Merge commit '15892a88d345f7ff67e2e46e298560afb635ac23' into beta

.cargo/config.toml

@@ -2,5 +2,8 @@
 [target.'cfg(windows)']
 rustflags = ["-C", "link-args=/STACK:16777220", "--cfg", "tokio_unstable"]
 
+[target.x86_64-pc-windows-msvc]
+linker = "rust-lld"
+
 [build]
 rustflags = ["--cfg", "tokio_unstable"]

Cargo.lock

@@ -8983,6 +8983,7 @@ dependencies = [
  "data-url",
  "dirs",
  "discord-rich-presence",
+ "dotenvy",
  "dunce",
  "either",
  "encoding_rs",
@@ -9037,6 +9038,8 @@ dependencies = [
  "dashmap",
  "either",
  "enumset",
+ "hyper 1.6.0",
+ "hyper-util",
  "native-dialog",
  "paste",
  "serde",

Cargo.toml

@@ -67,6 +67,7 @@ heck = "0.5.0"
 hex = "0.4.3"
 hickory-resolver = "0.25.2"
 hmac = "0.12.1"
+hyper = "1.6.0"
 hyper-rustls = { version = "0.27.7", default-features = false, features = [
   "http1",
   "native-tokio",

apps/app-frontend/src/App.vue

@@ -61,9 +61,10 @@ import { renderString } from '@modrinth/utils'
 import { useFetch } from '@/helpers/fetch.js'
 // import { check } from '@tauri-apps/plugin-updater'
 import NavButton from '@/components/ui/NavButton.vue'
-import { get as getCreds, login, logout } from '@/helpers/mr_auth.js'
+import { cancelLogin, get as getCreds, login, logout } from '@/helpers/mr_auth.js'
 import { get_user } from '@/helpers/cache.js'
 import AppSettingsModal from '@/components/ui/modal/AppSettingsModal.vue'
+import AuthGrantFlowWaitModal from '@/components/ui/modal/AuthGrantFlowWaitModal.vue'
 // import PromotionWrapper from '@/components/ui/PromotionWrapper.vue'
 // import { hide_ads_window, init_ads_window } from '@/helpers/ads.js'
 import FriendsList from '@/components/ui/friends/FriendsList.vue'
@@ -283,6 +284,8 @@ const incompatibilityWarningModal = ref()
 
 const credentials = ref()
 
+const modrinthLoginFlowWaitModal = ref()
+
 async function fetchCredentials() {
   const creds = await getCreds().catch(handleError)
   if (creds && creds.user_id) {
@@ -292,8 +295,24 @@ async function fetchCredentials() {
 }
 
 async function signIn() {
-  await login().catch(handleError)
+  modrinthLoginFlowWaitModal.value.show()
-  await fetchCredentials()
+
+  try {
+    await login()
+    await fetchCredentials()
+  } catch (error) {
+    if (
+      typeof error === 'object' &&
+      typeof error['message'] === 'string' &&
+      error.message.includes('Login canceled')
+    ) {
+      // Not really an error due to being a result of user interaction, show nothing
+    } else {
+      handleError(error)
+    }
+  } finally {
+    modrinthLoginFlowWaitModal.value.hide()
+  }
 }
 
 async function logOut() {
@@ -422,6 +441,9 @@ function handleAuxClick(e) {
     <Suspense>
       <AppSettingsModal ref="settingsModal" />
     </Suspense>
+    <Suspense>
+      <AuthGrantFlowWaitModal ref="modrinthLoginFlowWaitModal" @flow-cancel="cancelLogin" />
+    </Suspense>
     <Suspense>
       <InstanceCreationModal ref="installationModal" />
     </Suspense>

apps/app-frontend/src/components/ui/InstanceCreationModal.vue

@@ -305,12 +305,16 @@ const [
   get_game_versions().then(shallowRef).catch(handleError),
   get_loaders()
     .then((value) =>
-      value
+      ref(
-        .filter((item) => item.supported_project_types.includes('modpack'))
+        value
-        .map((item) => item.name.toLowerCase()),
+          .filter((item) => item.supported_project_types.includes('modpack'))
+          .map((item) => item.name.toLowerCase()),
+      ),
     )
-    .then(ref)
+    .catch((err) => {
-    .catch(handleError),
+      handleError(err)
+      return ref([])
+    }),
 ])
 loaders.value.unshift('vanilla')
 

apps/app-frontend/src/components/ui/modal/AuthGrantFlowWaitModal.vue

@@ -0,0 +1,42 @@
+<script setup lang="ts">
+import { LogInIcon, SpinnerIcon } from '@modrinth/assets'
+import { ref } from 'vue'
+import ModalWrapper from '@/components/ui/modal/ModalWrapper.vue'
+
+defineProps({
+  onFlowCancel: {
+    type: Function,
+    default() {
+      return async () => {}
+    },
+  },
+})
+
+const modal = ref()
+
+function show() {
+  modal.value.show()
+}
+
+function hide() {
+  modal.value.hide()
+}
+
+defineExpose({ show, hide })
+</script>
+<template>
+  <ModalWrapper ref="modal" @hide="onFlowCancel">
+    <template #title>
+      <span class="items-center gap-2 text-lg font-extrabold text-contrast">
+        <LogInIcon /> Sign in
+      </span>
+    </template>
+
+    <div class="flex justify-center gap-2">
+      <SpinnerIcon class="w-12 h-12 animate-spin" />
+    </div>
+    <p class="text-sm text-secondary">
+      Please sign in at the browser window that just opened to continue.
+    </p>
+  </ModalWrapper>
+</template>

apps/app-frontend/src/helpers/mr_auth.js

@@ -16,3 +16,7 @@ export async function logout() {
 export async function get() {
   return await invoke('plugin:mr-auth|get')
 }
+
+export async function cancelLogin() {
+  return await invoke('plugin:mr-auth|cancel_modrinth_login')
+}

apps/app-playground/src/main.rs

@@ -15,7 +15,7 @@ pub async fn authenticate_run() -> theseus::Result<Credentials> {
     println!("A browser window will now open, follow the login flow there.");
     let login = minecraft_auth::begin_login().await?;
 
-    println!("Open URL {} in a browser", login.redirect_uri.as_str());
+    println!("Open URL {} in a browser", login.auth_request_uri.as_str());
 
     println!("Please enter URL code: ");
     let mut input = String::new();

apps/app/Cargo.toml

@@ -31,6 +31,8 @@ thiserror.workspace = true
 daedalus.workspace = true
 chrono.workspace = true
 either.workspace = true
+hyper = { workspace = true, features = ["server"] }
+hyper-util.workspace = true
 
 url.workspace = true
 urlencoding.workspace = true

apps/app/build.rs

@@ -123,7 +123,12 @@ fn main() {
             .plugin(
                 "mr-auth",
                 InlinedPlugin::new()
-                    .commands(&["modrinth_login", "logout", "get"])
+                    .commands(&[
+                        "modrinth_login",
+                        "logout",
+                        "get",
+                        "cancel_modrinth_login",
+                    ])
                     .default_permission(
                         DefaultPermissionRule::AllowAllCommands,
                     ),

apps/app/src/api/auth.rs

@@ -96,7 +96,7 @@ pub async fn login<R: Runtime>(
     let window = tauri::WebviewWindowBuilder::new(
         &app,
         "signin",
-        tauri::WebviewUrl::External(flow.redirect_uri.parse().map_err(
+        tauri::WebviewUrl::External(flow.auth_request_uri.parse().map_err(
             |_| {
                 theseus::ErrorKind::OtherError(
                     "Error parsing auth redirect URL".to_string(),
@@ -140,6 +140,7 @@ pub async fn login<R: Runtime>(
     window.close()?;
     Ok(None)
 }
+
 #[tauri::command]
 pub async fn remove_user(user: uuid::Uuid) -> Result<()> {
     Ok(minecraft_auth::remove_user(user).await?)

apps/app/src/api/mod.rs

@@ -21,6 +21,8 @@ pub mod cache;
 pub mod friends;
 pub mod worlds;
 
+mod oauth_utils;
+
 pub type Result<T> = std::result::Result<T, TheseusSerializableError>;
 
 // // Main returnable Theseus GUI error

apps/app/src/api/mr_auth.rs

@@ -1,79 +1,70 @@
 use crate::api::Result;
-use chrono::{Duration, Utc};
+use crate::api::TheseusSerializableError;
+use crate::api::oauth_utils;
+use tauri::Manager;
+use tauri::Runtime;
 use tauri::plugin::TauriPlugin;
-use tauri::{Manager, Runtime, UserAttentionType};
+use tauri_plugin_opener::OpenerExt;
 use theseus::prelude::*;
+use tokio::sync::oneshot;
 
 pub fn init<R: tauri::Runtime>() -> TauriPlugin<R> {
     tauri::plugin::Builder::new("mr-auth")
-        .invoke_handler(tauri::generate_handler![modrinth_login, logout, get,])
+        .invoke_handler(tauri::generate_handler![
+            modrinth_login,
+            logout,
+            get,
+            cancel_modrinth_login,
+        ])
         .build()
 }
 
 #[tauri::command]
 pub async fn modrinth_login<R: Runtime>(
     app: tauri::AppHandle<R>,
-) -> Result<Option<ModrinthCredentials>> {
+) -> Result<ModrinthCredentials> {
-    let redirect_uri = mr_auth::authenticate_begin_flow();
+    let (auth_code_recv_socket_tx, auth_code_recv_socket) = oneshot::channel();
+    let auth_code = tokio::spawn(oauth_utils::auth_code_reply::listen(
+        auth_code_recv_socket_tx,
+    ));
 
-    let start = Utc::now();
+    let auth_code_recv_socket = auth_code_recv_socket.await.unwrap()?;
 
-    if let Some(window) = app.get_webview_window("modrinth-signin") {
+    let auth_request_uri = format!(
-        window.close()?;
+        "{}?launcher=true&ipver={}&port={}",
-    }
+        mr_auth::authenticate_begin_flow(),
+        if auth_code_recv_socket.is_ipv4() {
+            "4"
+        } else {
+            "6"
+        },
+        auth_code_recv_socket.port()
+    );
 
-    let window = tauri::WebviewWindowBuilder::new(
+    app.opener()
-        &app,
+        .open_url(auth_request_uri, None::<&str>)
-        "modrinth-signin",
+        .map_err(|e| {
-        tauri::WebviewUrl::External(redirect_uri.parse().map_err(|_| {
+            TheseusSerializableError::Theseus(
-            theseus::ErrorKind::OtherError(
+                theseus::ErrorKind::OtherError(format!(
-                "Error parsing auth redirect URL".to_string(),
+                    "Failed to open auth request URI: {e}"
+                ))
+                .into(),
             )
-            .as_error()
+        })?;
-        })?),
-    )
-    .min_inner_size(420.0, 632.0)
-    .inner_size(420.0, 632.0)
-    .max_inner_size(420.0, 632.0)
-    .zoom_hotkeys_enabled(false)
-    .title("Sign into Modrinth")
-    .always_on_top(true)
-    .center()
-    .build()?;
 
-    window.request_user_attention(Some(UserAttentionType::Critical))?;
+    let Some(auth_code) = auth_code.await.unwrap()? else {
+        return Err(TheseusSerializableError::Theseus(
+            theseus::ErrorKind::OtherError("Login canceled".into()).into(),
+        ));
+    };
 
-    while (Utc::now() - start) < Duration::minutes(10) {
+    let credentials = mr_auth::authenticate_finish_flow(&auth_code).await?;
-        if window.title().is_err() {
-            // user closed window, cancelling flow
-            return Ok(None);
-        }
 
-        if window
+    if let Some(main_window) = app.get_window("main") {
-            .url()?
+        main_window.set_focus().ok();
-            .as_str()
-            .starts_with("https://launcher-files.modrinth.com")
-        {
-            let url = window.url()?;
-
-            let code = url.query_pairs().find(|(key, _)| key == "code");
-
-            window.close()?;
-
-            return if let Some((_, code)) = code {
-                let val = mr_auth::authenticate_finish_flow(&code).await?;
-
-                Ok(Some(val))
-            } else {
-                Ok(None)
-            };
-        }
-
-        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
     }
 
-    window.close()?;
+    Ok(credentials)
-    Ok(None)
 }
 
 #[tauri::command]
@@ -85,3 +76,8 @@ pub async fn logout() -> Result<()> {
 pub async fn get() -> Result<Option<ModrinthCredentials>> {
     Ok(theseus::mr_auth::get_credentials().await?)
 }
+
+#[tauri::command]
+pub fn cancel_modrinth_login() {
+    oauth_utils::auth_code_reply::stop_listeners();
+}

apps/app/src/api/oauth_utils/auth_code_reply.rs

@@ -0,0 +1,159 @@
+//! A minimal OAuth 2.0 authorization code grant flow redirection/reply loopback URI HTTP
+//! server implementation, compliant with [RFC 6749]'s authorization code grant flow and
+//! [RFC 8252]'s best current practices for OAuth 2.0 in native apps.
+//!
+//! This server is needed for the step 4 of the OAuth authentication dance represented in
+//! figure 1 of [RFC 8252].
+//!
+//! Further reading: https://www.oauth.com/oauth2-servers/oauth-native-apps/redirect-urls-for-native-apps/
+//!
+//! [RFC 6749]: https://datatracker.ietf.org/doc/html/rfc6749
+//! [RFC 8252]: https://datatracker.ietf.org/doc/html/rfc8252
+
+use std::{
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
+    sync::{LazyLock, Mutex},
+    time::Duration,
+};
+
+use hyper::body::Incoming;
+use hyper_util::rt::{TokioIo, TokioTimer};
+use theseus::ErrorKind;
+use tokio::{
+    net::TcpListener,
+    sync::{broadcast, oneshot},
+};
+
+static SERVER_SHUTDOWN: LazyLock<broadcast::Sender<()>> =
+    LazyLock::new(|| broadcast::channel(1024).0);
+
+/// Starts a temporary HTTP server to receive OAuth 2.0 authorization code grant flow redirects
+/// on a loopback interface with an ephemeral port. The caller can know the bound socket address
+/// by listening on the counterpart channel for `listen_socket_tx`.
+///
+/// If the server is stopped before receiving an authorization code, `Ok(None)` is returned.
+pub async fn listen(
+    listen_socket_tx: oneshot::Sender<Result<SocketAddr, theseus::Error>>,
+) -> Result<Option<String>, theseus::Error> {
+    // IPv4 is tried first for the best compatibility and performance with most systems.
+    // IPv6 is also tried in case IPv4 is not available. Resolving "localhost" is avoided
+    // to prevent failures deriving from improper name resolution setup. Any available
+    // ephemeral port is used to prevent conflicts with other services. This is all as per
+    // RFC 8252's recommendations
+    const ANY_LOOPBACK_SOCKET: &[SocketAddr] = &[
+        SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 0),
+        SocketAddr::new(IpAddr::V6(Ipv6Addr::LOCALHOST), 0),
+    ];
+
+    let listener = match TcpListener::bind(ANY_LOOPBACK_SOCKET).await {
+        Ok(listener) => {
+            listen_socket_tx
+                .send(listener.local_addr().map_err(|e| {
+                    ErrorKind::OtherError(format!(
+                        "Failed to get auth code reply socket address: {e}"
+                    ))
+                    .into()
+                }))
+                .ok();
+
+            listener
+        }
+        Err(e) => {
+            let error_msg =
+                format!("Failed to bind auth code reply socket: {e}");
+
+            listen_socket_tx
+                .send(Err(ErrorKind::OtherError(error_msg.clone()).into()))
+                .ok();
+
+            return Err(ErrorKind::OtherError(error_msg).into());
+        }
+    };
+
+    let mut auth_code = Mutex::new(None);
+    let mut shutdown_notification = SERVER_SHUTDOWN.subscribe();
+
+    while auth_code.get_mut().unwrap().is_none() {
+        let client_socket = tokio::select! {
+            biased;
+            _ = shutdown_notification.recv() => {
+                break;
+            }
+            conn_accept_result = listener.accept() => {
+                match conn_accept_result {
+                    Ok((socket, _)) => socket,
+                    Err(e) => {
+                        tracing::warn!("Failed to accept auth code reply: {e}");
+                        continue;
+                    }
+                }
+            }
+        };
+
+        if let Err(e) = hyper::server::conn::http1::Builder::new()
+            .keep_alive(false)
+            .header_read_timeout(Duration::from_secs(5))
+            .timer(TokioTimer::new())
+            .auto_date_header(false)
+            .serve_connection(
+                TokioIo::new(client_socket),
+                hyper::service::service_fn(|req| handle_reply(req, &auth_code)),
+            )
+            .await
+        {
+            tracing::warn!("Failed to handle auth code reply: {e}");
+        }
+    }
+
+    Ok(auth_code.into_inner().unwrap())
+}
+
+/// Stops any active OAuth 2.0 authorization code grant flow reply listening HTTP servers.
+pub fn stop_listeners() {
+    SERVER_SHUTDOWN.send(()).ok();
+}
+
+async fn handle_reply(
+    req: hyper::Request<Incoming>,
+    auth_code_out: &Mutex<Option<String>>,
+) -> Result<hyper::Response<String>, hyper::http::Error> {
+    if req.method() != hyper::Method::GET {
+        return hyper::Response::builder()
+            .status(hyper::StatusCode::METHOD_NOT_ALLOWED)
+            .header("Allow", "GET")
+            .body("".into());
+    }
+
+    // The authorization code is guaranteed to be sent as a "code" query parameter
+    // in the request URI query string as per RFC 6749 § 4.1.2
+    let auth_code = req.uri().query().and_then(|query_string| {
+        query_string
+            .split('&')
+            .filter_map(|query_pair| query_pair.split_once('='))
+            .find_map(|(key, value)| (key == "code").then_some(value))
+    });
+
+    let response = if let Some(auth_code) = auth_code {
+        *auth_code_out.lock().unwrap() = Some(auth_code.to_string());
+
+        hyper::Response::builder()
+            .status(hyper::StatusCode::OK)
+            .header("Content-Type", "text/html;charset=utf-8")
+            .body(
+                include_str!("auth_code_reply/page.html")
+                    .replace("{{title}}", "Success")
+                    .replace("{{message}}", "You have successfully signed in! You can close this page now."),
+            )
+    } else {
+        hyper::Response::builder()
+            .status(hyper::StatusCode::BAD_REQUEST)
+            .header("Content-Type", "text/html;charset=utf-8")
+            .body(
+                include_str!("auth_code_reply/page.html")
+                    .replace("{{title}}", "Error")
+                    .replace("{{message}}", "Authorization code not found. Please try signing in again."),
+            )
+    }?;
+
+    Ok(response)
+}

apps/app/src/api/oauth_utils/mod.rs

@@ -0,0 +1,3 @@
+//! Assorted utilities for OAuth 2.0 authorization flows.
+
+pub mod auth_code_reply;

apps/app/tauri.conf.json

@@ -63,6 +63,7 @@
         "height": 800,
         "resizable": true,
         "title": "AstralRinth",
+        "label": "main",
         "width": 1280,
         "minHeight": 700,
         "minWidth": 1100,

apps/daedalus_client/Dockerfile

@@ -1,9 +1,19 @@
+# syntax=docker/dockerfile:1
+
 FROM rust:1.88.0 AS build
 
 WORKDIR /usr/src/daedalus
 COPY . .
-RUN cargo build --release --package daedalus_client
+RUN --mount=type=cache,target=/usr/src/daedalus/target \
+  --mount=type=cache,target=/usr/local/cargo/git/db \
+  --mount=type=cache,target=/usr/local/cargo/registry \
+  cargo build --release --package daedalus_client
 
+FROM build AS artifacts
+
+RUN --mount=type=cache,target=/usr/src/daedalus/target \
+  mkdir /daedalus \
+  && cp /usr/src/daedalus/target/release/daedalus_client /daedalus/daedalus_client
 
 FROM debian:bookworm-slim
 
@@ -11,7 +21,7 @@ RUN apt-get update \
   && apt-get install -y --no-install-recommends ca-certificates openssl \
   && rm -rf /var/lib/apt/lists/*
 
-COPY --from=build /usr/src/daedalus/target/release/daedalus_client /daedalus/daedalus_client
+COPY --from=artifacts /daedalus /daedalus
-WORKDIR /daedalus_client
 
-CMD /daedalus/daedalus_client
+WORKDIR /daedalus_client
+CMD ["/daedalus/daedalus_client"]

apps/frontend/src/components/ui/moderation/ModpackPermissionsFlow.vue

@@ -8,7 +8,7 @@
     <div v-if="!modPackData">Loading data...</div>
 
     <div v-else-if="modPackData.length === 0">
-      <p>All permissions obtained. You may skip this step!</p>
+      <p>All permissions already obtained.</p>
     </div>
 
     <div v-else-if="!modPackData[currentIndex]">
@@ -157,7 +157,7 @@ import type {
 } from "@modrinth/utils";
 import { ButtonStyled } from "@modrinth/ui";
 import { ref, computed, watch, onMounted } from "vue";
-import { useLocalStorage } from "@vueuse/core";
+import { useLocalStorage, useSessionStorage } from "@vueuse/core";
 
 const props = defineProps<{
   projectId: string;
@@ -182,7 +182,26 @@ const persistedModPackData = useLocalStorage<ModerationModpackItem[] | null>(
 
 const persistedIndex = useLocalStorage<number>(`modpack-permissions-index-${props.projectId}`, 0);
 
-const modPackData = ref<ModerationModpackItem[] | null>(null);
+const modPackData = useSessionStorage<ModerationModpackItem[] | null>(
+  `modpack-permissions-data-${props.projectId}`,
+  null,
+  {
+    serializer: {
+      read: (v: any) => (v ? JSON.parse(v) : null),
+      write: (v: any) => JSON.stringify(v),
+    },
+  },
+);
+const permanentNoFiles = useSessionStorage<ModerationModpackItem[]>(
+  `modpack-permissions-permanent-no-${props.projectId}`,
+  [],
+  {
+    serializer: {
+      read: (v: any) => (v ? JSON.parse(v) : []),
+      write: (v: any) => JSON.stringify(v),
+    },
+  },
+);
 const currentIndex = ref(0);
 
 const fileApprovalTypes: ModerationModpackPermissionApprovalType[] = [
@@ -251,7 +270,45 @@ async function fetchModPackData(): Promise<void> {
     const data = (await useBaseFetch(`moderation/project/${props.projectId}`, {
       internal: true,
     })) as ModerationModpackResponse;
+
+    const permanentNoItems: ModerationModpackItem[] = Object.entries(data.identified || {})
+      .filter(([_, file]) => file.status === "permanent-no")
+      .map(
+        ([sha1, file]): ModerationModpackItem => ({
+          sha1,
+          file_name: file.file_name,
+          type: "identified",
+          status: file.status,
+          approved: null,
+        }),
+      )
+      .sort((a, b) => a.file_name.localeCompare(b.file_name));
+
+    permanentNoFiles.value = permanentNoItems;
+
     const sortedData: ModerationModpackItem[] = [
+      ...Object.entries(data.identified || {})
+        .filter(
+          ([_, file]) =>
+            file.status !== "yes" &&
+            file.status !== "with-attribution-and-source" &&
+            file.status !== "permanent-no",
+        )
+        .map(
+          ([sha1, file]): ModerationModpackItem => ({
+            sha1,
+            file_name: file.file_name,
+            type: "identified",
+            status: file.status,
+            approved: null,
+            ...(file.status === "unidentified" && {
+              proof: "",
+              url: "",
+              title: "",
+            }),
+          }),
+        )
+        .sort((a, b) => a.file_name.localeCompare(b.file_name)),
       ...Object.entries(data.unknown_files || {})
         .map(
           ([sha1, fileName]): ModerationUnknownModpackItem => ({
@@ -310,6 +367,7 @@ async function fetchModPackData(): Promise<void> {
   } catch (error) {
     console.error("Failed to fetch modpack data:", error);
     modPackData.value = [];
+    permanentNoFiles.value = [];
     persistAll();
   }
 }
@@ -321,6 +379,14 @@ function goToPrevious(): void {
   }
 }
 
+watch(
+  modPackData,
+  (newValue) => {
+    persistedModPackData.value = newValue;
+  },
+  { deep: true },
+);
+
 function goToNext(): void {
   if (modPackData.value && currentIndex.value < modPackData.value.length) {
     currentIndex.value++;
@@ -396,6 +462,17 @@ onMounted(() => {
   }
 });
 
+watch(
+  modPackData,
+  (newValue) => {
+    if (newValue && newValue.length === 0) {
+      emit("complete");
+      clearPersistedData();
+    }
+  },
+  { immediate: true },
+);
+
 watch(
   () => props.projectId,
   () => {
@@ -406,6 +483,20 @@ watch(
     }
   },
 );
+
+function getModpackFiles(): {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+} {
+  return {
+    interactive: modPackData.value || [],
+    permanentNo: permanentNoFiles.value,
+  };
+}
+
+defineExpose({
+  getModpackFiles,
+});
 </script>
 
 <style scoped>

apps/frontend/src/components/ui/moderation/NewModerationChecklist.vue

@@ -240,24 +240,6 @@
             </div>
 
             <div v-else-if="generatedMessage" class="flex items-center gap-2">
-              <OverflowMenu :options="stageOptions" class="bg-transparent p-0">
-                <ButtonStyled circular>
-                  <button v-tooltip="`Stages`">
-                    <ListBulletedIcon />
-                  </button>
-                </ButtonStyled>
-
-                <template
-                  v-for="opt in stageOptions.filter(
-                    (opt) => 'id' in opt && 'text' in opt && 'icon' in opt,
-                  )"
-                  #[opt.id]
-                  :key="opt.id"
-                >
-                  <component :is="opt.icon" v-if="opt.icon" class="mr-2" />
-                  {{ opt.text }}
-                </template>
-              </OverflowMenu>
               <ButtonStyled>
                 <button @click="goBackToStages">
                   <LeftArrowIcon aria-hidden="true" />
@@ -368,21 +350,26 @@ import {
   DropdownSelect,
   MarkdownEditor,
 } from "@modrinth/ui";
-import { type Project, renderHighlightedString, type ModerationJudgements } from "@modrinth/utils";
+import {
+  type Project,
+  renderHighlightedString,
+  type ModerationJudgements,
+  type ModerationModpackItem,
+} from "@modrinth/utils";
 import { computedAsync, useLocalStorage } from "@vueuse/core";
-import type {
+import {
-  Action,
+  type Action,
-  MultiSelectChipsAction,
+  type MultiSelectChipsAction,
-  DropdownAction,
+  type DropdownAction,
-  ButtonAction,
+  type ButtonAction,
-  ToggleAction,
+  type ToggleAction,
-  ConditionalButtonAction,
+  type ConditionalButtonAction,
-  Stage,
+  type Stage,
+  finalPermissionMessages,
 } from "@modrinth/moderation";
+import * as prettier from "prettier";
 import ModpackPermissionsFlow from "./ModpackPermissionsFlow.vue";
 import KeybindsModal from "./ChecklistKeybindsModal.vue";
-import { finalPermissionMessages } from "@modrinth/moderation/data/modpack-permissions-stage";
-import prettier from "prettier";
 
 const keybindsModal = ref<InstanceType<typeof KeybindsModal>>();
 
@@ -419,7 +406,6 @@ const done = ref(false);
 
 function handleModpackPermissionsComplete() {
   modpackPermissionsComplete.value = true;
-  nextStage();
 }
 
 const emit = defineEmits<{
@@ -823,6 +809,31 @@ const isAnyVisibleInputs = computed(() => {
   });
 });
 
+function getModpackFilesFromStorage(): {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+} {
+  try {
+    const sessionData = sessionStorage.getItem(`modpack-permissions-data-${props.project.id}`);
+    const interactive = sessionData ? (JSON.parse(sessionData) as ModerationModpackItem[]) : [];
+
+    const permanentNoData = sessionStorage.getItem(
+      `modpack-permissions-permanent-no-${props.project.id}`,
+    );
+    const permanentNo = permanentNoData
+      ? (JSON.parse(permanentNoData) as ModerationModpackItem[])
+      : [];
+
+    return {
+      interactive: interactive || [],
+      permanentNo: permanentNo || [],
+    };
+  } catch (error) {
+    console.warn("Failed to parse session storage modpack data:", error);
+    return { interactive: [], permanentNo: [] };
+  }
+}
+
 async function assembleFullMessage() {
   const messageParts: MessagePart[] = [];
 
@@ -1092,13 +1103,14 @@ async function generateMessage() {
     const baseMessage = await assembleFullMessage();
     let fullMessage = baseMessage;
 
-    if (
+    if (props.project.project_type === "modpack") {
-      props.project.project_type === "modpack" &&
+      const modpackFilesData = getModpackFilesFromStorage();
-      Object.keys(modpackJudgements.value).length > 0
+
-    ) {
+      if (modpackFilesData.interactive.length > 0 || modpackFilesData.permanentNo.length > 0) {
-      const modpackMessage = generateModpackMessage(modpackJudgements.value);
+        const modpackMessage = generateModpackMessage(modpackFilesData);
-      if (modpackMessage) {
+        if (modpackMessage) {
-        fullMessage = baseMessage ? `${baseMessage}\n\n${modpackMessage}` : modpackMessage;
+          fullMessage = baseMessage ? `${baseMessage}\n\n${modpackMessage}` : modpackMessage;
+        }
       }
     }
 
@@ -1129,25 +1141,32 @@ async function generateMessage() {
   }
 }
 
-function generateModpackMessage(judgements: ModerationJudgements) {
+function generateModpackMessage(allFiles: {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+}) {
   const issues = [];
 
-  const attributeMods = [];
+  const attributeMods: string[] = [];
-  const noMods = [];
+  const noMods: string[] = [];
-  const permanentNoMods = [];
+  const permanentNoMods: string[] = [];
-  const unidentifiedMods = [];
+  const unidentifiedMods: string[] = [];
 
-  for (const [, judgement] of Object.entries(judgements)) {
+  allFiles.interactive.forEach((file) => {
-    if (judgement.status === "with-attribution") {
+    if (file.status === "unidentified") {
-      attributeMods.push(judgement.file_name);
+      if (file.approved === "no") {
-    } else if (judgement.status === "no") {
+        unidentifiedMods.push(file.file_name);
-      noMods.push(judgement.file_name);
+      }
-    } else if (judgement.status === "permanent-no") {
+    } else if (file.status === "with-attribution" && file.approved === "no") {
-      permanentNoMods.push(judgement.file_name);
+      attributeMods.push(file.file_name);
-    } else if (judgement.status === "unidentified") {
+    } else if (file.status === "no" && file.approved === "no") {
-      unidentifiedMods.push(judgement.file_name);
+      noMods.push(file.file_name);
     }
-  }
+  });
+
+  allFiles.permanentNo.forEach((file) => {
+    permanentNoMods.push(file.file_name);
+  });
 
   if (
     attributeMods.length > 0 ||
@@ -1157,6 +1176,12 @@ function generateModpackMessage(judgements: ModerationJudgements) {
   ) {
     issues.push("## Copyrighted content");
 
+    if (unidentifiedMods.length > 0) {
+      issues.push(
+        `${finalPermissionMessages.unidentified}\n${unidentifiedMods.map((mod) => `- ${mod}`).join("\n")}`,
+      );
+    }
+
     if (attributeMods.length > 0) {
       issues.push(
         `${finalPermissionMessages["with-attribution"]}\n${attributeMods.map((mod) => `- ${mod}`).join("\n")}`,
@@ -1172,12 +1197,6 @@ function generateModpackMessage(judgements: ModerationJudgements) {
         `${finalPermissionMessages["permanent-no"]}\n${permanentNoMods.map((mod) => `- ${mod}`).join("\n")}`,
       );
     }
-
-    if (unidentifiedMods.length > 0) {
-      issues.push(
-        `${finalPermissionMessages["unidentified"]}\n${unidentifiedMods.map((mod) => `- ${mod}`).join("\n")}`,
-      );
-    }
   }
 
   return issues.join("\n\n");

apps/frontend/src/pages/admin/billing/[id].vue

@@ -150,9 +150,26 @@
                   </template>
                 </span>
                 <span class="text-sm text-secondary">
+                  <span
+                    v-if="charge.status === 'cancelled' && $dayjs(charge.due).isBefore($dayjs())"
+                    class="font-bold"
+                  >
+                    Ended:
+                  </span>
+                  <span v-else-if="charge.status === 'cancelled'" class="font-bold">Ends:</span>
+                  <span v-else-if="charge.type === 'refund'" class="font-bold">Issued:</span>
+                  <span v-else class="font-bold">Due:</span>
                   {{ dayjs(charge.due).format("MMMM D, YYYY [at] h:mma") }}
                   <span class="text-secondary">({{ formatRelativeTime(charge.due) }}) </span>
                 </span>
+                <span v-if="charge.last_attempt != null" class="text-sm text-secondary">
+                  <span v-if="charge.status === 'failed'" class="font-bold">Last attempt:</span>
+                  <span v-else class="font-bold">Charged:</span>
+                  {{ dayjs(charge.last_attempt).format("MMMM D, YYYY [at] h:mma") }}
+                  <span class="text-secondary"
+                    >({{ formatRelativeTime(charge.last_attempt) }})
+                  </span>
+                </span>
                 <div class="flex w-full items-center gap-1 text-xs text-secondary">
                   {{ charge.status }}
                   ⋅

apps/frontend/src/pages/auth/sign-in.vue

@@ -1,6 +1,12 @@
 <template>
-  <div>
+  <div v-if="subtleLauncherRedirectUri">
-    <template v-if="flow">
+    <iframe
+      :src="subtleLauncherRedirectUri"
+      class="fixed left-0 top-0 z-[9999] m-0 h-full w-full border-0 p-0"
+    ></iframe>
+  </div>
+  <div v-else>
+    <template v-if="flow && !subtleLauncherRedirectUri">
       <label for="two-factor-code">
         <span class="label__title">{{ formatMessage(messages.twoFactorCodeLabel) }}</span>
         <span class="label__description">
@@ -189,6 +195,7 @@ const auth = await useAuth();
 const route = useNativeRoute();
 
 const redirectTarget = route.query.redirect || "";
+const subtleLauncherRedirectUri = ref();
 
 if (route.query.code && !route.fullPath.includes("new_account=true")) {
   await finishSignIn();
@@ -262,7 +269,32 @@ async function begin2FASignIn() {
 
 async function finishSignIn(token) {
   if (route.query.launcher) {
-    await navigateTo(`https://launcher-files.modrinth.com/?code=${token}`, { external: true });
+    if (!token) {
+      token = auth.value.token;
+    }
+
+    const usesLocalhostRedirectionScheme =
+      ["4", "6"].includes(route.query.ipver) && Number(route.query.port) < 65536;
+
+    const redirectUrl = usesLocalhostRedirectionScheme
+      ? `http://${route.query.ipver === "4" ? "127.0.0.1" : "[::1]"}:${route.query.port}/?code=${token}`
+      : `https://launcher-files.modrinth.com/?code=${token}`;
+
+    if (usesLocalhostRedirectionScheme) {
+      // When using this redirection scheme, the auth token is very visible in the URL to the user.
+      // While we could make it harder to find with a POST request, such is security by obscurity:
+      // the user and other applications would still be able to sniff the token in the request body.
+      // So, to make the UX a little better by not changing the displayed URL, while keeping the
+      // token hidden from very casual observation and keeping the protocol as close to OAuth's
+      // standard flows as possible, let's execute the redirect within an iframe that visually
+      // covers the entire page.
+      subtleLauncherRedirectUri.value = redirectUrl;
+    } else {
+      await navigateTo(redirectUrl, {
+        external: true,
+      });
+    }
+
     return;
   }
 

apps/frontend/src/pages/auth/sign-up.vue

@@ -247,16 +247,14 @@ async function createAccount() {
       },
     });
 
-    if (route.query.launcher) {
-      await navigateTo(`https://launcher-files.modrinth.com/?code=${res.session}`, {
-        external: true,
-      });
-      return;
-    }
-
     await useAuth(res.session);
     await useUser();
 
+    if (route.query.launcher) {
+      await navigateTo({ path: "/auth/sign-in", query: route.query });
+      return;
+    }
+
     if (route.query.redirect) {
       await navigateTo(route.query.redirect);
     } else {

apps/labrinth/Dockerfile

@@ -1,8 +1,21 @@
+# syntax=docker/dockerfile:1
+
 FROM rust:1.88.0 AS build
 
 WORKDIR /usr/src/labrinth
 COPY . .
-RUN SQLX_OFFLINE=true cargo build --release --package labrinth
+RUN --mount=type=cache,target=/usr/src/labrinth/target \
+  --mount=type=cache,target=/usr/local/cargo/git/db \
+  --mount=type=cache,target=/usr/local/cargo/registry \
+  SQLX_OFFLINE=true cargo build --release --package labrinth
+
+FROM build AS artifacts
+
+RUN --mount=type=cache,target=/usr/src/labrinth/target \
+  mkdir /labrinth \
+  && cp /usr/src/labrinth/target/release/labrinth /labrinth/labrinth \
+  && cp -r /usr/src/labrinth/apps/labrinth/migrations /labrinth \
+  && cp -r /usr/src/labrinth/apps/labrinth/assets /labrinth
 
 FROM debian:bookworm-slim
 
@@ -14,10 +27,8 @@ RUN apt-get update \
   && apt-get install -y --no-install-recommends ca-certificates dumb-init curl \
   && rm -rf /var/lib/apt/lists/*
 
-COPY --from=build /usr/src/labrinth/target/release/labrinth /labrinth/labrinth
+COPY --from=artifacts /labrinth /labrinth
-COPY --from=build /usr/src/labrinth/apps/labrinth/migrations/* /labrinth/migrations/
-COPY --from=build /usr/src/labrinth/apps/labrinth/assets /labrinth/assets
-WORKDIR /labrinth
 
+WORKDIR /labrinth
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["/labrinth/labrinth"]

packages/app-lib/.env.local

@@ -1,2 +1,10 @@
-# SQLite database file location
+MODRINTH_URL=http://localhost:3000/
-DATABASE_URL=sqlite:///tmp/Modrinth/code/packages/app-lib/.sqlx/generated/state.db
+MODRINTH_API_URL=http://127.0.0.1:8000/v2/
+MODRINTH_API_URL_V3=http://127.0.0.1:8000/v3/
+MODRINTH_SOCKET_URL=ws://127.0.0.1:8000/
+MODRINTH_LAUNCHER_META_URL=https://launcher-meta.modrinth.com/
+
+# SQLite database file used by sqlx for type checking. Uncomment this to a valid path
+# in your system and run `cargo sqlx database setup` to generate an empty database that
+# can be used for developing the app DB schema
+#DATABASE_URL=sqlite:///tmp/Modrinth/code/packages/app-lib/.sqlx/generated/state.db

packages/app-lib/.env.prod

@@ -0,0 +1,10 @@
+MODRINTH_URL=https://modrinth.com/
+MODRINTH_API_URL=https://api.modrinth.com/v2/
+MODRINTH_API_URL_V3=https://api.modrinth.com/v3/
+MODRINTH_SOCKET_URL=wss://api.modrinth.com/
+MODRINTH_LAUNCHER_META_URL=https://launcher-meta.modrinth.com/
+
+# SQLite database file used by sqlx for type checking. Uncomment this to a valid path
+# in your system and run `cargo sqlx database setup` to generate an empty database that
+# can be used for developing the app DB schema
+#DATABASE_URL=sqlite:///tmp/Modrinth/code/packages/app-lib/.sqlx/generated/state.db

packages/app-lib/.env.staging

@@ -0,0 +1,10 @@
+MODRINTH_URL=https://staging.modrinth.com/
+MODRINTH_API_URL=https://staging-api.modrinth.com/v2/
+MODRINTH_API_URL_V3=https://staging-api.modrinth.com/v3/
+MODRINTH_SOCKET_URL=wss://staging-api.modrinth.com/
+MODRINTH_LAUNCHER_META_URL=https://launcher-meta.modrinth.com/
+
+# SQLite database file used by sqlx for type checking. Uncomment this to a valid path
+# in your system and run `cargo sqlx database setup` to generate an empty database that
+# can be used for developing the app DB schema
+#DATABASE_URL=sqlite:///tmp/Modrinth/code/packages/app-lib/.sqlx/generated/state.db

packages/app-lib/Cargo.toml

@@ -82,6 +82,7 @@ ariadne.workspace = true
 winreg.workspace = true
 
 [build-dependencies]
+dotenvy.workspace = true
 dunce.workspace = true
 
 [features]

packages/app-lib/build.rs

@@ -4,12 +4,31 @@ use std::process::{Command, exit};
 use std::{env, fs};
 
 fn main() {
+    println!("cargo::rerun-if-changed=.env");
     println!("cargo::rerun-if-changed=java/gradle");
     println!("cargo::rerun-if-changed=java/src");
     println!("cargo::rerun-if-changed=java/build.gradle.kts");
     println!("cargo::rerun-if-changed=java/settings.gradle.kts");
     println!("cargo::rerun-if-changed=java/gradle.properties");
 
+    set_env();
+    build_java_jars();
+}
+
+fn set_env() {
+    for (var_name, var_value) in
+        dotenvy::dotenv_iter().into_iter().flatten().flatten()
+    {
+        if var_name == "DATABASE_URL" {
+            // The sqlx database URL is a build-time detail that should not be exposed to the crate
+            continue;
+        }
+
+        println!("cargo::rustc-env={var_name}={var_value}");
+    }
+}
+
+fn build_java_jars() {
     let out_dir =
         dunce::canonicalize(PathBuf::from(env::var_os("OUT_DIR").unwrap()))
             .unwrap();
@@ -37,6 +56,7 @@ fn main() {
         .current_dir(dunce::canonicalize("java").unwrap())
         .status()
         .expect("Failed to wait on Gradle build");
+
     if !exit_status.success() {
         println!("cargo::error=Gradle build failed with {exit_status}");
         exit(exit_status.code().unwrap_or(1));

packages/app-lib/src/api/mr_auth.rs

@@ -1,7 +1,7 @@
 use crate::state::ModrinthCredentials;
 
 #[tracing::instrument]
-pub fn authenticate_begin_flow() -> String {
+pub fn authenticate_begin_flow() -> &'static str {
     crate::state::get_login_url()
 }
 

packages/app-lib/src/config.rs

@@ -1,13 +0,0 @@
-//! Configuration structs
-
-// pub const MODRINTH_URL: &str = "https://staging.modrinth.com/";
-// pub const MODRINTH_API_URL: &str = "https://staging-api.modrinth.com/v2/";
-// pub const MODRINTH_API_URL_V3: &str = "https://staging-api.modrinth.com/v3/";
-
-pub const MODRINTH_URL: &str = "https://modrinth.com/";
-pub const MODRINTH_API_URL: &str = "https://api.modrinth.com/v2/";
-pub const MODRINTH_API_URL_V3: &str = "https://api.modrinth.com/v3/";
-
-pub const MODRINTH_SOCKET_URL: &str = "wss://api.modrinth.com/";
-
-pub const META_URL: &str = "https://launcher-meta.modrinth.com/";

packages/app-lib/src/lib.rs

@@ -11,7 +11,6 @@ and launching Modrinth mod packs
 pub mod util; // [AR] Refactor
 
 mod api;
-mod config;
 mod error;
 mod event;
 mod launcher;

packages/app-lib/src/state/cache.rs

@@ -1,4 +1,3 @@
-use crate::config::{META_URL, MODRINTH_API_URL, MODRINTH_API_URL_V3};
 use crate::state::ProjectType;
 use crate::util::fetch::{FetchSemaphore, fetch_json, sha1_async};
 use chrono::{DateTime, Utc};
@@ -8,6 +7,7 @@ use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use sqlx::SqlitePool;
 use std::collections::HashMap;
+use std::env;
 use std::fmt::Display;
 use std::hash::Hash;
 use std::path::{Path, PathBuf};
@@ -945,7 +945,7 @@ impl CachedEntry {
             CacheValueType::Project => {
                 fetch_original_values!(
                     Project,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "projects",
                     CacheValue::Project
                 )
@@ -953,7 +953,7 @@ impl CachedEntry {
             CacheValueType::Version => {
                 fetch_original_values!(
                     Version,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "versions",
                     CacheValue::Version
                 )
@@ -961,7 +961,7 @@ impl CachedEntry {
             CacheValueType::User => {
                 fetch_original_values!(
                     User,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "users",
                     CacheValue::User
                 )
@@ -969,7 +969,7 @@ impl CachedEntry {
             CacheValueType::Team => {
                 let mut teams = fetch_many_batched::<Vec<TeamMember>>(
                     Method::GET,
-                    MODRINTH_API_URL_V3,
+                    env!("MODRINTH_API_URL_V3"),
                     "teams?ids=",
                     &keys,
                     fetch_semaphore,
@@ -1008,7 +1008,7 @@ impl CachedEntry {
             CacheValueType::Organization => {
                 let mut orgs = fetch_many_batched::<Organization>(
                     Method::GET,
-                    MODRINTH_API_URL_V3,
+                    env!("MODRINTH_API_URL_V3"),
                     "organizations?ids=",
                     &keys,
                     fetch_semaphore,
@@ -1063,7 +1063,7 @@ impl CachedEntry {
             CacheValueType::File => {
                 let mut versions = fetch_json::<HashMap<String, Version>>(
                     Method::POST,
-                    &format!("{MODRINTH_API_URL}version_files"),
+                    concat!(env!("MODRINTH_API_URL"), "version_files"),
                     None,
                     Some(serde_json::json!({
                         "algorithm": "sha1",
@@ -1119,7 +1119,11 @@ impl CachedEntry {
                     .map(|x| {
                         (
                             x.key().to_string(),
-                            format!("{META_URL}{}/v0/manifest.json", x.key()),
+                            format!(
+                                "{}{}/v0/manifest.json",
+                                env!("MODRINTH_LAUNCHER_META_URL"),
+                                x.key()
+                            ),
                         )
                     })
                     .collect::<Vec<_>>();
@@ -1154,7 +1158,7 @@ impl CachedEntry {
             CacheValueType::MinecraftManifest => {
                 fetch_original_value!(
                     MinecraftManifest,
-                    META_URL,
+                    env!("MODRINTH_LAUNCHER_META_URL"),
                     format!(
                         "minecraft/v{}/manifest.json",
                         daedalus::minecraft::CURRENT_FORMAT_VERSION
@@ -1165,7 +1169,7 @@ impl CachedEntry {
             CacheValueType::Categories => {
                 fetch_original_value!(
                     Categories,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "tag/category",
                     CacheValue::Categories
                 )
@@ -1173,7 +1177,7 @@ impl CachedEntry {
             CacheValueType::ReportTypes => {
                 fetch_original_value!(
                     ReportTypes,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "tag/report_type",
                     CacheValue::ReportTypes
                 )
@@ -1181,7 +1185,7 @@ impl CachedEntry {
             CacheValueType::Loaders => {
                 fetch_original_value!(
                     Loaders,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "tag/loader",
                     CacheValue::Loaders
                 )
@@ -1189,7 +1193,7 @@ impl CachedEntry {
             CacheValueType::GameVersions => {
                 fetch_original_value!(
                     GameVersions,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "tag/game_version",
                     CacheValue::GameVersions
                 )
@@ -1197,7 +1201,7 @@ impl CachedEntry {
             CacheValueType::DonationPlatforms => {
                 fetch_original_value!(
                     DonationPlatforms,
-                    MODRINTH_API_URL,
+                    env!("MODRINTH_API_URL"),
                     "tag/donation_platform",
                     CacheValue::DonationPlatforms
                 )
@@ -1297,14 +1301,12 @@ impl CachedEntry {
                     }
                 });
 
-                let version_update_url =
-                    format!("{MODRINTH_API_URL}version_files/update");
                 let variations =
                     futures::future::try_join_all(filtered_keys.iter().map(
                         |((loaders_key, game_version), hashes)| {
                             fetch_json::<HashMap<String, Version>>(
                                 Method::POST,
-                                &version_update_url,
+                                concat!(env!("MODRINTH_API_URL"), "version_files/update"),
                                 None,
                                 Some(serde_json::json!({
                                     "algorithm": "sha1",
@@ -1368,7 +1370,11 @@ impl CachedEntry {
                     .map(|x| {
                         (
                             x.key().to_string(),
-                            format!("{MODRINTH_API_URL}search{}", x.key()),
+                            format!(
+                                "{}search{}",
+                                env!("MODRINTH_API_URL"),
+                                x.key()
+                            ),
                         )
                     })
                     .collect::<Vec<_>>();

packages/app-lib/src/state/friends.rs

@@ -1,4 +1,3 @@
-use crate::config::{MODRINTH_API_URL_V3, MODRINTH_SOCKET_URL};
 use crate::data::ModrinthCredentials;
 use crate::event::FriendPayload;
 use crate::event::emit::emit_friend;
@@ -77,7 +76,8 @@ impl FriendsSocket {
 
         if let Some(credentials) = credentials {
             let mut request = format!(
-                "{MODRINTH_SOCKET_URL}_internal/launcher_socket?code={}",
+                "{}_internal/launcher_socket?code={}",
+                env!("MODRINTH_SOCKET_URL"),
                 credentials.session
             )
             .into_client_request()?;
@@ -303,7 +303,7 @@ impl FriendsSocket {
     ) -> crate::Result<Vec<UserFriend>> {
         fetch_json(
             Method::GET,
-            &format!("{MODRINTH_API_URL_V3}friends"),
+            concat!(env!("MODRINTH_API_URL_V3"), "friends"),
             None,
             None,
             semaphore,
@@ -328,7 +328,7 @@ impl FriendsSocket {
     ) -> crate::Result<()> {
         fetch_advanced(
             Method::POST,
-            &format!("{MODRINTH_API_URL_V3}friend/{user_id}"),
+            &format!("{}friend/{user_id}", env!("MODRINTH_API_URL_V3")),
             None,
             None,
             None,
@@ -349,7 +349,7 @@ impl FriendsSocket {
     ) -> crate::Result<()> {
         fetch_advanced(
             Method::DELETE,
-            &format!("{MODRINTH_API_URL_V3}friend/{user_id}"),
+            &format!("{}friend/{user_id}", env!("MODRINTH_API_URL_V3")),
             None,
             None,
             None,

packages/app-lib/src/state/minecraft_auth.rs

@@ -85,21 +85,18 @@ pub struct MinecraftLoginFlow {
     pub verifier: String,
     pub challenge: String,
     pub session_id: String,
-    pub redirect_uri: String,
+    pub auth_request_uri: String,
 }
 
 #[tracing::instrument]
 pub async fn login_begin(
     exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
 ) -> crate::Result<MinecraftLoginFlow> {
-    let (pair, current_date, valid_date) =
+    let (pair, current_date) =
-        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), false, exec)
+        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), exec).await?;
-            .await?;
 
     let verifier = generate_oauth_challenge();
-    let mut hasher = sha2::Sha256::new();
+    let result = sha2::Sha256::digest(&verifier);
-    hasher.update(&verifier);
-    let result = hasher.finalize();
     let challenge = BASE64_URL_SAFE_NO_PAD.encode(result);
 
     match sisu_authenticate(
@@ -110,46 +107,15 @@ pub async fn login_begin(
     )
     .await
     {
-        Ok((session_id, redirect_uri)) => Ok(MinecraftLoginFlow {
+        Ok((session_id, redirect_uri)) => {
-            verifier,
+            return Ok(MinecraftLoginFlow {
-            challenge,
+                verifier,
-            session_id,
+                challenge,
-            redirect_uri: redirect_uri.value.msa_oauth_redirect,
+                session_id,
-        }),
+                auth_request_uri: redirect_uri.value.msa_oauth_redirect,
-        Err(err) => {
+            });
-            if !valid_date {
-                let (pair, current_date, _) =
-                    DeviceTokenPair::refresh_and_get_device_token(
-                        Utc::now(),
-                        false,
-                        exec,
-                    )
-                    .await?;
-
-                let verifier = generate_oauth_challenge();
-                let mut hasher = sha2::Sha256::new();
-                hasher.update(&verifier);
-                let result = hasher.finalize();
-                let challenge = BASE64_URL_SAFE_NO_PAD.encode(result);
-
-                let (session_id, redirect_uri) = sisu_authenticate(
-                    &pair.token.token,
-                    &challenge,
-                    &pair.key,
-                    current_date,
-                )
-                .await?;
-
-                Ok(MinecraftLoginFlow {
-                    verifier,
-                    challenge,
-                    session_id,
-                    redirect_uri: redirect_uri.value.msa_oauth_redirect,
-                })
-            } else {
-                Err(crate::ErrorKind::from(err).into())
-            }
         }
+        Err(err) => return Err(crate::ErrorKind::from(err).into()),
     }
 }
 
@@ -159,9 +125,8 @@ pub async fn login_finish(
     flow: MinecraftLoginFlow,
     exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
 ) -> crate::Result<Credentials> {
-    let (pair, _, _) =
+    let (pair, _) =
-        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), false, exec)
+        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), exec).await?;
-            .await?;
 
     let oauth_token = oauth_token(code, &flow.verifier).await?;
     let sisu_authorize = sisu_authorize(
@@ -351,10 +316,9 @@ impl Credentials {
         }
 
         let oauth_token = oauth_refresh(&self.refresh_token).await?;
-        let (pair, current_date, _) =
+        let (pair, current_date) =
             DeviceTokenPair::refresh_and_get_device_token(
                 oauth_token.date,
-                false,
                 exec,
             )
             .await?;
@@ -722,21 +686,20 @@ impl DeviceTokenPair {
     #[tracing::instrument(skip(exec))]
     async fn refresh_and_get_device_token(
         current_date: DateTime<Utc>,
-        force_generate: bool,
         exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
-    ) -> crate::Result<(Self, DateTime<Utc>, bool)> {
+    ) -> crate::Result<(Self, DateTime<Utc>)> {
         let pair = Self::get(exec).await?;
 
         if let Some(mut pair) = pair {
-            if pair.token.not_after > Utc::now() && !force_generate {
+            if pair.token.not_after > current_date {
-                Ok((pair, current_date, false))
+                Ok((pair, current_date))
             } else {
                 let res = device_token(&pair.key, current_date).await?;
 
                 pair.token = res.value;
                 pair.upsert(exec).await?;
 
-                Ok((pair, res.date, true))
+                Ok((pair, res.date))
             }
         } else {
             let key = generate_key()?;
@@ -749,7 +712,7 @@ impl DeviceTokenPair {
 
             pair.upsert(exec).await?;
 
-            Ok((pair, res.date, true))
+            Ok((pair, res.date))
         }
     }
 
@@ -847,8 +810,8 @@ impl DeviceTokenPair {
 }
 
 const MICROSOFT_CLIENT_ID: &str = "00000000402b5328";
-const REDIRECT_URL: &str = "https://login.live.com/oauth20_desktop.srf";
+const AUTH_REPLY_URL: &str = "https://login.live.com/oauth20_desktop.srf";
-const REQUESTED_SCOPES: &str = "service::user.auth.xboxlive.com::MBI_SSL";
+const REQUESTED_SCOPE: &str = "service::user.auth.xboxlive.com::MBI_SSL";
 
 /* [AR] Fix
  * Weird visibility issue that didn't reproduce before
@@ -931,7 +894,7 @@ async fn sisu_authenticate(
           "AppId": MICROSOFT_CLIENT_ID,
           "DeviceToken": token,
           "Offers": [
-            REQUESTED_SCOPES
+            REQUESTED_SCOPE
           ],
           "Query": {
             "code_challenge": challenge,
@@ -939,7 +902,7 @@ async fn sisu_authenticate(
             "state": generate_oauth_challenge(),
             "prompt": "select_account"
           },
-          "RedirectUri": REDIRECT_URL,
+          "RedirectUri": AUTH_REPLY_URL,
           "Sandbox": "RETAIL",
           "TokenType": "code",
           "TitleId": "1794566092",
@@ -983,12 +946,12 @@ async fn oauth_token(
     verifier: &str,
 ) -> Result<RequestWithDate<OAuthToken>, MinecraftAuthenticationError> {
     let mut query = HashMap::new();
-    query.insert("client_id", "00000000402b5328");
+    query.insert("client_id", MICROSOFT_CLIENT_ID);
     query.insert("code", code);
     query.insert("code_verifier", verifier);
     query.insert("grant_type", "authorization_code");
-    query.insert("redirect_uri", "https://login.live.com/oauth20_desktop.srf");
+    query.insert("redirect_uri", AUTH_REPLY_URL);
-    query.insert("scope", "service::user.auth.xboxlive.com::MBI_SSL");
+    query.insert("scope", REQUESTED_SCOPE);
 
     let res = auth_retry(|| {
         REQWEST_CLIENT
@@ -1032,11 +995,11 @@ async fn oauth_refresh(
     refresh_token: &str,
 ) -> Result<RequestWithDate<OAuthToken>, MinecraftAuthenticationError> {
     let mut query = HashMap::new();
-    query.insert("client_id", "00000000402b5328");
+    query.insert("client_id", MICROSOFT_CLIENT_ID);
     query.insert("refresh_token", refresh_token);
     query.insert("grant_type", "refresh_token");
-    query.insert("redirect_uri", "https://login.live.com/oauth20_desktop.srf");
+    query.insert("redirect_uri", AUTH_REPLY_URL);
-    query.insert("scope", "service::user.auth.xboxlive.com::MBI_SSL");
+    query.insert("scope", REQUESTED_SCOPE);
 
     let res = auth_retry(|| {
         REQWEST_CLIENT
@@ -1100,7 +1063,7 @@ async fn sisu_authorize(
         "/authorize",
         json!({
             "AccessToken": format!("t={access_token}"),
-            "AppId": "00000000402b5328",
+            "AppId": MICROSOFT_CLIENT_ID,
             "DeviceToken": device_token,
             "ProofKey": {
                 "kty": "EC",

packages/app-lib/src/state/mr_auth.rs

@@ -1,4 +1,3 @@
-use crate::config::{MODRINTH_API_URL, MODRINTH_URL};
 use crate::state::{CacheBehaviour, CachedEntry};
 use crate::util::fetch::{FetchSemaphore, fetch_advanced};
 use chrono::{DateTime, Duration, TimeZone, Utc};
@@ -31,7 +30,7 @@ impl ModrinthCredentials {
 
                 let resp = fetch_advanced(
                     Method::POST,
-                    &format!("{MODRINTH_API_URL}session/refresh"),
+                    concat!(env!("MODRINTH_API_URL"), "session/refresh"),
                     None,
                     None,
                     Some(("Authorization", &*creds.session)),
@@ -190,8 +189,8 @@ impl ModrinthCredentials {
     }
 }
 
-pub fn get_login_url() -> String {
+pub const fn get_login_url() -> &'static str {
-    format!("{MODRINTH_URL}auth/sign-in?launcher=true")
+    concat!(env!("MODRINTH_URL"), "auth/sign-in")
 }
 
 pub async fn finish_login_flow(
@@ -199,6 +198,12 @@ pub async fn finish_login_flow(
     semaphore: &FetchSemaphore,
     exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite>,
 ) -> crate::Result<ModrinthCredentials> {
+    // The authorization code actually is the access token, since Labrinth doesn't
+    // issue separate authorization codes. Therefore, this is equivalent to an
+    // implicit OAuth grant flow, and no additional exchanging or finalization is
+    // needed. TODO not do this for the reasons outlined at
+    // https://oauth.net/2/grant-types/implicit/
+
     let info = fetch_info(code, semaphore, exec).await?;
 
     Ok(ModrinthCredentials {
@@ -216,7 +221,7 @@ async fn fetch_info(
 ) -> crate::Result<crate::state::cache::User> {
     let result = fetch_advanced(
         Method::GET,
-        &format!("{MODRINTH_API_URL}user"),
+        concat!(env!("MODRINTH_API_URL"), "user"),
         None,
         None,
         Some(("Authorization", token)),

packages/app-lib/src/util/fetch.rs

@@ -1,6 +1,5 @@
 //! Functions for fetching information from the Internet
 use super::io::{self, IOError};
-use crate::config::{MODRINTH_API_URL, MODRINTH_API_URL_V3};
 use crate::event::LoadingBarId;
 use crate::event::emit::emit_loading;
 use bytes::Bytes;
@@ -84,8 +83,8 @@ pub async fn fetch_advanced(
         .as_ref()
         .is_none_or(|x| &*x.0.to_lowercase() != "authorization")
         && (url.starts_with("https://cdn.modrinth.com")
-            || url.starts_with(MODRINTH_API_URL)
+            || url.starts_with(env!("MODRINTH_API_URL"))
-            || url.starts_with(MODRINTH_API_URL_V3))
+            || url.starts_with(env!("MODRINTH_API_URL_V3")))
     {
         crate::state::ModrinthCredentials::get_active(exec).await?
     } else {

packages/moderation/index.ts

@@ -3,6 +3,7 @@ export * from './types/messages'
 export * from './types/stage'
 export * from './types/keybinds'
 export * from './utils'
+export { finalPermissionMessages } from './data/modpack-permissions-stage'
 
 export { default as checklist } from './data/checklist'
 export { default as keybinds } from './data/keybinds'

packages/utils/types.ts

@@ -315,7 +315,7 @@ export interface ModerationPermissionType {
 export interface ModerationBaseModpackItem {
   sha1: string
   file_name: string
-  type: 'unknown' | 'flame'
+  type: 'unknown' | 'flame' | 'identified'
   status: ModerationModpackPermissionApprovalType['id'] | null
   approved: ModerationPermissionType['id'] | null
 }
@@ -334,9 +334,26 @@ export interface ModerationFlameModpackItem extends ModerationBaseModpackItem {
   url: string
 }
 
-export type ModerationModpackItem = ModerationUnknownModpackItem | ModerationFlameModpackItem
+export interface ModerationIdentifiedModpackItem extends ModerationBaseModpackItem {
+  type: 'identified'
+  proof?: string
+  url?: string
+  title?: string
+}
+
+export type ModerationModpackItem =
+  | ModerationUnknownModpackItem
+  | ModerationFlameModpackItem
+  | ModerationIdentifiedModpackItem
 
 export interface ModerationModpackResponse {
+  identified?: Record<
+    string,
+    {
+      file_name: string
+      status: ModerationModpackPermissionApprovalType['id']
+    }
+  >
   unknown_files?: Record<string, string>
   flame_files?: Record<
     string,
@@ -350,8 +367,8 @@ export interface ModerationModpackResponse {
 }
 
 export interface ModerationJudgement {
-  type: 'flame' | 'unknown'
+  type: 'flame' | 'unknown' | 'identified'
-  status: string
+  status: string | null
   id?: string
   link?: string
   title?: string