Releases: cev-api/Token-Protector

Token Protector v1.0.2

21 Jun 14:02

Bootstrap hardening

  • MainMixin - stashAndPassThrough renamed to stashAndPoisonUserArg. Now returns a fake token as the constructor argument. Any mod hooking User.<init> HEAD sees the fake, not the real JWT.
  • UserMixin - uses TokenStash.realAccessToken as source of truth for TokenVault.store() and field poisoning. TokenStash sync now requires the caller to actually hold the real token (accessToken.equals(realAccessToken)). Getter whitelist check tightened via isWhitelistedModAccess.

Authlib rewrite (AuthlibMinecraftClientMixin)

  • Removed the HEAD/RETURN swap pattern (swapToReal/swapToFake) and all spin-race detection counters.
  • Now uses @Redirect on every setRequestProperty("Authorization", ...) call in prepareRequest, get, postInternal.
  • Injects the real JWT directly into the Bearer header value at request time. The accessToken field stays fake at rest permanently.

New mixins

  • YggdrasilAuthenticationServiceMixin - @ModifyArg on createUserApiService and createFriendsService. Replaces tokens passed to authlib service constructors with fakes. Real auth goes through the header @Redirect path instead.
  • ClientHandshakePacketListenerImplMixin - @Redirects User.getProfileId() and User.getAccessToken() in authenticateServer. Pulls real values from TokenVault.getStored() directly, keeping multiplayer join working without public getters returning real data.

Compatibility & 26.2 Support

  • New: MinecraftCompat - reflective getToastManager() for 26.2 (moved onto the gui object). Used everywhere across AlertManager and TokenProtectorMod.
  • TokenVault - new getStored(User) method for direct value retrieval.

OS leak scan improvements

  • shouldFlagEnvironmentVariable(): suppresses path/version/JVM-flag false positives before flagging.
  • looksLikeJwt(): requires 3 segments with 8+ chars each (no longer false-positives on 26.1.2).
  • looksLikeOpenAiKey(): detects sk- prefix.
  • looksLikeCredentialValue(), looksLikePathValue(), looksLikeVersionValue(): new false-positive filters.
  • looksLikeSensitiveKey(): expanded (API_KEY, OPENAI, SECRET, SESSION, JWT, OAUTH).
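
The sketch below shows how this kind of check order plays out; it is an added example, not Token Protector's source. Method names follow the list above, while every method body, the `looksLikeJvmFlag` helper, and the sample environment are assumptions constructed for illustration. It shows why a three-segment test alone matches a version string such as 26.1.2 and how the 8+ character rule and the pre-filters rule it out.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Token Protector's source. Method names follow the
// release notes; every method body and threshold below is an assumption.
public class EnvLeakScanSketch {
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_-]{8,}");
    private static final Pattern VERSION = Pattern.compile("\\d+(\\.\\d+)+");

    // Three dot-separated base64url segments, each 8+ characters.
    static boolean looksLikeJwt(String v) {
        String[] parts = v.split("\\.", -1); // -1 keeps empty segments
        if (parts.length != 3) return false;
        for (String p : parts) {
            if (!SEGMENT.matcher(p).matches()) return false;
        }
        return true;
    }

    static boolean looksLikeOpenAiKey(String v) { return v.startsWith("sk-"); }
    static boolean looksLikeVersionValue(String v) { return VERSION.matcher(v).matches(); }
    static boolean looksLikePathValue(String v) {
        return v.startsWith("/") || v.matches("[A-Za-z]:[\\\\/].*");
    }
    // Hypothetical helper name for the JVM-flag filter the notes mention.
    static boolean looksLikeJvmFlag(String v) { return v.startsWith("-X") || v.startsWith("-D"); }

    // False-positive filters run first, then the positive detectors.
    static boolean shouldFlagEnvironmentVariable(String value) {
        if (looksLikePathValue(value) || looksLikeVersionValue(value) || looksLikeJvmFlag(value)) {
            return false;
        }
        return looksLikeJwt(value) || looksLikeOpenAiKey(value);
    }

    public static void main(String[] args) {
        // Constructed sample environment; none of these values are real credentials.
        Map<String, String> env = new LinkedHashMap<>();
        env.put("MC_VERSION", "26.1.2");
        env.put("JAVA_HOME", "/usr/lib/jvm/java-21");
        env.put("JAVA_TOOL_OPTIONS", "-Xmx4G");
        env.put("SESSION_JWT", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy");
        env.put("OPENAI_API_KEY", "sk-constructed-placeholder");
        env.forEach((k, v) -> System.out.println(
                (shouldFlagEnvironmentVariable(v) ? "FLAG  " : "ok    ") + k));
    }
}
```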

Build

  • MC 26.1.2 to 26.2, deps bumped (loom 1.17.12, fabric 0.152.2, loader 0.19.3, modmenu 20.0.0).
  • Output JARs use artifactLabel (mc1.21.11 / mc26.x).
  • clean deletes all version build dirs.
  • ConfigScreen: setScreen to setScreenAndShow for 26.2 API.