feat(api): session token

1zun4 · 1zun4 · commit 856e40136608 · 2025-05-20T03:28:09.000+02:00
diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock
diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml
@@ -47,6 +47,7 @@ sysinfo = "0.29"
 regex = "1.7.0"
 uuid = { version = "1.2", features = ["serde", "v4"] }
 chrono = { version = "0.4", features = ["serde"] }
+rand = "0.9"
 
 sha1 = "0.10"
 base16ct = {version = "0.2.0", features = ["alloc"] }
diff --git a/src-tauri/src/app/client_api.rs b/src-tauri/src/app/client_api.rs
@@ -49,21 +49,23 @@ pub struct Client {
     // To show a warning to the user when using a non-secure connection,
     // we need to pass this information to the frontend.
     is_secure: bool,
+    session_token: String
 }
 
 impl Client {
-    pub fn new(host: &str) -> Self {
+    pub fn new(host: &str, session_token: String) -> Self {
         Self {
             url: host.to_string(),
             is_secure: host.starts_with("https://"),
+            session_token
         }
     }
 
     /// Finds the first available API endpoint
     /// and returns a [Client] instance with the endpoint set.
     ///
     /// Returns [String] as error with technical information if no API endpoint is reachable.
-    pub async fn lookup() -> Result<Self, String> {
+    pub async fn lookup(session_token: String) -> Result<Self, String> {
         let span = debug_span!("api_lookup");
         let _guard = span.enter();
 
@@ -127,7 +129,7 @@ impl Client {
 
             if is_success {
                 debug!(parent: &span, "API endpoint '{}' is available", endpoint);
-                return Ok(Self::new(endpoint));
+                return Ok(Self::new(endpoint, session_token));
             }
         }
 
@@ -205,6 +207,7 @@ impl Client {
     pub async fn request_from_endpoint<T: DeserializeOwned>(&self, api_version: &str, endpoint: &str) -> Result<T> {
         Ok(HTTP_CLIENT
             .get(format!("{}/{}/{}", self.url, api_version, endpoint))
+            .header("X-Session-Token", &self.session_token)
             .send()
             .await?
             .error_for_status()?
@@ -219,6 +222,7 @@ impl Client {
     ) -> Result<T> {
         Ok(client_account
             .authenticate_request(HTTP_CLIENT.get(format!("{}/{}/{}", self.url, API_V3, endpoint)))?
+            .header("X-Session-Token", &self.session_token)
             .send()
             .await?
             .error_for_status()?
diff --git a/src-tauri/src/app/gui/commands/system.rs b/src-tauri/src/app/gui/commands/system.rs
@@ -26,8 +26,8 @@ pub(crate) async fn get_launcher_version() -> Result<String, String> {
 }
 
 #[tauri::command]
-pub(crate) async fn setup_client() -> Result<Client, String> {
-    Client::lookup()
+pub(crate) async fn setup_client(session_token: String) -> Result<Client, String> {
+    Client::lookup(session_token)
         .await
 }
 
diff --git a/src-tauri/src/app/options.rs b/src-tauri/src/app/options.rs
@@ -22,6 +22,7 @@ use std::{collections::HashMap, path::Path};
 use crate::minecraft::java::DistributionSelection;
 use crate::{auth::ClientAccount, minecraft::auth::MinecraftAccount};
 use anyhow::Result;
+use rand::distr::{Alphanumeric, SampleString};
 use serde::{Deserialize, Serialize};
 use tokio::fs;
 use tracing::info;
@@ -72,6 +73,8 @@ pub(crate) struct LauncherOptions {
     pub concurrent_downloads: u32,
     #[serde(rename = "keepLauncherOpen")]
     pub keep_launcher_open: bool,
+    #[serde(rename = "sessionToken", default = "random_token")]
+    pub session_token: String,
 }
 
 #[derive(Serialize, Deserialize)]
@@ -126,6 +129,7 @@ impl Options {
                 keep_launcher_open: legacy.keep_launcher_open,
                 show_nightly_builds: legacy.show_nightly_builds,
                 concurrent_downloads: legacy.concurrent_downloads as u32,
+                session_token: random_token()
             },
             premium_options: PremiumOptions {
                 account: legacy.client_account,
@@ -170,6 +174,7 @@ impl Default for LauncherOptions {
             show_nightly_builds: false,
             keep_launcher_open: false,
             concurrent_downloads: 10,
+            session_token: random_token()
         }
     }
 }
@@ -198,6 +203,10 @@ fn default_memory() -> u64 {
     4096
 }
 
+fn random_token() -> String {
+    Alphanumeric.sample_string(&mut rand::rng(), 16)
+}
+
 // Legacy format structure
 #[derive(Deserialize)]
 #[allow(unused)]
diff --git a/src/lib/Window.svelte b/src/lib/Window.svelte
@@ -66,7 +66,9 @@
 
     async function setupClient() {
         try {
-            client = await invoke("setup_client");
+            client = await invoke("setup_client", {
+                sessionToken: options.launcher.sessionToken
+            });
             console.info("API Client has been set up", client);
         } catch (e) {
             console.error("Failed to set up API client:", e);
@@ -88,8 +90,8 @@
     }
 
     onMount(async () => {
-        await Promise.all([handleUpdate(), setupClient(), checkSystem()]);
         await setupOptions();
+        await Promise.all([handleUpdate(), setupClient(), checkSystem()]);
         loading = false;
     });
 </script>

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,8 @@ pub(crate) async fn get_launcher_version() -> Result<String, String> {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`#[tauri::command]`
`29`		`-pub(crate) async fn setup_client() -> Result<Client, String> {`
`30`		`- Client::lookup()`
	`29`	`+pub(crate) async fn setup_client(session_token: String) -> Result<Client, String> {`
	`30`	`+ Client::lookup(session_token)`
`31`	`31`	`.await`
`32`	`32`	`}`
`33`	`33`