Make mrpack downloads HTTPS-only (#5882)

* Add set of trusted download hosts for mrpacks

* split secure/insecure reqwest client

* make fetching https-only

* lint fix
aecsocket
2026-04-23 20:04:38 +01:00
committed by GitHub
parent 6862cf5ab2
commit 11ac27f71f
6 changed files with 89 additions and 30 deletions


@@ -1,5 +1,5 @@
use crate::ErrorKind;
use crate::util::fetch::REQWEST_CLIENT;
use crate::util::fetch::INSECURE_REQWEST_CLIENT;
use base64::Engine;
use base64::prelude::{BASE64_STANDARD, BASE64_URL_SAFE_NO_PAD};
use chrono::{DateTime, Duration, TimeZone, Utc};
@@ -855,7 +855,7 @@ async fn oauth_token(
query.insert("scope", REQUESTED_SCOPE);
let res = auth_retry(|| {
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.post("https://login.live.com/oauth20_token.srf")
.header("Accept", "application/json")
.form(&query)
@@ -903,7 +903,7 @@ async fn oauth_refresh(
query.insert("scope", REQUESTED_SCOPE);
let res = auth_retry(|| {
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.post("https://login.live.com/oauth20_token.srf")
.header("Accept", "application/json")
.form(&query)
@@ -1048,7 +1048,7 @@ async fn minecraft_token(
let token = token.token;
let res = auth_retry(|| {
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.post("https://api.minecraftservices.com/launcher/login")
.header("Accept", "application/json")
.json(&json!({
@@ -1276,7 +1276,7 @@ async fn minecraft_profile(
token: &str,
) -> Result<MinecraftProfile, MinecraftAuthenticationError> {
let res = auth_retry(|| {
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.get("https://api.minecraftservices.com/minecraft/profile")
.header("Accept", "application/json")
.bearer_auth(token)
@@ -1327,7 +1327,7 @@ async fn minecraft_entitlements(
token: &str,
) -> Result<MinecraftEntitlements, MinecraftAuthenticationError> {
let res = auth_retry(|| {
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.get(format!("https://api.minecraftservices.com/entitlements/license?requestId={}", Uuid::new_v4()))
.header("Accept", "application/json")
.bearer_auth(token)
@@ -1471,7 +1471,7 @@ async fn send_signed_request<T: DeserializeOwned>(
let signature = BASE64_STANDARD.encode(&sig_buffer);
let res = auth_retry(|| {
let mut request = REQWEST_CLIENT
let mut request = INSECURE_REQWEST_CLIENT
.post(url)
.header("Content-Type", "application/json; charset=utf-8")
.header("Accept", "application/json")
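Review bot: Every request in this file that carries an OAuth code, refresh token or bearer token now goes through `INSECURE_REQWEST_CLIENT`, so the HTTPS-only enforcement this commit introduces presumably does not cover the most credential-sensitive traffic (the client definitions are outside this section, so this is inferred from the name and the commit message). The endpoints in `oauth_token`, `oauth_refresh`, `minecraft_token`, `minecraft_profile` and `minecraft_entitlements` are all `https://` literals, so they look like candidates for the HTTPS-only client; `send_signed_request` posts to a caller-supplied `url`, which is the one call where a scheme restriction would actually change behaviour. If the insecure client is needed here for another reason, a comment at the call sites such as `// fixed https:// auth endpoint; insecure client used only because <reason>` would stop the name from reading as a downgrade. The same substitution appears in the cape and skin operations of the next file, and all of these function bodies continue outside the hunks shown.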


@@ -11,7 +11,7 @@ use crate::{
ErrorKind,
data::Credentials,
state::{MinecraftProfile, PROFILE_CACHE, ProfileCacheEntry},
util::fetch::REQWEST_CLIENT,
util::fetch::INSECURE_REQWEST_CLIENT,
};
/// Provides operations for interacting with capes on a Minecraft player profile.
@@ -23,7 +23,7 @@ impl MinecraftCapeOperation {
cape_id: Uuid,
) -> crate::Result<()> {
update_profile_cache_from_response(
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.put("https://api.minecraftservices.com/minecraft/profile/capes/active")
.header("Content-Type", "application/json; charset=utf-8")
.header("Accept", "application/json")
@@ -42,7 +42,7 @@ impl MinecraftCapeOperation {
pub async fn unequip_any(credentials: &Credentials) -> crate::Result<()> {
update_profile_cache_from_response(
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.delete("https://api.minecraftservices.com/minecraft/profile/capes/active")
.header("Accept", "application/json")
.bearer_auth(&credentials.access_token)
@@ -92,7 +92,7 @@ impl MinecraftSkinOperation {
);
update_profile_cache_from_response(
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.post(
"https://api.minecraftservices.com/minecraft/profile/skins",
)
@@ -110,7 +110,7 @@ impl MinecraftSkinOperation {
pub async fn unequip_any(credentials: &Credentials) -> crate::Result<()> {
update_profile_cache_from_response(
REQWEST_CLIENT
INSECURE_REQWEST_CLIENT
.delete("https://api.minecraftservices.com/minecraft/profile/skins/active")
.header("Accept", "application/json")
.bearer_auth(&credentials.access_token)