Make mrpack downloads HTTPS-only (#5882)

* Add set of trusted download hosts for mrpacks

* split secure/insecure reqwest client

* make fetching https-only

* lint fix

packages/app-lib/src/api/minecraft_auth.rs

@@ -4,11 +4,11 @@ use reqwest::StatusCode;
 
 use crate::State;
 use crate::state::{Credentials, MinecraftLoginFlow};
-use crate::util::fetch::REQWEST_CLIENT;
+use crate::util::fetch::INSECURE_REQWEST_CLIENT;
 
 #[tracing::instrument]
 pub async fn check_reachable() -> crate::Result<()> {
-    let resp = REQWEST_CLIENT
+    let resp = INSECURE_REQWEST_CLIENT
         .get("https://sessionserver.mojang.com/session/minecraft/hasJoined")
         .send()
         .await?;

packages/app-lib/src/api/minecraft_skins/png_util.rs

@@ -14,7 +14,7 @@ use tokio_util::compat::FuturesAsyncReadCompatExt;
 use url::Url;
 
 use crate::{
-    ErrorKind, minecraft_skins::UrlOrBlob, util::fetch::REQWEST_CLIENT,
+    ErrorKind, minecraft_skins::UrlOrBlob, util::fetch::INSECURE_REQWEST_CLIENT,
 };
 
 pub async fn url_to_data_stream(
@@ -25,7 +25,7 @@ pub async fn url_to_data_stream(
 
         Ok(Either::Left(stream::once(async { Ok(data) })))
     } else {
-        let response = REQWEST_CLIENT
+        let response = INSECURE_REQWEST_CLIENT
             .get(url.as_str())
             .header("Accept", "image/png")
             .send()

packages/app-lib/src/api/profile/mod.rs

@@ -863,7 +863,7 @@ async fn run_credentials(
         if !project_id.trim().is_empty() {
             let server_id = uuid::Uuid::new_v4().to_string();
 
-            let join_result = fetch::REQWEST_CLIENT
+            let join_result = fetch::INSECURE_REQWEST_CLIENT
                 .post("https://sessionserver.mojang.com/session/minecraft/join")
                 .json(&json!({
                     "accessToken": &credentials.access_token,