Provide a UI for setting a custom Client ID at runtime about polymc HOT 10 CLOSED

PolyMC already defaults to our Client ID. It works even if compiled without specifying a client ID.

from polymc.

That leaves the default Client ID distributed, which may bring risks for PolyMC since malicious third-party clients may also use that Client ID.

from polymc.

understood, I'll work on this later if MultiMC doesn't implement it first.

from polymc.

I mean, what MultiMC is doing in their binaries is basically the same. You can extract the api key and use it maliciously from the binary.

from polymc.

that's what I was thinking, no reason to not include it now. We can always make a new one and if people consistently abuse then we can switch over to this.

from polymc.

MultiMC uses a secret system to store the Client ID and possibly obfuscates it at compile time.
Not once is it publicly exposed, and finding it requires a lot of digging and reversing data

from polymc.

MultiMC uses a secret system to store the Client ID and possibly obfuscates it at compile time. Not once is it publicly exposed, and finding it requires a lot of digging and reversing data

its still public and easy to extract, https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=multimc-git#n55

from polymc.

"public" is a questionable statement
its unobfuscated within the binary but nothing is stopping the devs to add a layer of encryption ontop that could make the effort of getting the ID harder.

from polymc.

That is still public. When its on the client machine, its just a matter of time to get it back.

from polymc.

At the end there is no good way to do this
Either you setup a proxy that stores the client ID, but then the user is essentially MITM'd
or you put the client ID in the program but then you suffer from people using it to impersonate the project.

The solution that the MultiMC project took was keeping the ClientID in the public, until that was abused
Then it was put into a dedicated secret subproject with the ID, which won't stop those that try hard enough yes but it will stop most of those trying.

I won't doubt that the MultiMC project might put more work into that in the future to ensure things like the AUR situation won't happen

from polymc.