Skip to content

Releases: cev-api/Token-Protector

Token Protector v1.0.3

Choose a tag to compare

@cev-api cev-api released this 14 Jul 10:39

Runtime hardening and compatibility

  • Removed the public mutable TokenStash token holder and unused plaintext SafeUser copy.
  • Removed the access token from public-facing TokenVault data; redirected authentication reads it from an internal holder.
  • Retained the requested whitelist behaviour for trusted applications.
  • Disabled the NONE replacement mode for access-token and session-ID protection, and normalize existing credential settings to fake values.
  • Made critical authentication redirects required so a missing target fails loudly instead of silently leaving a gap.
  • Split authlib request mixins by supported Minecraft/authlib versions, fixing the authlib 9 / Minecraft 26.2 startup incompatibility while retaining the authlib 7 path.
  • Reduced the environment-leak diagnostic from a large token prefix to a short masked preview with token length.

Documentation and security scope

  • Narrowed absolute claims to documented, regression-tested in-game access paths.
  • Documented the limits raised in the review: hostile same-JVM mods, mixin cancellation/priority changes, earlier bootstrap hooks, transformers/agents, alternative egress hooks, launcher sources, and disk credential files.
  • Clarified that whitelisting is an explicit trust decision and can supply real credentials.
  • Changed “Blocked” wording to “Tested: fake result” when the statement is based on the regression harness.
  • Added FAQ answers covering mixin cancellation/priority, earlier bootstrap hooks, why per-launch renaming is not a security boundary, and launcher/external credential sources.

Important limitation

These changes harden the implementation and make its claims accurate. They do not turn Fabric mods into a sandbox: code running in the same JVM can deliberately target TokenProtector or use credential sources outside its covered paths. This is known and obvious but was not clearly stated in previous releases.

Token Protector v1.0.2

Choose a tag to compare

@cev-api cev-api released this 21 Jun 14:02

v1.0.2

Bootstrap hardening

  • MainMixin - stashAndPassThrough renamed to stashAndPoisonUserArg. Now returns a fake token as the constructor argument. Any mod hooking User.<init> HEAD sees the fake, not the real JWT.
  • UserMixin - uses TokenStash.realAccessToken as source of truth for TokenVault.store() and field poisoning. TokenStash sync now requires the caller to actually hold the real token (accessToken.equals(realAccessToken)). Getter whitelist check tightened via isWhitelistedModAccess.

Authlib rewrite (AuthlibMinecraftClientMixin)

  • Removed the HEAD/RETURN swap pattern (swapToReal/swapToFake) and all spin-race detection counters.
  • Now uses @Redirect on every setRequestProperty("Authorization", ...) call in prepareRequest, get, postInternal.
  • Injects the real JWT directly into the Bearer header value at request time. The accessToken field stays fake at rest permanently.

New mixins

  • YggdrasilAuthenticationServiceMixin - @ModifyArg on createUserApiService and createFriendsService. Replaces tokens passed to authlib service constructors with fakes. Real auth goes through the header @Redirect path instead.
  • ClientHandshakePacketListenerImplMixin - @Redirects User.getProfileId() and User.getAccessToken() in authenticateServer. Pulls real values from TokenVault.getStored() directly, keeping multiplayer join working without public getters returning real data.

Compatibility & 26.2 Support

  • New: MinecraftCompat - reflective getToastManager() for 26.2 (moved onto the gui object). Used everywhere across AlertManager and TokenProtectorMod.
  • TokenVault - new getStored(User) method for direct value retrieval.

OS leak scan improvements

  • shouldFlagEnvironmentVariable(): suppresses path/version/JVM-flag false positives before flagging.
  • looksLikeJwt(): requires 3 segments with 8+ chars each (no longer false-positives on 26.1.2).
  • looksLikeOpenAiKey(): detects sk- prefix.
  • looksLikeCredentialValue(), looksLikePathValue(), looksLikeVersionValue(): new false-positive filters.
  • looksLikeSensitiveKey(): expanded (API_KEY, OPENAI, SECRET, SESSION, JWT, OAUTH).

Build

  • MC 26.1.2 to 26.2, deps bumped (loom 1.17.12, fabric 0.152.2, loader 0.19.3, modmenu 20.0.0).
  • Output JARs use artifactLabel (mc1.21.11 / mc26.x).
  • clean deletes all version build dirs.
  • ConfigScreen: setScreen to setScreenAndShow for 26.2 API.