    opts.accessTokenUrl = "https://login.microsoftonline.com/consumers/oauth2/v2.0/token";
    opts.listenerPorts = {28562, 28563, 28564, 28565, 28566};
@ -71,7 +74,6 @@ void AuthContext::initMSA() {
    connect(m_oauth2, &OAuth2::linkingSucceeded, this, &AuthContext::onOAuthLinkingSucceeded);
    connect(m_oauth2, &OAuth2::showVerificationUriAndCode, this, &AuthContext::showVerificationUriAndCode);
    connect(m_oauth2, &OAuth2::activityChanged, this, &AuthContext::onOAuthActivityChanged);
-#endif
 }

 void AuthContext::initMojang() {
--- a/launcher/pages/global/AccountListPage.cpp
+++ b/launcher/pages/global/AccountListPage.cpp
@ -37,6 +37,8 @@
 #include "BuildConfig.h"
 #include <dialogs/MSALoginDialog.h>

+#include "Secrets.h"
+
 AccountListPage::AccountListPage(QWidget *parent)
    : QMainWindow(parent), ui(new Ui::AccountListPage)
 {
@ -70,11 +72,8 @@ AccountListPage::AccountListPage(QWidget *parent)

    updateButtonStates();

-    // Xbox authentication won't work without a client identifier, so disable the button
-    // if the build didn't specify one (GH-4012)
-#ifndef EMBED_SECRETS
-    ui->actionAddMicrosoft->setVisible(false);
-#endif
+    // Xbox authentication won't work without a client identifier, so disable the button if it is missing
+    ui->actionAddMicrosoft->setVisible(Secrets::hasMSAClientID());
 }

 AccountListPage::~AccountListPage()
--- a/notsecrets/CMakeLists.txt
+++ b/notsecrets/CMakeLists.txt
@ -0,0 +1,4 @@
+add_library(secrets STATIC Secrets.cpp Secrets.h)
+target_link_libraries(secrets Qt5::Core)
+target_compile_definitions(secrets PUBLIC -DEMBED_SECRETS)
+target_include_directories(secrets PUBLIC .)
--- a/notsecrets/Secrets.cpp
+++ b/notsecrets/Secrets.cpp
@ -0,0 +1,42 @@
+#include "Secrets.h"
+
+#include <array>
+#include <cstdio>
+
+namespace {
+
+/*
+ * This is the MSA client ID. It is confidential and should not be reused.
+ * You can obtain one for yourself by using azure app registration:
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
+ *
+ * The app registration should:
+ * - Be only for personal accounts.
+ * - Not have any redirect URI.
+ * - Not have any platform.
+ * - Have no credentials.
+ * - No certificates.
+ * - No client secrets.
+ * - Enable 'Live SDK support' for access to XBox APIs.
+ * - Enable 'public client flows' for OAuth2 device flow.
+ *
+ * By putting one in here, you accept the terms and conditions for using the MS Identity Plaform and assume all responsibilities associated with it.
+ * See: https://docs.microsoft.com/en-us/legal/microsoft-identity-platform/terms-of-use
+ *
+ * Above all else, do not impersonate other applications! This includes the Mojang Launcher and MultiMC - your builds are *NOT* MultiMC.
+ *
+ * If you intend to base your own launcher on this code, take care and customize this to obfuscate the client ID, so it cannot be trivially found by casual attackers.
+ */
+
+QString MSAClientID = "";
+}
+
+namespace Secrets {
+bool hasMSAClientID() {
+    return !MSAClientID.isEmpty();
+}
+
+QString getMSAClientID(uint8_t separator) {
+    return MSAClientID;
+}
+}
--- a/notsecrets/Secrets.h
+++ b/notsecrets/Secrets.h
@ -0,0 +1,8 @@
+#pragma once
+#include <QString>
+#include <cstdint>
+
+namespace Secrets {
+bool hasMSAClientID();
+QString getMSAClientID(uint8_t separator);
+}