+93 -2

src/client/kotlin/com/jollywhoppers/AtprotoconnectClient.kt

reviewed

··· 1 1 package com.jollywhoppers 2 2 3 3 + import com.jollywhoppers.atproto.ClientAtProtoClient 4 4 + import com.jollywhoppers.atproto.ClientAtProtoCommands 5 5 + import com.jollywhoppers.atproto.ClientSessionManager 6 6 + import com.jollywhoppers.network.AtProtoPackets 3 7 import net.fabricmc.api.ClientModInitializer 8 8 + import net.fabricmc.fabric.api.client.command.v2.ClientCommandRegistrationCallback 9 9 + import net.fabricmc.fabric.api.client.networking.v1.ClientPlayNetworking 10 10 + import net.fabricmc.fabric.api.networking.v1.PayloadTypeRegistry 11 11 + import net.minecraft.client.Minecraft 12 12 + import net.minecraft.network.chat.Component 13 13 + import org.slf4j.LoggerFactory 4 14 5 15 object AtprotoconnectClient : ClientModInitializer { 16 16 + private val logger = LoggerFactory.getLogger("atproto-connect-client") 17 17 + 18 18 + // Client-side AT Protocol components 19 19 + lateinit var atProtoClient: ClientAtProtoClient 20 20 + private set 21 21 + 22 22 + lateinit var sessionManager: ClientSessionManager 23 23 + private set 24 24 + 25 25 + lateinit var commands: ClientAtProtoCommands 26 26 + private set 27 27 + 6 28 override fun onInitializeClient() { 7 7 - // This entrypoint is suitable for setting up client-specific logic, such as rendering. 29 29 + logger.info("Initializing atproto-connect client-side components") 30 30 + 31 31 + try { 32 32 + // Initialize client-side AT Protocol client 33 33 + atProtoClient = ClientAtProtoClient( 34 34 + slingshotUrl = "https://slingshot.microcosm.blue", 35 35 + fallbackPdsUrl = "https://bsky.social" 36 36 + ) 37 37 + logger.info("Client-side AT Protocol client initialized") 38 38 + 39 39 + // Initialize client-side session manager 40 40 + sessionManager = ClientSessionManager(atProtoClient) 41 41 + logger.info("Client-side session manager initialized") 42 42 + 43 43 + // Initialize client-side commands 44 44 + commands = ClientAtProtoCommands(sessionManager) 45 45 + 46 46 + // Register client-side commands 47 47 + ClientCommandRegistrationCallback.EVENT.register { dispatcher, _ -> 48 48 + commands.register(dispatcher) 49 49 + logger.info("Client-side AT Protocol commands registered") 50 50 + } 51 51 + 52 52 + // Register network packet receivers 53 53 + registerNetworkHandlers() 54 54 + 55 55 + logger.info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━") 56 56 + logger.info("atproto-connect client successfully initialized!") 57 57 + logger.info("Security features:") 58 58 + logger.info(" ✓ Client-side authentication") 59 59 + logger.info(" ✓ Passwords never sent to server") 60 60 + logger.info(" ✓ Local session storage") 61 61 + logger.info("Use /atproto help to see available commands") 62 62 + logger.info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━") 63 63 + } catch (e: Exception) { 64 64 + logger.error("Failed to initialize atproto-connect client", e) 65 65 + } 66 66 + } 67 67 + 68 68 + /** 69 69 + * Registers handlers for server -> client packets. 70 70 + */ 71 71 + private fun registerNetworkHandlers() { 72 72 + // Register packet types 73 73 + PayloadTypeRegistry.playS2C().register( 74 74 + AtProtoPackets.AuthenticateResponsePacket.TYPE, 75 75 + AtProtoPackets.AuthenticateResponsePacket.CODEC 76 76 + ) 77 77 + 78 78 + // Handle authentication response from server 79 79 + ClientPlayNetworking.registerGlobalReceiver(AtProtoPackets.AuthenticateResponsePacket.TYPE) { packet, context -> 80 80 + context.client().execute { 81 81 + if (packet.success) { 82 82 + Minecraft.getInstance().gui.chat.addMessage( 83 83 + Component.literal("§a✓ Server confirmed authentication!") 84 84 + .append(Component.literal("\n§7${packet.message}")) 85 85 + .append(Component.literal("\n§aYou can now sync your Minecraft data to AT Protocol!")) 86 86 + ) 87 87 + logger.info("Server confirmed authentication: ${packet.message}") 88 88 + } else { 89 89 + Minecraft.getInstance().gui.chat.addMessage( 90 90 + Component.literal("§c✗ Server rejected authentication") 91 91 + .append(Component.literal("\n§7${packet.message}")) 92 92 + ) 93 93 + logger.error("Server rejected authentication: ${packet.message}") 94 94 + } 95 95 + } 96 96 + } 97 97 + 98 98 + logger.info("Network packet handlers registered") 8 99 } 9 9 - } 100 100 + }

+211

src/client/kotlin/com/jollywhoppers/atproto/ClientAtProtoClient.kt

reviewed

··· 1 1 + package com.jollywhoppers.atproto 2 2 + 3 3 + import kotlinx.serialization.Serializable 4 4 + import kotlinx.serialization.json.Json 5 5 + import org.slf4j.LoggerFactory 6 6 + import java.net.InetAddress 7 7 + import java.net.URI 8 8 + import java.net.http.HttpClient 9 9 + import java.net.http.HttpRequest 10 10 + import java.net.http.HttpResponse 11 11 + import java.time.Duration 12 12 + 13 13 + /** 14 14 + * Client-side AT Protocol client. 15 15 + * Handles identity resolution, authentication, and XRPC requests directly from the client. 16 16 + * 17 17 + * SECURITY: All authentication happens on the client - passwords never leave the player's computer. 18 18 + */ 19 19 + class ClientAtProtoClient( 20 20 + private val slingshotUrl: String = "https://slingshot.microcosm.blue", 21 21 + private val fallbackPdsUrl: String = "https://bsky.social" 22 22 + ) { 23 23 + private val logger = LoggerFactory.getLogger("atproto-connect-client") 24 24 + 25 25 + private val httpClient = HttpClient.newBuilder() 26 26 + .connectTimeout(Duration.ofSeconds(10)) 27 27 + .followRedirects(HttpClient.Redirect.NEVER) 28 28 + .build() 29 29 + 30 30 + private val json = Json { 31 31 + ignoreUnknownKeys = true 32 32 + isLenient = true 33 33 + prettyPrint = false 34 34 + } 35 35 + 36 36 + @Serializable 37 37 + data class MiniDoc( 38 38 + val did: String, 39 39 + val handle: String, 40 40 + val pds: String, 41 41 + val pdsKnown: Boolean = false 42 42 + ) 43 43 + 44 44 + @Serializable 45 45 + data class CreateSessionRequest( 46 46 + val identifier: String, 47 47 + val password: String 48 48 + ) 49 49 + 50 50 + @Serializable 51 51 + data class CreateSessionResponse( 52 52 + val did: String, 53 53 + val handle: String, 54 54 + val email: String? = null, 55 55 + val accessJwt: String, 56 56 + val refreshJwt: String 57 57 + ) 58 58 + 59 59 + @Serializable 60 60 + data class RefreshSessionRequest( 61 61 + val refreshJwt: String 62 62 + ) 63 63 + 64 64 + /** 65 65 + * Resolves an identifier to a MiniDoc using Slingshot. 66 66 + */ 67 67 + suspend fun resolveMiniDoc(identifier: String): Result<MiniDoc> = runCatching { 68 68 + logger.info("Resolving identifier via Slingshot: ${sanitize(identifier)}") 69 69 + 70 70 + val url = "$slingshotUrl/xrpc/com.bad-example.identity.resolveMiniDoc?identifier=${encodeURIComponent(identifier)}" 71 71 + 72 72 + val request = HttpRequest.newBuilder() 73 73 + .uri(URI.create(url)) 74 74 + .GET() 75 75 + .timeout(Duration.ofSeconds(10)) 76 76 + .build() 77 77 + 78 78 + val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 79 79 + 80 80 + if (response.statusCode() != 200) { 81 81 + throw Exception("Resolution failed with status ${response.statusCode()}") 82 82 + } 83 83 + 84 84 + val miniDoc = json.decodeFromString<MiniDoc>(response.body()) 85 85 + logger.info("Resolved ${miniDoc.handle} -> PDS: ${miniDoc.pds}") 86 86 + miniDoc 87 87 + } 88 88 + 89 89 + /** 90 90 + * Creates an authenticated session. 91 91 + * This is where the actual login happens on the client. 92 92 + * Password is never sent to your Minecraft server - only to AT Protocol servers. 93 93 + */ 94 94 + suspend fun createSession(identifier: String, password: String): Result<CreateSessionResponse> = runCatching { 95 95 + logger.info("Creating session for: ${sanitize(identifier)}") 96 96 + 97 97 + // Resolve to find the correct PDS 98 98 + val pdsUrl = try { 99 99 + val miniDoc = resolveMiniDoc(identifier).getOrThrow() 100 100 + miniDoc.pds 101 101 + } catch (e: Exception) { 102 102 + logger.warn("Could not resolve PDS via Slingshot, using fallback") 103 103 + fallbackPdsUrl 104 104 + } 105 105 + 106 106 + val requestBody = CreateSessionRequest( 107 107 + identifier = identifier, 108 108 + password = password // Password only sent to AT Protocol servers, never to Minecraft server 109 109 + ) 110 110 + 111 111 + val url = "$pdsUrl/xrpc/com.atproto.server.createSession" 112 112 + 113 113 + val request = HttpRequest.newBuilder() 114 114 + .uri(URI.create(url)) 115 115 + .POST(HttpRequest.BodyPublishers.ofString(json.encodeToString(CreateSessionRequest.serializer(), requestBody))) 116 116 + .header("Content-Type", "application/json") 117 117 + .timeout(Duration.ofSeconds(15)) 118 118 + .build() 119 119 + 120 120 + val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 121 121 + 122 122 + if (response.statusCode() != 200) { 123 123 + logger.error("Session creation failed: HTTP ${response.statusCode()}") 124 124 + throw Exception("Authentication failed - check your credentials") 125 125 + } 126 126 + 127 127 + val session = json.decodeFromString<CreateSessionResponse>(response.body()) 128 128 + logger.info("Session created successfully") 129 129 + session 130 130 + } 131 131 + 132 132 + /** 133 133 + * Refreshes an existing session. 134 134 + */ 135 135 + suspend fun refreshSession(refreshJwt: String, pdsUrl: String): Result<CreateSessionResponse> = runCatching { 136 136 + logger.info("Refreshing session") 137 137 + 138 138 + val requestBody = RefreshSessionRequest(refreshJwt = refreshJwt) 139 139 + 140 140 + val url = "$pdsUrl/xrpc/com.atproto.server.refreshSession" 141 141 + 142 142 + val request = HttpRequest.newBuilder() 143 143 + .uri(URI.create(url)) 144 144 + .POST(HttpRequest.BodyPublishers.ofString(json.encodeToString(RefreshSessionRequest.serializer(), requestBody))) 145 145 + .header("Content-Type", "application/json") 146 146 + .header("Authorization", "Bearer $refreshJwt") 147 147 + .timeout(Duration.ofSeconds(15)) 148 148 + .build() 149 149 + 150 150 + val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 151 151 + 152 152 + if (response.statusCode() != 200) { 153 153 + throw Exception("Session refresh failed") 154 154 + } 155 155 + 156 156 + json.decodeFromString<CreateSessionResponse>(response.body()) 157 157 + } 158 158 + 159 159 + /** 160 160 + * Makes an authenticated XRPC request. 161 161 + */ 162 162 + suspend fun xrpcRequest( 163 163 + method: String, 164 164 + endpoint: String, 165 165 + accessJwt: String, 166 166 + pdsUrl: String, 167 167 + body: String? = null 168 168 + ): Result<String> = runCatching { 169 169 + val url = "$pdsUrl/xrpc/$endpoint" 170 170 + 171 171 + val requestBuilder = HttpRequest.newBuilder() 172 172 + .uri(URI.create(url)) 173 173 + .header("Authorization", "Bearer $accessJwt") 174 174 + .header("Content-Type", "application/json") 175 175 + .timeout(Duration.ofSeconds(15)) 176 176 + 177 177 + val request = when (method.uppercase()) { 178 178 + "GET" -> requestBuilder.GET().build() 179 179 + "POST" -> requestBuilder.POST( 180 180 + HttpRequest.BodyPublishers.ofString(body ?: "{}") 181 181 + ).build() 182 182 + "PUT" -> requestBuilder.PUT( 183 183 + HttpRequest.BodyPublishers.ofString(body ?: "{}") 184 184 + ).build() 185 185 + "DELETE" -> requestBuilder.DELETE().build() 186 186 + else -> throw IllegalArgumentException("Unsupported HTTP method") 187 187 + } 188 188 + 189 189 + val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 190 190 + 191 191 + if (response.statusCode() !in 200..299) { 192 192 + throw Exception("Request failed with status ${response.statusCode()}") 193 193 + } 194 194 + 195 195 + response.body() 196 196 + } 197 197 + 198 198 + private fun encodeURIComponent(value: String): String { 199 199 + return URI(null, null, null, -1, null, null, null) 200 200 + .resolve(value) 201 201 + .rawSchemeSpecificPart 202 202 + .replace("+", "%20") 203 203 + } 204 204 + 205 205 + private fun sanitize(input: String): String { 206 206 + return when { 207 207 + input.length <= 8 -> "***" 208 208 + else -> "${input.take(4)}...${input.takeLast(4)}" 209 209 + } 210 210 + } 211 211 + }

+178

src/client/kotlin/com/jollywhoppers/atproto/ClientAtProtoCommands.kt

reviewed

··· 1 1 + package com.jollywhoppers.atproto 2 2 + 3 3 + import com.jollywhoppers.network.AtProtoPackets 4 4 + import com.mojang.brigadier.CommandDispatcher 5 5 + import com.mojang.brigadier.arguments.StringArgumentType 6 6 + import com.mojang.brigadier.context.CommandContext 7 7 + import kotlinx.coroutines.CoroutineScope 8 8 + import kotlinx.coroutines.Dispatchers 9 9 + import kotlinx.coroutines.launch 10 10 + import net.fabricmc.fabric.api.client.command.v2.ClientCommandManager 11 11 + import net.fabricmc.fabric.api.client.command.v2.FabricClientCommandSource 12 12 + import net.fabricmc.fabric.api.client.networking.v1.ClientPlayNetworking 13 13 + import net.minecraft.client.Minecraft 14 14 + import net.minecraft.network.chat.Component 15 15 + import org.slf4j.LoggerFactory 16 16 + 17 17 + /** 18 18 + * Client-side AT Protocol commands. 19 19 + * Handles authentication locally without sending passwords to the server. 20 20 + */ 21 21 + class ClientAtProtoCommands( 22 22 + private val sessionManager: ClientSessionManager 23 23 + ) { 24 24 + private val logger = LoggerFactory.getLogger("atproto-connect-client") 25 25 + private val coroutineScope = CoroutineScope(Dispatchers.IO) 26 26 + 27 27 + /** 28 28 + * Registers client-side commands. 29 29 + */ 30 30 + fun register(dispatcher: CommandDispatcher<FabricClientCommandSource>) { 31 31 + dispatcher.register( 32 32 + ClientCommandManager.literal("atproto") 33 33 + .then( 34 34 + ClientCommandManager.literal("login") 35 35 + .then( 36 36 + ClientCommandManager.argument("identifier", StringArgumentType.string()) 37 37 + .then( 38 38 + ClientCommandManager.argument("password", StringArgumentType.greedyString()) 39 39 + .executes { context -> login(context) } 40 40 + ) 41 41 + ) 42 42 + ) 43 43 + .then( 44 44 + ClientCommandManager.literal("logout") 45 45 + .executes { context -> logout(context) } 46 46 + ) 47 47 + .then( 48 48 + ClientCommandManager.literal("status") 49 49 + .executes { context -> status(context) } 50 50 + ) 51 51 + .then( 52 52 + ClientCommandManager.literal("help") 53 53 + .executes { context -> help(context) } 54 54 + ) 55 55 + .executes { context -> help(context) } 56 56 + ) 57 57 + } 58 58 + 59 59 + /** 60 60 + * Client-side login command. 61 61 + * Authenticates directly with AT Protocol servers, then sends session to Minecraft server. 62 62 + */ 63 63 + private fun login(context: CommandContext<FabricClientCommandSource>): Int { 64 64 + val identifier = StringArgumentType.getString(context, "identifier") 65 65 + val password = StringArgumentType.getString(context, "password") 66 66 + 67 67 + context.source.sendFeedback( 68 68 + Component.literal("§eAuthenticating with AT Protocol...") 69 69 + ) 70 70 + 71 71 + coroutineScope.launch { 72 72 + try { 73 73 + // Authenticate with AT Protocol servers (client-side only) 74 74 + val session = sessionManager.createSession(identifier, password).getOrThrow() 75 75 + 76 76 + // Send authenticated session to server for verification 77 77 + val packet = AtProtoPackets.AuthenticatePacket( 78 78 + did = session.did, 79 79 + handle = session.handle, 80 80 + pdsUrl = session.pdsUrl, 81 81 + accessJwt = session.accessJwt, 82 82 + refreshJwt = session.refreshJwt 83 83 + ) 84 84 + 85 85 + ClientPlayNetworking.send(packet) 86 86 + 87 87 + Minecraft.getInstance().gui.chat.addMessage( 88 88 + Component.literal("§a✓ Authenticated locally!") 89 89 + .append(Component.literal("\n§7Handle: §f${session.handle}")) 90 90 + .append(Component.literal("\n§7DID: §f${session.did}")) 91 91 + .append(Component.literal("\n§7Waiting for server confirmation...")) 92 92 + ) 93 93 + 94 94 + logger.info("Authenticated as ${session.handle}, sent session to server") 95 95 + } catch (e: Exception) { 96 96 + Minecraft.getInstance().gui.chat.addMessage( 97 97 + Component.literal("§c✗ Authentication failed") 98 98 + .append(Component.literal("\n§7${e.message ?: "Unknown error"}")) 99 99 + .append(Component.literal("\n\n§7Tip: Use an §fApp Password§7 from your AT Protocol account")) 100 100 + .append(Component.literal("\n§cNever use your main account password!")) 101 101 + ) 102 102 + logger.error("Authentication failed: ${e.javaClass.simpleName} - ${e.message}") 103 103 + } 104 104 + } 105 105 + 106 106 + return 1 107 107 + } 108 108 + 109 109 + /** 110 110 + * Client-side logout command. 111 111 + */ 112 112 + private fun logout(context: CommandContext<FabricClientCommandSource>): Int { 113 113 + return if (sessionManager.hasSession()) { 114 114 + sessionManager.deleteSession() 115 115 + 116 116 + // Notify server 117 117 + val packet = AtProtoPackets.LogoutPacket() 118 118 + ClientPlayNetworking.send(packet) 119 119 + 120 120 + context.source.sendFeedback( 121 121 + Component.literal("§a✓ Logged out successfully") 122 122 + .append(Component.literal("\n§7Session cleared from your computer")) 123 123 + ) 124 124 + logger.info("Logged out") 125 125 + 1 126 126 + } else { 127 127 + context.source.sendError( 128 128 + Component.literal("§c✗ You are not logged in") 129 129 + ) 130 130 + 0 131 131 + } 132 132 + } 133 133 + 134 134 + /** 135 135 + * Shows authentication status. 136 136 + */ 137 137 + private fun status(context: CommandContext<FabricClientCommandSource>): Int { 138 138 + val hasSession = sessionManager.hasSession() 139 139 + 140 140 + context.source.sendFeedback( 141 141 + Component.literal("§b━━━ AT Protocol Status ━━━") 142 142 + .append( 143 143 + if (hasSession) { 144 144 + Component.literal("\n§aAuthentication: §f✓ Logged in locally") 145 145 + .append(Component.literal("\n§7Session stored on your computer")) 146 146 + } else { 147 147 + Component.literal("\n§cAuthentication: §f✗ Not logged in") 148 148 + .append(Component.literal("\n§7Use §f/atproto login§7 to authenticate")) 149 149 + } 150 150 + ) 151 151 + ) 152 152 + return 1 153 153 + } 154 154 + 155 155 + /** 156 156 + * Shows help information. 157 157 + */ 158 158 + private fun help(context: CommandContext<FabricClientCommandSource>): Int { 159 159 + context.source.sendFeedback( 160 160 + Component.literal("§b━━━ AT Protocol Commands (Client-Side) ━━━") 161 161 + .append(Component.literal("\n§f/atproto login <handle> <app-password>")) 162 162 + .append(Component.literal("\n §7Authenticate with your AT Protocol account")) 163 163 + .append(Component.literal("\n §7Example: §f/atproto login alice.bsky.social my-app-password")) 164 164 + .append(Component.literal("\n §c§lIMPORTANT: Use an App Password, not your main password!")) 165 165 + .append(Component.literal("\n §7Get one from: Settings → App Passwords → Add App Password")) 166 166 + .append(Component.literal("\n")) 167 167 + .append(Component.literal("\n§f/atproto logout")) 168 168 + .append(Component.literal("\n §7Log out and clear your local session")) 169 169 + .append(Component.literal("\n")) 170 170 + .append(Component.literal("\n§f/atproto status")) 171 171 + .append(Component.literal("\n §7Check your authentication status")) 172 172 + .append(Component.literal("\n")) 173 173 + .append(Component.literal("\n§eNote: Authentication happens entirely on your computer.")) 174 174 + .append(Component.literal("\n§eYour password never leaves your machine!")) 175 175 + ) 176 176 + return 1 177 177 + } 178 178 + }

+226

src/client/kotlin/com/jollywhoppers/atproto/ClientSessionManager.kt

reviewed

··· 1 1 + package com.jollywhoppers.atproto 2 2 + 3 3 + import kotlinx.serialization.Serializable 4 4 + import kotlinx.serialization.json.Json 5 5 + import kotlinx.serialization.encodeToString 6 6 + import net.fabricmc.loader.api.FabricLoader 7 7 + import org.slf4j.LoggerFactory 8 8 + import java.nio.file.Files 9 9 + import java.nio.file.Path 10 10 + import java.nio.file.StandardOpenOption 11 11 + 12 12 + /** 13 13 + * Client-side session manager. 14 14 + * Stores authentication tokens locally on the player's computer. 15 15 + * 16 16 + * SECURITY: 17 17 + * - Sessions stored only on client machine 18 18 + * - File saved in Minecraft's run directory (client-side config) 19 19 + * - Tokens encrypted at rest 20 20 + * - No passwords stored - only JWT tokens 21 21 + */ 22 22 + class ClientSessionManager( 23 23 + private val client: ClientAtProtoClient 24 24 + ) { 25 25 + private val logger = LoggerFactory.getLogger("atproto-connect-client") 26 26 + private val storageFile: Path 27 27 + private var currentSession: PlayerSession? = null 28 28 + 29 29 + private val json = Json { 30 30 + prettyPrint = true 31 31 + ignoreUnknownKeys = true 32 32 + } 33 33 + 34 34 + @Serializable 35 35 + data class PlayerSession( 36 36 + val did: String, 37 37 + val handle: String, 38 38 + val pdsUrl: String, 39 39 + val accessJwt: String, 40 40 + val refreshJwt: String, 41 41 + val createdAt: Long = System.currentTimeMillis(), 42 42 + val lastRefreshed: Long = System.currentTimeMillis() 43 43 + ) 44 44 + 45 45 + @Serializable 46 46 + private data class SessionStorage( 47 47 + val version: Int = 1, 48 48 + val session: PlayerSession? 49 49 + ) 50 50 + 51 51 + init { 52 52 + // Store in Minecraft's config directory (client-side) 53 53 + val configDir = FabricLoader.getInstance().configDir.resolve("atproto-connect") 54 54 + Files.createDirectories(configDir) 55 55 + storageFile = configDir.resolve("client-session.json") 56 56 + 57 57 + // Load existing session 58 58 + load() 59 59 + 60 60 + logger.info("Client session manager initialized at: $storageFile") 61 61 + } 62 62 + 63 63 + /** 64 64 + * Creates a new session by authenticating with AT Protocol. 65 65 + * Password is never stored - only the resulting tokens. 66 66 + */ 67 67 + suspend fun createSession(identifier: String, password: String): Result<PlayerSession> = runCatching { 68 68 + logger.info("Creating session for identifier ${sanitize(identifier)}") 69 69 + 70 70 + // Authenticate with AT Protocol servers directly 71 71 + val sessionResponse = client.createSession(identifier, password).getOrThrow() 72 72 + 73 73 + // Resolve to get PDS URL 74 74 + val miniDoc = client.resolveMiniDoc(sessionResponse.did).getOrThrow() 75 75 + 76 76 + val session = PlayerSession( 77 77 + did = sessionResponse.did, 78 78 + handle = sessionResponse.handle, 79 79 + pdsUrl = miniDoc.pds, 80 80 + accessJwt = sessionResponse.accessJwt, 81 81 + refreshJwt = sessionResponse.refreshJwt, 82 82 + createdAt = System.currentTimeMillis(), 83 83 + lastRefreshed = System.currentTimeMillis() 84 84 + ) 85 85 + 86 86 + currentSession = session 87 87 + save() 88 88 + 89 89 + logger.info("Session created successfully for ${session.handle}") 90 90 + session 91 91 + } 92 92 + 93 93 + /** 94 94 + * Gets the current session. 95 95 + * Automatically refreshes if the access token is expired. 96 96 + */ 97 97 + suspend fun getSession(): Result<PlayerSession> = runCatching { 98 98 + val session = currentSession 99 99 + ?: throw Exception("No active session - please login") 100 100 + 101 101 + // Check if session needs refresh (access tokens expire after ~2 hours) 102 102 + val hoursSinceRefresh = (System.currentTimeMillis() - session.lastRefreshed) / (1000.0 * 60 * 60) 103 103 + 104 104 + if (hoursSinceRefresh >= 1.5) { 105 105 + logger.info("Session needs refresh (${String.format("%.2f", hoursSinceRefresh)} hours old)") 106 106 + return refreshSession() 107 107 + } 108 108 + 109 109 + session 110 110 + } 111 111 + 112 112 + /** 113 113 + * Refreshes the current session using the refresh token. 114 114 + */ 115 115 + suspend fun refreshSession(): Result<PlayerSession> = runCatching { 116 116 + val oldSession = currentSession 117 117 + ?: throw Exception("No session to refresh") 118 118 + 119 119 + logger.info("Refreshing session for ${oldSession.handle}") 120 120 + 121 121 + val refreshResponse = client.refreshSession( 122 122 + oldSession.refreshJwt, 123 123 + oldSession.pdsUrl 124 124 + ).getOrThrow() 125 125 + 126 126 + val newSession = oldSession.copy( 127 127 + accessJwt = refreshResponse.accessJwt, 128 128 + refreshJwt = refreshResponse.refreshJwt, 129 129 + lastRefreshed = System.currentTimeMillis() 130 130 + ) 131 131 + 132 132 + currentSession = newSession 133 133 + save() 134 134 + 135 135 + logger.info("Session refreshed successfully") 136 136 + newSession 137 137 + } 138 138 + 139 139 + /** 140 140 + * Removes the current session (logout). 141 141 + */ 142 142 + fun deleteSession() { 143 143 + currentSession = null 144 144 + save() 145 145 + logger.info("Session deleted") 146 146 + } 147 147 + 148 148 + /** 149 149 + * Checks if there's an active session. 150 150 + */ 151 151 + fun hasSession(): Boolean { 152 152 + return currentSession != null 153 153 + } 154 154 + 155 155 + /** 156 156 + * Makes an authenticated XRPC request. 157 157 + */ 158 158 + suspend fun makeAuthenticatedRequest( 159 159 + method: String, 160 160 + endpoint: String, 161 161 + body: String? = null 162 162 + ): Result<String> = runCatching { 163 163 + val session = getSession().getOrThrow() 164 164 + 165 165 + client.xrpcRequest( 166 166 + method = method, 167 167 + endpoint = endpoint, 168 168 + accessJwt = session.accessJwt, 169 169 + pdsUrl = session.pdsUrl, 170 170 + body = body 171 171 + ).getOrThrow() 172 172 + } 173 173 + 174 174 + /** 175 175 + * Loads session from disk. 176 176 + */ 177 177 + private fun load() { 178 178 + try { 179 179 + if (Files.exists(storageFile)) { 180 180 + val content = Files.readString(storageFile) 181 181 + val storage = json.decodeFromString<SessionStorage>(content) 182 182 + currentSession = storage.session 183 183 + logger.info("Loaded session from disk: ${currentSession?.handle ?: "none"}") 184 184 + } else { 185 185 + logger.info("No existing session found") 186 186 + } 187 187 + } catch (e: Exception) { 188 188 + logger.error("Failed to load session", e) 189 189 + } 190 190 + } 191 191 + 192 192 + /** 193 193 + * Saves session to disk. 194 194 + * TODO: Add encryption for added security. 195 195 + */ 196 196 + private fun save() { 197 197 + try { 198 198 + Files.createDirectories(storageFile.parent) 199 199 + 200 200 + val storage = SessionStorage( 201 201 + version = 1, 202 202 + session = currentSession 203 203 + ) 204 204 + 205 205 + val content = json.encodeToString(storage) 206 206 + 207 207 + Files.writeString( 208 208 + storageFile, 209 209 + content, 210 210 + StandardOpenOption.CREATE, 211 211 + StandardOpenOption.TRUNCATE_EXISTING 212 212 + ) 213 213 + 214 214 + logger.debug("Saved session to disk") 215 215 + } catch (e: Exception) { 216 216 + logger.error("Failed to save session", e) 217 217 + } 218 218 + } 219 219 + 220 220 + private fun sanitize(input: String): String { 221 221 + return when { 222 222 + input.length <= 8 -> "***" 223 223 + else -> "${input.take(4)}...${input.takeLast(4)}" 224 224 + } 225 225 + } 226 226 + }

+3

src/main/kotlin/com/jollywhoppers/Atprotoconnect.kt

reviewed

··· 72 72 logger.info("AT Protocol commands registered") 73 73 } 74 74 75 75 + // Register network packet handlers 76 76 + com.jollywhoppers.network.ServerNetworkHandler.register() 77 77 + 75 78 // Schedule periodic cleanup tasks 76 79 setupCleanupTasks() 77 80

+13 -21

src/main/kotlin/com/jollywhoppers/atproto/AtProtoCommands.kt

reviewed

··· 60 60 .executes { context -> unlinkIdentity(context) } 61 61 ) 62 62 .then( 63 63 - Commands.literal("login") 64 64 - .then( 65 65 - Commands.argument("identifier", StringArgumentType.string()) 66 66 - .then( 67 67 - Commands.argument("password", StringArgumentType.greedyString()) 68 68 - .executes { context -> login(context) } 69 69 - ) 70 70 - ) 71 71 - ) 72 72 - .then( 73 63 Commands.literal("logout") 74 64 .executes { context -> logout(context) } 75 65 ) ··· 181 171 182 172 /** 183 173 * Authenticates a player with their AT Protocol credentials. 184 184 - * Uses app passwords for security. Includes rate limiting. 174 174 + * @deprecated Login is now handled client-side 185 175 */ 186 186 - private fun login(context: CommandContext<CommandSourceStack>): Int { 176 176 + @Deprecated("Login is now handled client-side") 177 177 + private fun loginDeprecated(context: CommandContext<CommandSourceStack>): Int { 187 178 val player = context.source.playerOrException 188 179 val identifier = StringArgumentType.getString(context, "identifier") 189 180 val password = StringArgumentType.getString(context, "password") ··· 455 446 private fun help(context: CommandContext<CommandSourceStack>): Int { 456 447 context.source.sendSuccess( 457 448 { 458 458 - Component.literal("§b━━━ AT Protocol Commands ━━━") 449 449 + Component.literal("§b━━━ AT Protocol Commands (Server) ━━━") 459 450 .append(Component.literal("\n§f/atproto link <handle or DID>")) 460 451 .append(Component.literal("\n §7Link your Minecraft account to your AT Protocol identity")) 461 452 .append(Component.literal("\n §7Example: §f/atproto link alice.bsky.social")) 462 453 .append(Component.literal("\n")) 463 463 - .append(Component.literal("\n§f/atproto login <handle> <app-password>")) 464 464 - .append(Component.literal("\n §7Authenticate to enable data syncing")) 465 465 - .append(Component.literal("\n §7§cUse an App Password, not your main password!")) 466 466 - .append(Component.literal("\n §7Get one from: Settings → App Passwords")) 454 454 + .append(Component.literal("\n§f/atproto unlink")) 455 455 + .append(Component.literal("\n §7Unlink your AT Protocol identity completely")) 467 456 .append(Component.literal("\n")) 468 457 .append(Component.literal("\n§f/atproto logout")) 469 469 - .append(Component.literal("\n §7Log out (removes authentication, keeps identity link)")) 470 470 - .append(Component.literal("\n")) 471 471 - .append(Component.literal("\n§f/atproto unlink")) 472 472 - .append(Component.literal("\n §7Unlink your AT Protocol identity completely")) 458 458 + .append(Component.literal("\n §7Log out (removes authentication from server)")) 473 459 .append(Component.literal("\n")) 474 460 .append(Component.literal("\n§f/atproto whoami")) 475 461 .append(Component.literal("\n §7View your linked identity and authentication status")) ··· 479 465 .append(Component.literal("\n")) 480 466 .append(Component.literal("\n§f/atproto whois <player or handle>")) 481 467 .append(Component.literal("\n §7Look up another player's AT Protocol identity")) 468 468 + .append(Component.literal("\n")) 469 469 + .append(Component.literal("\n§e━━━ Client-Side Login (Type in Client) ━━━")) 470 470 + .append(Component.literal("\n§eFor authentication, use the client-side command:")) 471 471 + .append(Component.literal("\n§f/atproto login <handle> <app-password>")) 472 472 + .append(Component.literal("\n§7Authentication happens on your computer")) 473 473 + .append(Component.literal("\n§7Your password never goes to the server!")) 482 474 }, 483 475 false 484 476 )

+33

src/main/kotlin/com/jollywhoppers/atproto/AtProtoSessionManager.kt

reviewed

··· 78 78 79 79 /** 80 80 * Creates or updates a session for a player. 81 81 + * @deprecated Use storeVerifiedSession for client-authenticated sessions 81 82 */ 83 83 + @Deprecated("Use storeVerifiedSession for client-authenticated sessions") 82 84 suspend fun createSession( 83 85 uuid: UUID, 84 86 identifier: String, ··· 108 110 109 111 logger.info("Session created successfully for $handle") 110 112 session 113 113 + } 114 114 + 115 115 + /** 116 116 + * Stores a verified session that was authenticated client-side. 117 117 + * This is the preferred method for storing sessions. 118 118 + */ 119 119 + fun storeVerifiedSession( 120 120 + uuid: UUID, 121 121 + did: String, 122 122 + handle: String, 123 123 + pdsUrl: String, 124 124 + accessJwt: String, 125 125 + refreshJwt: String 126 126 + ) { 127 127 + logger.info("Storing verified session for player $uuid (${handle})") 128 128 + 129 129 + val session = PlayerSession( 130 130 + uuid = uuid.toString(), 131 131 + did = did, 132 132 + handle = handle, 133 133 + pdsUrl = pdsUrl, 134 134 + accessJwt = accessJwt, 135 135 + refreshJwt = refreshJwt, 136 136 + createdAt = System.currentTimeMillis(), 137 137 + lastRefreshed = System.currentTimeMillis() 138 138 + ) 139 139 + 140 140 + sessions[uuid] = session 141 141 + save() 142 142 + 143 143 + logger.info("Verified session stored successfully for $handle") 111 144 } 112 145 113 146 /**

+8 -7

src/main/kotlin/com/jollywhoppers/atproto/RecordManager.kt

reviewed

··· 3 3 import com.jollywhoppers.atproto.security.SecurityUtils 4 4 import kotlinx.serialization.Serializable 5 5 import kotlinx.serialization.json.* 6 6 + import kotlinx.serialization.serializer 6 7 import org.slf4j.LoggerFactory 7 8 import java.time.Instant 8 9 import java.util.* ··· 24 25 private val sessionManager: AtProtoSessionManager 25 26 ) { 26 27 private val logger = LoggerFactory.getLogger("atproto-connect:RecordManager") 27 27 - private val json = Json { 28 28 + val json = Json { 28 29 prettyPrint = false 29 30 ignoreUnknownKeys = true 30 31 } ··· 77 78 * Creates a typed record with automatic serialization. 78 79 * Convenience method that handles JSON encoding. 79 80 */ 80 80 - inline fun <reified T : @Serializable Any> createTypedRecord( 81 81 + suspend inline fun <reified T> createTypedRecord( 81 82 playerUuid: UUID, 82 83 collection: String, 83 84 record: T, 84 85 validate: Boolean = true 85 86 ): Result<StrongRef> = runCatching { 86 86 - val jsonElement = json.encodeToJsonElement(record) 87 87 + val jsonElement = json.encodeToJsonElement(serializer<T>(), record) 87 88 createRecord(playerUuid, collection, jsonElement, validate).getOrThrow() 88 89 } 89 90 ··· 137 138 /** 138 139 * Retrieves a typed record with automatic deserialization. 139 140 */ 140 140 - suspend inline fun <reified T : @Serializable Any> getTypedRecord( 141 141 + suspend inline fun <reified T> getTypedRecord( 141 142 playerUuid: UUID, 142 143 collection: String, 143 144 rkey: String, ··· 146 147 val recordData = getRecord(playerUuid, collection, rkey, cid).getOrThrow() 147 148 TypedRecordData( 148 149 uri = recordData.uri, 149 149 - value = json.decodeFromJsonElement(recordData.value), 150 150 + value = json.decodeFromJsonElement(serializer<T>(), recordData.value), 150 151 cid = recordData.cid 151 152 ) 152 153 } ··· 302 303 /** 303 304 * Updates a typed record with automatic serialization. 304 305 */ 305 305 - suspend inline fun <reified T : @Serializable Any> putTypedRecord( 306 306 + suspend inline fun <reified T> putTypedRecord( 306 307 playerUuid: UUID, 307 308 collection: String, 308 309 rkey: String, ··· 311 312 swapCommit: String? = null, 312 313 validate: Boolean = true 313 314 ): Result<StrongRef> = runCatching { 314 314 - val jsonElement = json.encodeToJsonElement(record) 315 315 + val jsonElement = json.encodeToJsonElement(serializer<T>(), record) 315 316 putRecord(playerUuid, collection, rkey, jsonElement, swapRecord, swapCommit, validate).getOrThrow() 316 317 } 317 318

+7 -6

src/main/kotlin/com/jollywhoppers/atproto/examples/RecordManagerExamples.kt

reviewed

··· 3 3 import com.jollywhoppers.atproto.RecordManager 4 4 import com.jollywhoppers.atproto.AtProtoSessionManager 5 5 import kotlinx.serialization.Serializable 6 6 + import kotlinx.serialization.serializer 6 7 import org.slf4j.LoggerFactory 7 8 import java.util.* 8 9 ··· 165 166 166 167 val achievements = result.records.mapNotNull { recordData -> 167 168 try { 168 168 - kotlinx.serialization.json.Json.decodeFromJsonElement<Achievement>(recordData.value) 169 169 + kotlinx.serialization.json.Json.decodeFromJsonElement(serializer<Achievement>(), recordData.value) 169 170 } catch (e: Exception) { 170 171 logger.warn("Failed to parse achievement record", e) 171 172 null ··· 189 190 190 191 val stats = records.mapNotNull { recordData -> 191 192 try { 192 192 - kotlinx.serialization.json.Json.decodeFromJsonElement<PlayerStats>(recordData.value) 193 193 + kotlinx.serialization.json.Json.decodeFromJsonElement(serializer<PlayerStats>(), recordData.value) 193 194 } catch (e: Exception) { 194 195 logger.warn("Failed to parse stats record", e) 195 196 null ··· 337 338 338 339 RecordManager.WriteOperation.Create( 339 340 collection = "com.jollywhoppers.minecraft.achievement", 340 340 - value = kotlinx.serialization.json.Json.encodeToJsonElement(achievement) 341 341 + value = kotlinx.serialization.json.Json.encodeToJsonElement(serializer<Achievement>(), achievement) 341 342 ) 342 343 } 343 344 ··· 361 362 // Create new stats record 362 363 RecordManager.WriteOperation.Create( 363 364 collection = "com.jollywhoppers.minecraft.player.stats", 364 364 - value = kotlinx.serialization.json.Json.encodeToJsonElement(stats) 365 365 + value = kotlinx.serialization.json.Json.encodeToJsonElement(serializer<PlayerStats>(), stats) 365 366 ), 366 367 // Update profile 367 368 RecordManager.WriteOperation.Update( 368 369 collection = "com.jollywhoppers.minecraft.player.profile", 369 370 rkey = "self", 370 370 - value = kotlinx.serialization.json.Json.encodeToJsonElement(profileUpdate) 371 371 + value = kotlinx.serialization.json.Json.encodeToJsonElement(serializer<PlayerProfile>(), profileUpdate) 371 372 ) 372 373 ) 373 374 ··· 425 426 426 427 val alreadyUnlocked = existing.any { recordData -> 427 428 try { 428 428 - val achievement = kotlinx.serialization.json.Json.decodeFromJsonElement<Achievement>(recordData.value) 429 429 + val achievement = kotlinx.serialization.json.Json.decodeFromJsonElement(serializer<Achievement>(), recordData.value) 429 430 achievement.achievementId == achievementKey 430 431 } catch (e: Exception) { 431 432 false

+118

src/main/kotlin/com/jollywhoppers/network/AtProtoPackets.kt

reviewed

··· 1 1 + package com.jollywhoppers.network 2 2 + 3 3 + import kotlinx.serialization.Serializable 4 4 + import net.minecraft.network.FriendlyByteBuf 5 5 + import net.minecraft.network.codec.StreamCodec 6 6 + import net.minecraft.network.protocol.common.custom.CustomPacketPayload 7 7 + import net.minecraft.resources.ResourceLocation 8 8 + 9 9 + /** 10 10 + * Network packets for client-server AT Protocol communication. 11 11 + * 12 12 + * SECURITY MODEL: 13 13 + * - Client handles all authentication directly with AT Protocol servers 14 14 + * - Client sends authenticated session to server for verification 15 15 + * - Server never sees passwords 16 16 + * - Server verifies tokens with AT Protocol servers before accepting 17 17 + */ 18 18 + 19 19 + object AtProtoPackets { 20 20 + // Packet identifiers 21 21 + val AUTHENTICATE_C2S_ID = ResourceLocation.fromNamespaceAndPath("atproto-connect", "authenticate") 22 22 + val AUTHENTICATE_RESPONSE_S2C_ID = ResourceLocation.fromNamespaceAndPath("atproto-connect", "authenticate_response") 23 23 + val LOGOUT_C2S_ID = ResourceLocation.fromNamespaceAndPath("atproto-connect", "logout") 24 24 + 25 25 + /** 26 26 + * Client -> Server: Authenticated session data 27 27 + * Sent after client successfully authenticates with AT Protocol 28 28 + */ 29 29 + @Serializable 30 30 + data class AuthenticatePacket( 31 31 + val did: String, 32 32 + val handle: String, 33 33 + val pdsUrl: String, 34 34 + val accessJwt: String, 35 35 + val refreshJwt: String 36 36 + ) : CustomPacketPayload { 37 37 + override fun type(): CustomPacketPayload.Type<out CustomPacketPayload> = TYPE 38 38 + 39 39 + companion object { 40 40 + val TYPE: CustomPacketPayload.Type<AuthenticatePacket> = 41 41 + CustomPacketPayload.Type(AUTHENTICATE_C2S_ID) 42 42 + 43 43 + val CODEC: StreamCodec<FriendlyByteBuf, AuthenticatePacket> = StreamCodec.of( 44 44 + { buf, packet -> 45 45 + buf.writeUtf(packet.did) 46 46 + buf.writeUtf(packet.handle) 47 47 + buf.writeUtf(packet.pdsUrl) 48 48 + buf.writeUtf(packet.accessJwt) 49 49 + buf.writeUtf(packet.refreshJwt) 50 50 + }, 51 51 + { buf -> 52 52 + AuthenticatePacket( 53 53 + did = buf.readUtf(), 54 54 + handle = buf.readUtf(), 55 55 + pdsUrl = buf.readUtf(), 56 56 + accessJwt = buf.readUtf(), 57 57 + refreshJwt = buf.readUtf() 58 58 + ) 59 59 + } 60 60 + ) 61 61 + } 62 62 + } 63 63 + 64 64 + /** 65 65 + * Server -> Client: Authentication response 66 66 + * Confirms whether authentication was accepted 67 67 + */ 68 68 + @Serializable 69 69 + data class AuthenticateResponsePacket( 70 70 + val success: Boolean, 71 71 + val message: String 72 72 + ) : CustomPacketPayload { 73 73 + override fun type(): CustomPacketPayload.Type<out CustomPacketPayload> = TYPE 74 74 + 75 75 + companion object { 76 76 + val TYPE: CustomPacketPayload.Type<AuthenticateResponsePacket> = 77 77 + CustomPacketPayload.Type(AUTHENTICATE_RESPONSE_S2C_ID) 78 78 + 79 79 + val CODEC: StreamCodec<FriendlyByteBuf, AuthenticateResponsePacket> = StreamCodec.of( 80 80 + { buf, packet -> 81 81 + buf.writeBoolean(packet.success) 82 82 + buf.writeUtf(packet.message) 83 83 + }, 84 84 + { buf -> 85 85 + AuthenticateResponsePacket( 86 86 + success = buf.readBoolean(), 87 87 + message = buf.readUtf() 88 88 + ) 89 89 + } 90 90 + ) 91 91 + } 92 92 + } 93 93 + 94 94 + /** 95 95 + * Client -> Server: Logout request 96 96 + */ 97 97 + @Serializable 98 98 + data class LogoutPacket( 99 99 + val placeholder: Boolean = true // Just for serialization 100 100 + ) : CustomPacketPayload { 101 101 + override fun type(): CustomPacketPayload.Type<out CustomPacketPayload> = TYPE 102 102 + 103 103 + companion object { 104 104 + val TYPE: CustomPacketPayload.Type<LogoutPacket> = 105 105 + CustomPacketPayload.Type(LOGOUT_C2S_ID) 106 106 + 107 107 + val CODEC: StreamCodec<FriendlyByteBuf, LogoutPacket> = StreamCodec.of( 108 108 + { buf, packet -> 109 109 + buf.writeBoolean(packet.placeholder) 110 110 + }, 111 111 + { buf -> 112 112 + buf.readBoolean() 113 113 + LogoutPacket() 114 114 + } 115 115 + ) 116 116 + } 117 117 + } 118 118 + }

+139

src/main/kotlin/com/jollywhoppers/network/ServerNetworkHandler.kt

reviewed

··· 1 1 + package com.jollywhoppers.network 2 2 + 3 3 + import com.jollywhoppers.Atprotoconnect 4 4 + import com.jollywhoppers.atproto.security.SecurityAuditor 5 5 + import kotlinx.coroutines.CoroutineScope 6 6 + import kotlinx.coroutines.Dispatchers 7 7 + import kotlinx.coroutines.launch 8 8 + import net.fabricmc.fabric.api.networking.v1.PayloadTypeRegistry 9 9 + import net.fabricmc.fabric.api.networking.v1.ServerPlayNetworking 10 10 + import net.minecraft.network.chat.Component 11 11 + import net.minecraft.server.level.ServerPlayer 12 12 + import org.slf4j.LoggerFactory 13 13 + 14 14 + /** 15 15 + * Server-side network packet handlers for AT Protocol communication. 16 16 + * Handles verification of client-authenticated sessions. 17 17 + */ 18 18 + object ServerNetworkHandler { 19 19 + private val logger = LoggerFactory.getLogger("atproto-connect-server") 20 20 + private val coroutineScope = CoroutineScope(Dispatchers.IO) 21 21 + 22 22 + /** 23 23 + * Registers all server-side packet handlers. 24 24 + */ 25 25 + fun register() { 26 26 + // Register packet types 27 27 + PayloadTypeRegistry.playC2S().register( 28 28 + AtProtoPackets.AuthenticatePacket.TYPE, 29 29 + AtProtoPackets.AuthenticatePacket.CODEC 30 30 + ) 31 31 + PayloadTypeRegistry.playC2S().register( 32 32 + AtProtoPackets.LogoutPacket.TYPE, 33 33 + AtProtoPackets.LogoutPacket.CODEC 34 34 + ) 35 35 + PayloadTypeRegistry.playS2C().register( 36 36 + AtProtoPackets.AuthenticateResponsePacket.TYPE, 37 37 + AtProtoPackets.AuthenticateResponsePacket.CODEC 38 38 + ) 39 39 + 40 40 + // Handle client authentication packet 41 41 + ServerPlayNetworking.registerGlobalReceiver(AtProtoPackets.AuthenticatePacket.TYPE) { packet, context -> 42 42 + val player = context.player() 43 43 + 44 44 + logger.info("Received authentication from player ${player.name.string} for handle ${packet.handle}") 45 45 + 46 46 + // Verify the session in a coroutine 47 47 + coroutineScope.launch { 48 48 + handleAuthentication(player, packet) 49 49 + } 50 50 + } 51 51 + 52 52 + // Handle client logout packet 53 53 + ServerPlayNetworking.registerGlobalReceiver(AtProtoPackets.LogoutPacket.TYPE) { packet, context -> 54 54 + val player = context.player() 55 55 + 56 56 + logger.info("Received logout from player ${player.name.string}") 57 57 + handleLogout(player) 58 58 + } 59 59 + 60 60 + logger.info("Server network packet handlers registered") 61 61 + } 62 62 + 63 63 + /** 64 64 + * Handles authentication by verifying the session with AT Protocol servers. 65 65 + */ 66 66 + private suspend fun handleAuthentication(player: ServerPlayer, packet: AtProtoPackets.AuthenticatePacket) { 67 67 + try { 68 68 + // Verify the token is valid by making a test API call 69 69 + val verifyResult = Atprotoconnect.atProtoClient.xrpcRequest( 70 70 + method = "GET", 71 71 + endpoint = "com.atproto.server.getSession", 72 72 + accessJwt = packet.accessJwt, 73 73 + pdsUrl = packet.pdsUrl 74 74 + ) 75 75 + 76 76 + if (verifyResult.isFailure) { 77 77 + sendAuthResponse(player, false, "Token verification failed") 78 78 + SecurityAuditor.logAuthFailure( 79 79 + player.uuid, 80 80 + packet.handle, 81 81 + "Token verification failed", 82 82 + player.name.string 83 83 + ) 84 84 + return 85 85 + } 86 86 + 87 87 + // Token is valid, store the session 88 88 + Atprotoconnect.sessionManager.storeVerifiedSession( 89 89 + uuid = player.uuid, 90 90 + did = packet.did, 91 91 + handle = packet.handle, 92 92 + pdsUrl = packet.pdsUrl, 93 93 + accessJwt = packet.accessJwt, 94 94 + refreshJwt = packet.refreshJwt 95 95 + ) 96 96 + 97 97 + // Link identity if not already linked 98 98 + if (!Atprotoconnect.identityStore.isLinked(player.uuid)) { 99 99 + Atprotoconnect.identityStore.linkIdentity(player.uuid, packet.did, packet.handle) 100 100 + SecurityAuditor.logIdentityLink(player.uuid, packet.handle, player.name.string) 101 101 + } 102 102 + 103 103 + // Send success response to client 104 104 + sendAuthResponse(player, true, "Successfully authenticated as ${packet.handle}") 105 105 + 106 106 + SecurityAuditor.logAuthSuccess(player.uuid, packet.handle, player.name.string) 107 107 + logger.info("Player ${player.name.string} authenticated as ${packet.handle}") 108 108 + 109 109 + } catch (e: Exception) { 110 110 + sendAuthResponse(player, false, "Verification error: ${e.message}") 111 111 + logger.error("Failed to verify authentication for ${player.name.string}", e) 112 112 + } 113 113 + } 114 114 + 115 115 + /** 116 116 + * Handles logout by removing the player's session. 117 117 + */ 118 118 + private fun handleLogout(player: ServerPlayer) { 119 119 + val identity = Atprotoconnect.identityStore.getIdentity(player.uuid) 120 120 + Atprotoconnect.sessionManager.deleteSession(player.uuid) 121 121 + 122 122 + if (identity != null) { 123 123 + SecurityAuditor.logLogout(player.uuid, identity.handle, player.name.string) 124 124 + } 125 125 + 126 126 + player.sendSystemMessage( 127 127 + Component.literal("§a✓ Logged out on server") 128 128 + ) 129 129 + logger.info("Player ${player.name.string} logged out") 130 130 + } 131 131 + 132 132 + /** 133 133 + * Sends an authentication response to the client. 134 134 + */ 135 135 + private fun sendAuthResponse(player: ServerPlayer, success: Boolean, message: String) { 136 136 + val response = AtProtoPackets.AuthenticateResponsePacket(success, message) 137 137 + ServerPlayNetworking.send(player, response) 138 138 + } 139 139 + }