Allow manually setting the skin url to be used
Closed this issue · 3 comments
For example to use skins from textures.minecraft.net so you dont need mods
I have a version here that has this but i can't program so the code is probably bad
Serving Mojang skin urls to get skins working in Vanilla is an excellent idea, I love this.
Having the user enter their own URL is one option, I am not totally against that. There is a slight security issue, imagine:
- Mallory wants to dox Alice. Mallory sets her skin url to a webpage she controls
- Alice logs on to the server with a modded client that accepts skins from any domain (there are probably skin mods that do this?)
- Alice loads Mallory's skin and Mallory learns her IP address
It's not a huge deal, but in online games there is a passive assumption that your IP address is private to the other players.
To mitigate that problem, you could validate the skin URL against the configured list of skin domains.
Or, here's what I prefer: since there is already skin forwarding to fallback API servers, what if the user could enter a "skin fallback username", and when Drasl looks for a fallback skin, it looks for that username's skin instead of the skin for the UUID of the Drasl account. So instead of the UX being "find the link to the texture on textures.minecraft.net", it becomes "type the name of the Mojang user's skin you want to use". I think the code would be simpler too.
Another issue with letting the user specify their own URL: before 1.20, the Notchian client hardcoded the Mojang public key used for verifying the signature of the textures property returned from https://sessionserver.mojang.com/session/minecraft/profile/<uuid> and https://sessionserver.mojang.com/session/minecraft/hasJoined. So we can't pass the game our own URL, it has to come signed from Mojang.
Drasl's "skin forwarding" works around this by forwarding the whole textures property, not just grabbing the skin URL and re-signing it. So skin forwarding should work in all versions, but setting a custom URL can only work in 1.20+, or with a modded client, which defeats the purpose of hosting skins on textures.minecraft.net.
I changed the name of the SkinForwarding option to ForwardSkins and added a "Fallback Player" setting to the web UI so you can set the name or UUID of the player whose skin you want to use.