Releases: cev-api/Token-Protector
Releases · cev-api/Token-Protector
Release list
Token Protector v1.0.3
Runtime hardening and compatibility
- Removed the public mutable
TokenStashtoken holder and unused plaintextSafeUsercopy. - Removed the access token from public-facing
TokenVaultdata; redirected authentication reads it from an internal holder. - Retained the requested whitelist behaviour for trusted applications.
- Disabled the
NONEreplacement mode for access-token and session-ID protection, and normalize existing credential settings to fake values. - Made critical authentication redirects required so a missing target fails loudly instead of silently leaving a gap.
- Split authlib request mixins by supported Minecraft/authlib versions, fixing the authlib 9 / Minecraft 26.2 startup incompatibility while retaining the authlib 7 path.
- Reduced the environment-leak diagnostic from a large token prefix to a short masked preview with token length.
Documentation and security scope
- Narrowed absolute claims to documented, regression-tested in-game access paths.
- Documented the limits raised in the review: hostile same-JVM mods, mixin cancellation/priority changes, earlier bootstrap hooks, transformers/agents, alternative egress hooks, launcher sources, and disk credential files.
- Clarified that whitelisting is an explicit trust decision and can supply real credentials.
- Changed “Blocked” wording to “Tested: fake result” when the statement is based on the regression harness.
- Added FAQ answers covering mixin cancellation/priority, earlier bootstrap hooks, why per-launch renaming is not a security boundary, and launcher/external credential sources.
Important limitation
These changes harden the implementation and make its claims accurate. They do not turn Fabric mods into a sandbox: code running in the same JVM can deliberately target TokenProtector or use credential sources outside its covered paths. This is known and obvious but was not clearly stated in previous releases.
Token Protector v1.0.2
v1.0.2
Bootstrap hardening
- MainMixin -
stashAndPassThroughrenamed tostashAndPoisonUserArg. Now returns a fake token as the constructor argument. Any mod hookingUser.<init>HEAD sees the fake, not the real JWT. - UserMixin - uses
TokenStash.realAccessTokenas source of truth forTokenVault.store()and field poisoning.TokenStashsync now requires the caller to actually hold the real token (accessToken.equals(realAccessToken)). Getter whitelist check tightened viaisWhitelistedModAccess.
Authlib rewrite (AuthlibMinecraftClientMixin)
- Removed the HEAD/RETURN swap pattern (
swapToReal/swapToFake) and all spin-race detection counters. - Now uses
@Redirecton everysetRequestProperty("Authorization", ...)call inprepareRequest,get,postInternal. - Injects the real JWT directly into the
Bearerheader value at request time. TheaccessTokenfield stays fake at rest permanently.
New mixins
- YggdrasilAuthenticationServiceMixin -
@ModifyArgoncreateUserApiServiceandcreateFriendsService. Replaces tokens passed to authlib service constructors with fakes. Real auth goes through the header@Redirectpath instead. - ClientHandshakePacketListenerImplMixin -
@RedirectsUser.getProfileId()andUser.getAccessToken()inauthenticateServer. Pulls real values fromTokenVault.getStored()directly, keeping multiplayer join working without public getters returning real data.
Compatibility & 26.2 Support
- New: MinecraftCompat - reflective
getToastManager()for 26.2 (moved onto theguiobject). Used everywhere acrossAlertManagerandTokenProtectorMod. - TokenVault - new
getStored(User)method for direct value retrieval.
OS leak scan improvements
shouldFlagEnvironmentVariable(): suppresses path/version/JVM-flag false positives before flagging.looksLikeJwt(): requires 3 segments with 8+ chars each (no longer false-positives on26.1.2).looksLikeOpenAiKey(): detectssk-prefix.looksLikeCredentialValue(),looksLikePathValue(),looksLikeVersionValue(): new false-positive filters.looksLikeSensitiveKey(): expanded (API_KEY,OPENAI,SECRET,SESSION,JWT,OAUTH).
Build
- MC 26.1.2 to 26.2, deps bumped (loom 1.17.12, fabric 0.152.2, loader 0.19.3, modmenu 20.0.0).
- Output JARs use
artifactLabel(mc1.21.11/mc26.x). cleandeletes all version build dirs.- ConfigScreen:
setScreentosetScreenAndShowfor 26.2 API.