You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
MainMixin - stashAndPassThrough renamed to stashAndPoisonUserArg. Now returns a fake token as the constructor argument. Any mod hooking User.<init> HEAD sees the fake, not the real JWT.
UserMixin - uses TokenStash.realAccessToken as source of truth for TokenVault.store() and field poisoning. TokenStash sync now requires the caller to actually hold the real token (accessToken.equals(realAccessToken)). Getter whitelist check tightened via isWhitelistedModAccess.
Authlib rewrite (AuthlibMinecraftClientMixin)
Removed the HEAD/RETURN swap pattern (swapToReal/swapToFake) and all spin-race detection counters.
Now uses @Redirect on every setRequestProperty("Authorization", ...) call in prepareRequest, get, postInternal.
Injects the real JWT directly into the Bearer header value at request time. The accessToken field stays fake at rest permanently.
New mixins
YggdrasilAuthenticationServiceMixin - @ModifyArg on createUserApiService and createFriendsService. Replaces tokens passed to authlib service constructors with fakes. Real auth goes through the header @Redirect path instead.
ClientHandshakePacketListenerImplMixin - @Redirects User.getProfileId() and User.getAccessToken() in authenticateServer. Pulls real values from TokenVault.getStored() directly, keeping multiplayer join working without public getters returning real data.
Compatibility & 26.2 Support
New: MinecraftCompat - reflective getToastManager() for 26.2 (moved onto the gui object). Used everywhere across AlertManager and TokenProtectorMod.
TokenVault - new getStored(User) method for direct value retrieval.
OS leak scan improvements
shouldFlagEnvironmentVariable(): suppresses path/version/JVM-flag false positives before flagging.
looksLikeJwt(): requires 3 segments with 8+ chars each (no longer false-positives on 26.1.2).
looksLikeOpenAiKey(): detects sk- prefix.
looksLikeCredentialValue(), looksLikePathValue(), looksLikeVersionValue(): new false-positive filters.