lint fix

Update unsupported_project.md
Fix misuse of slug message.
2025-07-25 12:42:35 -07:00 · 2025-07-25 09:26:13 -08:00 · 2025-07-25 01:18:53 -07:00 · 2025-07-25 01:05:51 -07:00 · 2025-07-25 01:02:36 -07:00 · 2025-07-25 00:40:06 -07:00
39 changed files with 703 additions and 243 deletions
--- a/.github/workflows/daedalus-docker.yml
+++ b/.github/workflows/daedalus-docker.yml
@@ -22,23 +22,26 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
      - name: Fetch docker metadata
        id: docker_meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/modrinth/daedalus
      - name: Login to GitHub Images
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          file: ./apps/daedalus_client/Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
+          cache-from: type=registry,ref=ghcr.io/modrinth/daedalus:main
+          cache-to: type=inline
--- a/.github/workflows/labrinth-docker.yml
+++ b/.github/workflows/labrinth-docker.yml
@@ -20,23 +20,26 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
      - name: Fetch docker metadata
        id: docker_meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/modrinth/labrinth
      - name: Login to GitHub Images
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6
        with:
          file: ./apps/labrinth/Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
+          cache-from: type=registry,ref=ghcr.io/modrinth/labrinth:main
+          cache-to: type=inline
--- a/.github/workflows/turbo-ci.yml
+++ b/.github/workflows/turbo-ci.yml
@@ -52,7 +52,7 @@ jobs:
      # cargo-binstall does not have pre-built binaries for sqlx-cli, so we fall
      # back to a cached cargo install
      - name: 🧰 Setup cargo-sqlx
-        uses: AlexTMjugador/cache-cargo-install-action@feat/features-support
+        uses: taiki-e/cache-cargo-install-action@v2
        with:
          tool: sqlx-cli
          locked: false
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -8985,6 +8985,8 @@ dependencies = [
 "dashmap",
 "either",
 "enumset",
+ "hyper 1.6.0",
+ "hyper-util",
 "native-dialog",
 "paste",
 "serde",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -67,6 +67,7 @@ heck = "0.5.0"
 hex = "0.4.3"
 hickory-resolver = "0.25.2"
 hmac = "0.12.1"
+hyper = "1.6.0"
 hyper-rustls = { version = "0.27.7", default-features = false, features = [
  "http1",
  "native-tokio",
--- a/apps/app-frontend/src/App.vue
+++ b/apps/app-frontend/src/App.vue
@@ -61,9 +61,10 @@ import { renderString } from '@modrinth/utils'
 import { useFetch } from '@/helpers/fetch.js'
 import { check } from '@tauri-apps/plugin-updater'
 import NavButton from '@/components/ui/NavButton.vue'
-import { get as getCreds, login, logout } from '@/helpers/mr_auth.js'
+import { cancelLogin, get as getCreds, login, logout } from '@/helpers/mr_auth.js'
 import { get_user } from '@/helpers/cache.js'
 import AppSettingsModal from '@/components/ui/modal/AppSettingsModal.vue'
+import AuthGrantFlowWaitModal from '@/components/ui/modal/AuthGrantFlowWaitModal.vue'
 import PromotionWrapper from '@/components/ui/PromotionWrapper.vue'
 import { hide_ads_window, init_ads_window } from '@/helpers/ads.js'
 import FriendsList from '@/components/ui/friends/FriendsList.vue'
@@ -263,6 +264,8 @@ const incompatibilityWarningModal = ref()

 const credentials = ref()

+const modrinthLoginFlowWaitModal = ref()
+
 async function fetchCredentials() {
  const creds = await getCreds().catch(handleError)
  if (creds && creds.user_id) {
@@ -272,8 +275,24 @@ async function fetchCredentials() {
 }

 async function signIn() {
-  await login().catch(handleError)
-  await fetchCredentials()
+  modrinthLoginFlowWaitModal.value.show()
+
+  try {
+    await login()
+    await fetchCredentials()
+  } catch (error) {
+    if (
+      typeof error === 'object' &&
+      typeof error['message'] === 'string' &&
+      error.message.includes('Login canceled')
+    ) {
+      // Not really an error due to being a result of user interaction, show nothing
+    } else {
+      handleError(error)
+    }
+  } finally {
+    modrinthLoginFlowWaitModal.value.hide()
+  }
 }

 async function logOut() {
@@ -402,6 +421,9 @@ function handleAuxClick(e) {
    <Suspense>
      <AppSettingsModal ref="settingsModal" />
    </Suspense>
+    <Suspense>
+      <AuthGrantFlowWaitModal ref="modrinthLoginFlowWaitModal" @flow-cancel="cancelLogin" />
+    </Suspense>
    <Suspense>
      <InstanceCreationModal ref="installationModal" />
    </Suspense>
--- a/apps/app-frontend/src/components/ui/InstanceCreationModal.vue
+++ b/apps/app-frontend/src/components/ui/InstanceCreationModal.vue
@@ -305,12 +305,16 @@ const [
  get_game_versions().then(shallowRef).catch(handleError),
  get_loaders()
    .then((value) =>
-      value
-        .filter((item) => item.supported_project_types.includes('modpack'))
-        .map((item) => item.name.toLowerCase()),
+      ref(
+        value
+          .filter((item) => item.supported_project_types.includes('modpack'))
+          .map((item) => item.name.toLowerCase()),
+      ),
    )
-    .then(ref)
-    .catch(handleError),
+    .catch((err) => {
+      handleError(err)
+      return ref([])
+    }),
 ])
 loaders.value.unshift('vanilla')

--- a/apps/app-frontend/src/components/ui/modal/AuthGrantFlowWaitModal.vue
+++ b/apps/app-frontend/src/components/ui/modal/AuthGrantFlowWaitModal.vue
@@ -0,0 +1,42 @@
+<script setup lang="ts">
+import { LogInIcon, SpinnerIcon } from '@modrinth/assets'
+import { ref } from 'vue'
+import ModalWrapper from '@/components/ui/modal/ModalWrapper.vue'
+
+defineProps({
+  onFlowCancel: {
+    type: Function,
+    default() {
+      return async () => {}
+    },
+  },
+})
+
+const modal = ref()
+
+function show() {
+  modal.value.show()
+}
+
+function hide() {
+  modal.value.hide()
+}
+
+defineExpose({ show, hide })
+</script>
+<template>
+  <ModalWrapper ref="modal" @hide="onFlowCancel">
+    <template #title>
+      <span class="items-center gap-2 text-lg font-extrabold text-contrast">
+        <LogInIcon /> Sign in
+      </span>
+    </template>
+
+    <div class="flex justify-center gap-2">
+      <SpinnerIcon class="w-12 h-12 animate-spin" />
+    </div>
+    <p class="text-sm text-secondary">
+      Please sign in at the browser window that just opened to continue.
+    </p>
+  </ModalWrapper>
+</template>
--- a/apps/app-frontend/src/helpers/mr_auth.js
+++ b/apps/app-frontend/src/helpers/mr_auth.js
@@ -16,3 +16,7 @@ export async function logout() {
 export async function get() {
  return await invoke('plugin:mr-auth|get')
 }
+
+export async function cancelLogin() {
+  return await invoke('plugin:mr-auth|cancel_modrinth_login')
+}
--- a/apps/app-playground/src/main.rs
+++ b/apps/app-playground/src/main.rs
@@ -15,7 +15,7 @@ pub async fn authenticate_run() -> theseus::Result<Credentials> {
    println!("A browser window will now open, follow the login flow there.");
    let login = minecraft_auth::begin_login().await?;

-    println!("Open URL {} in a browser", login.redirect_uri.as_str());
+    println!("Open URL {} in a browser", login.auth_request_uri.as_str());

    println!("Please enter URL code: ");
    let mut input = String::new();
--- a/apps/app/Cargo.toml
+++ b/apps/app/Cargo.toml
@@ -31,6 +31,8 @@ thiserror.workspace = true
 daedalus.workspace = true
 chrono.workspace = true
 either.workspace = true
+hyper = { workspace = true, features = ["server"] }
+hyper-util.workspace = true

 url.workspace = true
 urlencoding.workspace = true
--- a/apps/app/build.rs
+++ b/apps/app/build.rs
@@ -120,7 +120,12 @@ fn main() {
            .plugin(
                "mr-auth",
                InlinedPlugin::new()
-                    .commands(&["modrinth_login", "logout", "get"])
+                    .commands(&[
+                        "modrinth_login",
+                        "logout",
+                        "get",
+                        "cancel_modrinth_login",
+                    ])
                    .default_permission(
                        DefaultPermissionRule::AllowAllCommands,
                    ),
--- a/apps/app/src/api/auth.rs
+++ b/apps/app/src/api/auth.rs
@@ -33,7 +33,7 @@ pub async fn login<R: Runtime>(
    let window = tauri::WebviewWindowBuilder::new(
        &app,
        "signin",
-        tauri::WebviewUrl::External(flow.redirect_uri.parse().map_err(
+        tauri::WebviewUrl::External(flow.auth_request_uri.parse().map_err(
            |_| {
                theseus::ErrorKind::OtherError(
                    "Error parsing auth redirect URL".to_string(),
@@ -77,6 +77,7 @@ pub async fn login<R: Runtime>(
    window.close()?;
    Ok(None)
 }
+
 #[tauri::command]
 pub async fn remove_user(user: uuid::Uuid) -> Result<()> {
    Ok(minecraft_auth::remove_user(user).await?)
--- a/apps/app/src/api/mod.rs
+++ b/apps/app/src/api/mod.rs
@@ -22,6 +22,8 @@ pub mod cache;
 pub mod friends;
 pub mod worlds;

+mod oauth_utils;
+
 pub type Result<T> = std::result::Result<T, TheseusSerializableError>;

 // // Main returnable Theseus GUI error
--- a/apps/app/src/api/mr_auth.rs
+++ b/apps/app/src/api/mr_auth.rs
@@ -1,79 +1,70 @@
 use crate::api::Result;
-use chrono::{Duration, Utc};
+use crate::api::TheseusSerializableError;
+use crate::api::oauth_utils;
+use tauri::Manager;
+use tauri::Runtime;
 use tauri::plugin::TauriPlugin;
-use tauri::{Manager, Runtime, UserAttentionType};
+use tauri_plugin_opener::OpenerExt;
 use theseus::prelude::*;
+use tokio::sync::oneshot;

 pub fn init<R: tauri::Runtime>() -> TauriPlugin<R> {
    tauri::plugin::Builder::new("mr-auth")
-        .invoke_handler(tauri::generate_handler![modrinth_login, logout, get,])
+        .invoke_handler(tauri::generate_handler![
+            modrinth_login,
+            logout,
+            get,
+            cancel_modrinth_login,
+        ])
        .build()
 }

 #[tauri::command]
 pub async fn modrinth_login<R: Runtime>(
    app: tauri::AppHandle<R>,
-) -> Result<Option<ModrinthCredentials>> {
-    let redirect_uri = mr_auth::authenticate_begin_flow();
+) -> Result<ModrinthCredentials> {
+    let (auth_code_recv_socket_tx, auth_code_recv_socket) = oneshot::channel();
+    let auth_code = tokio::spawn(oauth_utils::auth_code_reply::listen(
+        auth_code_recv_socket_tx,
+    ));

-    let start = Utc::now();
+    let auth_code_recv_socket = auth_code_recv_socket.await.unwrap()?;

-    if let Some(window) = app.get_webview_window("modrinth-signin") {
-        window.close()?;
-    }
+    let auth_request_uri = format!(
+        "{}?launcher=true&ipver={}&port={}",
+        mr_auth::authenticate_begin_flow(),
+        if auth_code_recv_socket.is_ipv4() {
+            "4"
+        } else {
+            "6"
+        },
+        auth_code_recv_socket.port()
+    );

-    let window = tauri::WebviewWindowBuilder::new(
-        &app,
-        "modrinth-signin",
-        tauri::WebviewUrl::External(redirect_uri.parse().map_err(|_| {
-            theseus::ErrorKind::OtherError(
-                "Error parsing auth redirect URL".to_string(),
+    app.opener()
+        .open_url(auth_request_uri, None::<&str>)
+        .map_err(|e| {
+            TheseusSerializableError::Theseus(
+                theseus::ErrorKind::OtherError(format!(
+                    "Failed to open auth request URI: {e}"
+                ))
+                .into(),
            )
-            .as_error()
-        })?),
-    )
-    .min_inner_size(420.0, 632.0)
-    .inner_size(420.0, 632.0)
-    .max_inner_size(420.0, 632.0)
-    .zoom_hotkeys_enabled(false)
-    .title("Sign into Modrinth")
-    .always_on_top(true)
-    .center()
-    .build()?;
+        })?;

-    window.request_user_attention(Some(UserAttentionType::Critical))?;
+    let Some(auth_code) = auth_code.await.unwrap()? else {
+        return Err(TheseusSerializableError::Theseus(
+            theseus::ErrorKind::OtherError("Login canceled".into()).into(),
+        ));
+    };

-    while (Utc::now() - start) < Duration::minutes(10) {
-        if window.title().is_err() {
-            // user closed window, cancelling flow
-            return Ok(None);
-        }
+    let credentials = mr_auth::authenticate_finish_flow(&auth_code).await?;

-        if window
-            .url()?
-            .as_str()
-            .starts_with("https://launcher-files.modrinth.com")
-        {
-            let url = window.url()?;
-
-            let code = url.query_pairs().find(|(key, _)| key == "code");
-
-            window.close()?;
-
-            return if let Some((_, code)) = code {
-                let val = mr_auth::authenticate_finish_flow(&code).await?;
-
-                Ok(Some(val))
-            } else {
-                Ok(None)
-            };
-        }
-
-        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
+    if let Some(main_window) = app.get_window("main") {
+        main_window.set_focus().ok();
    }

-    window.close()?;
-    Ok(None)
+    Ok(credentials)
 }

 #[tauri::command]
@@ -85,3 +76,8 @@ pub async fn logout() -> Result<()> {
 pub async fn get() -> Result<Option<ModrinthCredentials>> {
    Ok(theseus::mr_auth::get_credentials().await?)
 }
+
+#[tauri::command]
+pub fn cancel_modrinth_login() {
+    oauth_utils::auth_code_reply::stop_listeners();
+}
--- a/apps/app/src/api/oauth_utils/auth_code_reply.rs
+++ b/apps/app/src/api/oauth_utils/auth_code_reply.rs
@@ -0,0 +1,159 @@
+//! A minimal OAuth 2.0 authorization code grant flow redirection/reply loopback URI HTTP
+//! server implementation, compliant with [RFC 6749]'s authorization code grant flow and
+//! [RFC 8252]'s best current practices for OAuth 2.0 in native apps.
+//!
+//! This server is needed for the step 4 of the OAuth authentication dance represented in
+//! figure 1 of [RFC 8252].
+//!
+//! Further reading: https://www.oauth.com/oauth2-servers/oauth-native-apps/redirect-urls-for-native-apps/
+//!
+//! [RFC 6749]: https://datatracker.ietf.org/doc/html/rfc6749
+//! [RFC 8252]: https://datatracker.ietf.org/doc/html/rfc8252
+
+use std::{
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
+    sync::{LazyLock, Mutex},
+    time::Duration,
+};
+
+use hyper::body::Incoming;
+use hyper_util::rt::{TokioIo, TokioTimer};
+use theseus::ErrorKind;
+use tokio::{
+    net::TcpListener,
+    sync::{broadcast, oneshot},
+};
+
+static SERVER_SHUTDOWN: LazyLock<broadcast::Sender<()>> =
+    LazyLock::new(|| broadcast::channel(1024).0);
+
+/// Starts a temporary HTTP server to receive OAuth 2.0 authorization code grant flow redirects
+/// on a loopback interface with an ephemeral port. The caller can know the bound socket address
+/// by listening on the counterpart channel for `listen_socket_tx`.
+///
+/// If the server is stopped before receiving an authorization code, `Ok(None)` is returned.
+pub async fn listen(
+    listen_socket_tx: oneshot::Sender<Result<SocketAddr, theseus::Error>>,
+) -> Result<Option<String>, theseus::Error> {
+    // IPv4 is tried first for the best compatibility and performance with most systems.
+    // IPv6 is also tried in case IPv4 is not available. Resolving "localhost" is avoided
+    // to prevent failures deriving from improper name resolution setup. Any available
+    // ephemeral port is used to prevent conflicts with other services. This is all as per
+    // RFC 8252's recommendations
+    const ANY_LOOPBACK_SOCKET: &[SocketAddr] = &[
+        SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 0),
+        SocketAddr::new(IpAddr::V6(Ipv6Addr::LOCALHOST), 0),
+    ];
+
+    let listener = match TcpListener::bind(ANY_LOOPBACK_SOCKET).await {
+        Ok(listener) => {
+            listen_socket_tx
+                .send(listener.local_addr().map_err(|e| {
+                    ErrorKind::OtherError(format!(
+                        "Failed to get auth code reply socket address: {e}"
+                    ))
+                    .into()
+                }))
+                .ok();
+
+            listener
+        }
+        Err(e) => {
+            let error_msg =
+                format!("Failed to bind auth code reply socket: {e}");
+
+            listen_socket_tx
+                .send(Err(ErrorKind::OtherError(error_msg.clone()).into()))
+                .ok();
+
+            return Err(ErrorKind::OtherError(error_msg).into());
+        }
+    };
+
+    let mut auth_code = Mutex::new(None);
+    let mut shutdown_notification = SERVER_SHUTDOWN.subscribe();
+
+    while auth_code.get_mut().unwrap().is_none() {
+        let client_socket = tokio::select! {
+            biased;
+            _ = shutdown_notification.recv() => {
+                break;
+            }
+            conn_accept_result = listener.accept() => {
+                match conn_accept_result {
+                    Ok((socket, _)) => socket,
+                    Err(e) => {
+                        tracing::warn!("Failed to accept auth code reply: {e}");
+                        continue;
+                    }
+                }
+            }
+        };
+
+        if let Err(e) = hyper::server::conn::http1::Builder::new()
+            .keep_alive(false)
+            .header_read_timeout(Duration::from_secs(5))
+            .timer(TokioTimer::new())
+            .auto_date_header(false)
+            .serve_connection(
+                TokioIo::new(client_socket),
+                hyper::service::service_fn(|req| handle_reply(req, &auth_code)),
+            )
+            .await
+        {
+            tracing::warn!("Failed to handle auth code reply: {e}");
+        }
+    }
+
+    Ok(auth_code.into_inner().unwrap())
+}
+
+/// Stops any active OAuth 2.0 authorization code grant flow reply listening HTTP servers.
+pub fn stop_listeners() {
+    SERVER_SHUTDOWN.send(()).ok();
+}
+
+async fn handle_reply(
+    req: hyper::Request<Incoming>,
+    auth_code_out: &Mutex<Option<String>>,
+) -> Result<hyper::Response<String>, hyper::http::Error> {
+    if req.method() != hyper::Method::GET {
+        return hyper::Response::builder()
+            .status(hyper::StatusCode::METHOD_NOT_ALLOWED)
+            .header("Allow", "GET")
+            .body("".into());
+    }
+
+    // The authorization code is guaranteed to be sent as a "code" query parameter
+    // in the request URI query string as per RFC 6749 § 4.1.2
+    let auth_code = req.uri().query().and_then(|query_string| {
+        query_string
+            .split('&')
+            .filter_map(|query_pair| query_pair.split_once('='))
+            .find_map(|(key, value)| (key == "code").then_some(value))
+    });
+
+    let response = if let Some(auth_code) = auth_code {
+        *auth_code_out.lock().unwrap() = Some(auth_code.to_string());
+
+        hyper::Response::builder()
+            .status(hyper::StatusCode::OK)
+            .header("Content-Type", "text/html;charset=utf-8")
+            .body(
+                include_str!("auth_code_reply/page.html")
+                    .replace("{{title}}", "Success")
+                    .replace("{{message}}", "You have successfully signed in! You can close this page now."),
+            )
+    } else {
+        hyper::Response::builder()
+            .status(hyper::StatusCode::BAD_REQUEST)
+            .header("Content-Type", "text/html;charset=utf-8")
+            .body(
+                include_str!("auth_code_reply/page.html")
+                    .replace("{{title}}", "Error")
+                    .replace("{{message}}", "Authorization code not found. Please try signing in again."),
+            )
+    }?;
+
+    Ok(response)
+}
--- a/apps/app/src/api/oauth_utils/auth_code_reply/page.html
+++ b/apps/app/src/api/oauth_utils/auth_code_reply/page.html
--- a/apps/app/src/api/oauth_utils/mod.rs
+++ b/apps/app/src/api/oauth_utils/mod.rs
@@ -0,0 +1,3 @@
+//! Assorted utilities for OAuth 2.0 authorization flows.
+
+pub mod auth_code_reply;
--- a/apps/app/tauri.conf.json
+++ b/apps/app/tauri.conf.json
@@ -63,6 +63,7 @@
        "height": 800,
        "resizable": true,
        "title": "Modrinth App",
+        "label": "main",
        "width": 1280,
        "minHeight": 700,
        "minWidth": 1100,
--- a/apps/daedalus_client/Dockerfile
+++ b/apps/daedalus_client/Dockerfile
@@ -1,9 +1,19 @@
+# syntax=docker/dockerfile:1
+
 FROM rust:1.88.0 AS build

 WORKDIR /usr/src/daedalus
 COPY . .
-RUN cargo build --release --package daedalus_client
+RUN --mount=type=cache,target=/usr/src/daedalus/target \
+  --mount=type=cache,target=/usr/local/cargo/git/db \
+  --mount=type=cache,target=/usr/local/cargo/registry \
+  cargo build --release --package daedalus_client

+FROM build AS artifacts
+
+RUN --mount=type=cache,target=/usr/src/daedalus/target \
+  mkdir /daedalus \
+  && cp /usr/src/daedalus/target/release/daedalus_client /daedalus/daedalus_client

 FROM debian:bookworm-slim

@@ -11,7 +21,7 @@ RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates openssl \
  && rm -rf /var/lib/apt/lists/*

-COPY --from=build /usr/src/daedalus/target/release/daedalus_client /daedalus/daedalus_client
-WORKDIR /daedalus_client
+COPY --from=artifacts /daedalus /daedalus

-CMD /daedalus/daedalus_client
+WORKDIR /daedalus_client
+CMD ["/daedalus/daedalus_client"]
--- a/apps/frontend/src/components/ui/moderation/ModpackPermissionsFlow.vue
+++ b/apps/frontend/src/components/ui/moderation/ModpackPermissionsFlow.vue
@@ -8,7 +8,7 @@
    <div v-if="!modPackData">Loading data...</div>

    <div v-else-if="modPackData.length === 0">
-      <p>All permissions obtained. You may skip this step!</p>
+      <p>All permissions already obtained.</p>
    </div>

    <div v-else-if="!modPackData[currentIndex]">
@@ -157,7 +157,7 @@ import type {
 } from "@modrinth/utils";
 import { ButtonStyled } from "@modrinth/ui";
 import { ref, computed, watch, onMounted } from "vue";
-import { useLocalStorage } from "@vueuse/core";
+import { useLocalStorage, useSessionStorage } from "@vueuse/core";

 const props = defineProps<{
  projectId: string;
@@ -182,7 +182,26 @@ const persistedModPackData = useLocalStorage<ModerationModpackItem[] | null>(

 const persistedIndex = useLocalStorage<number>(`modpack-permissions-index-${props.projectId}`, 0);

-const modPackData = ref<ModerationModpackItem[] | null>(null);
+const modPackData = useSessionStorage<ModerationModpackItem[] | null>(
+  `modpack-permissions-data-${props.projectId}`,
+  null,
+  {
+    serializer: {
+      read: (v: any) => (v ? JSON.parse(v) : null),
+      write: (v: any) => JSON.stringify(v),
+    },
+  },
+);
+const permanentNoFiles = useSessionStorage<ModerationModpackItem[]>(
+  `modpack-permissions-permanent-no-${props.projectId}`,
+  [],
+  {
+    serializer: {
+      read: (v: any) => (v ? JSON.parse(v) : []),
+      write: (v: any) => JSON.stringify(v),
+    },
+  },
+);
 const currentIndex = ref(0);

 const fileApprovalTypes: ModerationModpackPermissionApprovalType[] = [
@@ -251,7 +270,45 @@ async function fetchModPackData(): Promise<void> {
    const data = (await useBaseFetch(`moderation/project/${props.projectId}`, {
      internal: true,
    })) as ModerationModpackResponse;
+
+    const permanentNoItems: ModerationModpackItem[] = Object.entries(data.identified || {})
+      .filter(([_, file]) => file.status === "permanent-no")
+      .map(
+        ([sha1, file]): ModerationModpackItem => ({
+          sha1,
+          file_name: file.file_name,
+          type: "identified",
+          status: file.status,
+          approved: null,
+        }),
+      )
+      .sort((a, b) => a.file_name.localeCompare(b.file_name));
+
+    permanentNoFiles.value = permanentNoItems;
+
    const sortedData: ModerationModpackItem[] = [
+      ...Object.entries(data.identified || {})
+        .filter(
+          ([_, file]) =>
+            file.status !== "yes" &&
+            file.status !== "with-attribution-and-source" &&
+            file.status !== "permanent-no",
+        )
+        .map(
+          ([sha1, file]): ModerationModpackItem => ({
+            sha1,
+            file_name: file.file_name,
+            type: "identified",
+            status: file.status,
+            approved: null,
+            ...(file.status === "unidentified" && {
+              proof: "",
+              url: "",
+              title: "",
+            }),
+          }),
+        )
+        .sort((a, b) => a.file_name.localeCompare(b.file_name)),
      ...Object.entries(data.unknown_files || {})
        .map(
          ([sha1, fileName]): ModerationUnknownModpackItem => ({
@@ -310,6 +367,7 @@ async function fetchModPackData(): Promise<void> {
  } catch (error) {
    console.error("Failed to fetch modpack data:", error);
    modPackData.value = [];
+    permanentNoFiles.value = [];
    persistAll();
  }
 }
@@ -321,6 +379,14 @@ function goToPrevious(): void {
  }
 }

+watch(
+  modPackData,
+  (newValue) => {
+    persistedModPackData.value = newValue;
+  },
+  { deep: true },
+);
+
 function goToNext(): void {
  if (modPackData.value && currentIndex.value < modPackData.value.length) {
    currentIndex.value++;
@@ -396,6 +462,17 @@ onMounted(() => {
  }
 });

+watch(
+  modPackData,
+  (newValue) => {
+    if (newValue && newValue.length === 0) {
+      emit("complete");
+      clearPersistedData();
+    }
+  },
+  { immediate: true },
+);
+
 watch(
  () => props.projectId,
  () => {
@@ -406,6 +483,20 @@ watch(
    }
  },
 );
+
+function getModpackFiles(): {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+} {
+  return {
+    interactive: modPackData.value || [],
+    permanentNo: permanentNoFiles.value,
+  };
+}
+
+defineExpose({
+  getModpackFiles,
+});
 </script>

 <style scoped>
--- a/apps/frontend/src/components/ui/moderation/NewModerationChecklist.vue
+++ b/apps/frontend/src/components/ui/moderation/NewModerationChecklist.vue
@@ -240,24 +240,6 @@
            </div>

            <div v-else-if="generatedMessage" class="flex items-center gap-2">
-              <OverflowMenu :options="stageOptions" class="bg-transparent p-0">
-                <ButtonStyled circular>
-                  <button v-tooltip="`Stages`">
-                    <ListBulletedIcon />
-                  </button>
-                </ButtonStyled>
-
-                <template
-                  v-for="opt in stageOptions.filter(
-                    (opt) => 'id' in opt && 'text' in opt && 'icon' in opt,
-                  )"
-                  #[opt.id]
-                  :key="opt.id"
-                >
-                  <component :is="opt.icon" v-if="opt.icon" class="mr-2" />
-                  {{ opt.text }}
-                </template>
-              </OverflowMenu>
              <ButtonStyled>
                <button @click="goBackToStages">
                  <LeftArrowIcon aria-hidden="true" />
@@ -368,21 +350,26 @@ import {
  DropdownSelect,
  MarkdownEditor,
 } from "@modrinth/ui";
-import { type Project, renderHighlightedString, type ModerationJudgements } from "@modrinth/utils";
+import {
+  type Project,
+  renderHighlightedString,
+  type ModerationJudgements,
+  type ModerationModpackItem,
+} from "@modrinth/utils";
 import { computedAsync, useLocalStorage } from "@vueuse/core";
-import type {
-  Action,
-  MultiSelectChipsAction,
-  DropdownAction,
-  ButtonAction,
-  ToggleAction,
-  ConditionalButtonAction,
-  Stage,
+import {
+  type Action,
+  type MultiSelectChipsAction,
+  type DropdownAction,
+  type ButtonAction,
+  type ToggleAction,
+  type ConditionalButtonAction,
+  type Stage,
+  finalPermissionMessages,
 } from "@modrinth/moderation";
+import * as prettier from "prettier";
 import ModpackPermissionsFlow from "./ModpackPermissionsFlow.vue";
 import KeybindsModal from "./ChecklistKeybindsModal.vue";
-import { finalPermissionMessages } from "@modrinth/moderation/data/modpack-permissions-stage";
-import prettier from "prettier";

 const keybindsModal = ref<InstanceType<typeof KeybindsModal>>();

@@ -419,7 +406,6 @@ const done = ref(false);

 function handleModpackPermissionsComplete() {
  modpackPermissionsComplete.value = true;
-  nextStage();
 }

 const emit = defineEmits<{
@@ -823,6 +809,31 @@ const isAnyVisibleInputs = computed(() => {
  });
 });

+function getModpackFilesFromStorage(): {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+} {
+  try {
+    const sessionData = sessionStorage.getItem(`modpack-permissions-data-${props.project.id}`);
+    const interactive = sessionData ? (JSON.parse(sessionData) as ModerationModpackItem[]) : [];
+
+    const permanentNoData = sessionStorage.getItem(
+      `modpack-permissions-permanent-no-${props.project.id}`,
+    );
+    const permanentNo = permanentNoData
+      ? (JSON.parse(permanentNoData) as ModerationModpackItem[])
+      : [];
+
+    return {
+      interactive: interactive || [],
+      permanentNo: permanentNo || [],
+    };
+  } catch (error) {
+    console.warn("Failed to parse session storage modpack data:", error);
+    return { interactive: [], permanentNo: [] };
+  }
+}
+
 async function assembleFullMessage() {
  const messageParts: MessagePart[] = [];

@@ -1092,13 +1103,14 @@ async function generateMessage() {
    const baseMessage = await assembleFullMessage();
    let fullMessage = baseMessage;

-    if (
-      props.project.project_type === "modpack" &&
-      Object.keys(modpackJudgements.value).length > 0
-    ) {
-      const modpackMessage = generateModpackMessage(modpackJudgements.value);
-      if (modpackMessage) {
-        fullMessage = baseMessage ? `${baseMessage}\n\n${modpackMessage}` : modpackMessage;
+    if (props.project.project_type === "modpack") {
+      const modpackFilesData = getModpackFilesFromStorage();
+
+      if (modpackFilesData.interactive.length > 0 || modpackFilesData.permanentNo.length > 0) {
+        const modpackMessage = generateModpackMessage(modpackFilesData);
+        if (modpackMessage) {
+          fullMessage = baseMessage ? `${baseMessage}\n\n${modpackMessage}` : modpackMessage;
+        }
      }
    }

@@ -1129,25 +1141,32 @@ async function generateMessage() {
  }
 }

-function generateModpackMessage(judgements: ModerationJudgements) {
+function generateModpackMessage(allFiles: {
+  interactive: ModerationModpackItem[];
+  permanentNo: ModerationModpackItem[];
+}) {
  const issues = [];

-  const attributeMods = [];
-  const noMods = [];
-  const permanentNoMods = [];
-  const unidentifiedMods = [];
+  const attributeMods: string[] = [];
+  const noMods: string[] = [];
+  const permanentNoMods: string[] = [];
+  const unidentifiedMods: string[] = [];

-  for (const [, judgement] of Object.entries(judgements)) {
-    if (judgement.status === "with-attribution") {
-      attributeMods.push(judgement.file_name);
-    } else if (judgement.status === "no") {
-      noMods.push(judgement.file_name);
-    } else if (judgement.status === "permanent-no") {
-      permanentNoMods.push(judgement.file_name);
-    } else if (judgement.status === "unidentified") {
-      unidentifiedMods.push(judgement.file_name);
+  allFiles.interactive.forEach((file) => {
+    if (file.status === "unidentified") {
+      if (file.approved === "no") {
+        unidentifiedMods.push(file.file_name);
+      }
+    } else if (file.status === "with-attribution" && file.approved === "no") {
+      attributeMods.push(file.file_name);
+    } else if (file.status === "no" && file.approved === "no") {
+      noMods.push(file.file_name);
    }
-  }
+  });
+
+  allFiles.permanentNo.forEach((file) => {
+    permanentNoMods.push(file.file_name);
+  });

  if (
    attributeMods.length > 0 ||
@@ -1157,6 +1176,12 @@ function generateModpackMessage(judgements: ModerationJudgements) {
  ) {
    issues.push("## Copyrighted content");

+    if (unidentifiedMods.length > 0) {
+      issues.push(
+        `${finalPermissionMessages.unidentified}\n${unidentifiedMods.map((mod) => `- ${mod}`).join("\n")}`,
+      );
+    }
+
    if (attributeMods.length > 0) {
      issues.push(
        `${finalPermissionMessages["with-attribution"]}\n${attributeMods.map((mod) => `- ${mod}`).join("\n")}`,
@@ -1172,12 +1197,6 @@ function generateModpackMessage(judgements: ModerationJudgements) {
        `${finalPermissionMessages["permanent-no"]}\n${permanentNoMods.map((mod) => `- ${mod}`).join("\n")}`,
      );
    }
-
-    if (unidentifiedMods.length > 0) {
-      issues.push(
-        `${finalPermissionMessages["unidentified"]}\n${unidentifiedMods.map((mod) => `- ${mod}`).join("\n")}`,
-      );
-    }
  }

  return issues.join("\n\n");
--- a/apps/frontend/src/components/ui/report/ReportsList.vue
+++ b/apps/frontend/src/components/ui/report/ReportsList.vue
@@ -1,13 +1,21 @@
 <template>
+  <template v-if="moderation">
+    <Chips v-model="reasonFilter" :items="reasons" />
+    <p v-if="reports.length === MAX_REPORTS" class="text-red">
+      There are at least {{ MAX_REPORTS }} open reports. This page is at its max reports and will
+      not show any more recent ones.
+    </p>
+    <p v-else-if="reasonFilter === 'All'">There are {{ filteredReports.length }} open reports.</p>
+    <p v-else>
+      There are {{ filteredReports.length }}/{{ reports.length }} open '{{ reasonFilter }}' reports.
+    </p>
+  </template>
  <ReportInfo
-    v-for="report in reports.filter(
-      (x) =>
-        (moderation || x.reporterUser.id === auth.user.id) &&
-        (viewMode === 'open' ? x.open : !x.open),
-    )"
+    v-for="report in filteredReports"
    :key="report.id"
    :report="report"
    :thread="report.thread"
+    :show-message="false"
    :moderation="moderation"
    raised
    :auth="auth"
@@ -16,11 +24,12 @@
  <p v-if="reports.length === 0">You don't have any active reports.</p>
 </template>
 <script setup>
+import { Chips } from "@modrinth/ui";
 import ReportInfo from "~/components/ui/report/ReportInfo.vue";
 import { addReportMessage } from "~/helpers/threads.js";
 import { asEncodedJsonArray, fetchSegmented } from "~/utils/fetch-helpers.ts";

-defineProps({
+const props = defineProps({
  moderation: {
    type: Boolean,
    default: false,
@@ -32,9 +41,14 @@ defineProps({
 });

 const viewMode = ref("open");
+const reasonFilter = ref("All");
 const reports = ref([]);

-let { data: rawReports } = await useAsyncData("report", () => useBaseFetch("report?count=1000"));
+const MAX_REPORTS = 1500;
+
+let { data: rawReports } = await useAsyncData("report", () =>
+  useBaseFetch(`report?count=${MAX_REPORTS}`),
+);

 rawReports = rawReports.value.map((report) => {
  report.item_id = report.item_id.replace(/"/g, "");
@@ -51,6 +65,7 @@ const userIds = [...new Set(reporterUsers.concat(reportedUsers))];
 const threadIds = [
  ...new Set(rawReports.filter((report) => report.thread_id).map((report) => report.thread_id)),
 ];
+const reasons = ["All", ...new Set(rawReports.map((report) => report.report_type))];

 const [{ data: users }, { data: versions }, { data: threads }] = await Promise.all([
  await useAsyncData(`users?ids=${JSON.stringify(userIds)}`, () =>
@@ -93,4 +108,13 @@ reports.value = rawReports.map((report) => {
  report.open = true;
  return report;
 });
+
+const filteredReports = computed(() =>
+  reports.value?.filter(
+    (x) =>
+      (props.moderation || x.reporterUser.id === props.auth.user.id) &&
+      (viewMode.value === "open" ? x.open : !x.open) &&
+      (reasonFilter.value === "All" || reasonFilter.value === x.report_type),
+  ),
+);
 </script>
--- a/apps/frontend/src/pages/auth/sign-in.vue
+++ b/apps/frontend/src/pages/auth/sign-in.vue
@@ -1,6 +1,12 @@
 <template>
-  <div>
-    <template v-if="flow">
+  <div v-if="subtleLauncherRedirectUri">
+    <iframe
+      :src="subtleLauncherRedirectUri"
+      class="fixed left-0 top-0 z-[9999] m-0 h-full w-full border-0 p-0"
+    ></iframe>
+  </div>
+  <div v-else>
+    <template v-if="flow && !subtleLauncherRedirectUri">
      <label for="two-factor-code">
        <span class="label__title">{{ formatMessage(messages.twoFactorCodeLabel) }}</span>
        <span class="label__description">
@@ -189,6 +195,7 @@ const auth = await useAuth();
 const route = useNativeRoute();

 const redirectTarget = route.query.redirect || "";
+const subtleLauncherRedirectUri = ref();

 if (route.query.code && !route.fullPath.includes("new_account=true")) {
  await finishSignIn();
@@ -262,7 +269,32 @@ async function begin2FASignIn() {

 async function finishSignIn(token) {
  if (route.query.launcher) {
-    await navigateTo(`https://launcher-files.modrinth.com/?code=${token}`, { external: true });
+    if (!token) {
+      token = auth.value.token;
+    }
+
+    const usesLocalhostRedirectionScheme =
+      ["4", "6"].includes(route.query.ipver) && Number(route.query.port) < 65536;
+
+    const redirectUrl = usesLocalhostRedirectionScheme
+      ? `http://${route.query.ipver === "4" ? "127.0.0.1" : "[::1]"}:${route.query.port}/?code=${token}`
+      : `https://launcher-files.modrinth.com/?code=${token}`;
+
+    if (usesLocalhostRedirectionScheme) {
+      // When using this redirection scheme, the auth token is very visible in the URL to the user.
+      // While we could make it harder to find with a POST request, such is security by obscurity:
+      // the user and other applications would still be able to sniff the token in the request body.
+      // So, to make the UX a little better by not changing the displayed URL, while keeping the
+      // token hidden from very casual observation and keeping the protocol as close to OAuth's
+      // standard flows as possible, let's execute the redirect within an iframe that visually
+      // covers the entire page.
+      subtleLauncherRedirectUri.value = redirectUrl;
+    } else {
+      await navigateTo(redirectUrl, {
+        external: true,
+      });
+    }
+
    return;
  }

--- a/apps/frontend/src/pages/auth/sign-up.vue
+++ b/apps/frontend/src/pages/auth/sign-up.vue
@@ -247,16 +247,14 @@ async function createAccount() {
      },
    });

-    if (route.query.launcher) {
-      await navigateTo(`https://launcher-files.modrinth.com/?code=${res.session}`, {
-        external: true,
-      });
-      return;
-    }
-
    await useAuth(res.session);
    await useUser();

+    if (route.query.launcher) {
+      await navigateTo({ path: "/auth/sign-in", query: route.query });
+      return;
+    }
+
    if (route.query.redirect) {
      await navigateTo(route.query.redirect);
    } else {
--- a/apps/labrinth/Dockerfile
+++ b/apps/labrinth/Dockerfile
@@ -1,8 +1,21 @@
+# syntax=docker/dockerfile:1
+
 FROM rust:1.88.0 AS build

 WORKDIR /usr/src/labrinth
 COPY . .
-RUN SQLX_OFFLINE=true cargo build --release --package labrinth
+RUN --mount=type=cache,target=/usr/src/labrinth/target \
+  --mount=type=cache,target=/usr/local/cargo/git/db \
+  --mount=type=cache,target=/usr/local/cargo/registry \
+  SQLX_OFFLINE=true cargo build --release --package labrinth
+
+FROM build AS artifacts
+
+RUN --mount=type=cache,target=/usr/src/labrinth/target \
+  mkdir /labrinth \
+  && cp /usr/src/labrinth/target/release/labrinth /labrinth/labrinth \
+  && cp -r /usr/src/labrinth/apps/labrinth/migrations /labrinth \
+  && cp -r /usr/src/labrinth/apps/labrinth/assets /labrinth

 FROM debian:bookworm-slim

@@ -14,10 +27,8 @@ RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates dumb-init curl \
  && rm -rf /var/lib/apt/lists/*

-COPY --from=build /usr/src/labrinth/target/release/labrinth /labrinth/labrinth
-COPY --from=build /usr/src/labrinth/apps/labrinth/migrations/* /labrinth/migrations/
-COPY --from=build /usr/src/labrinth/apps/labrinth/assets /labrinth/assets
-WORKDIR /labrinth
+COPY --from=artifacts /labrinth /labrinth

+WORKDIR /labrinth
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["/labrinth/labrinth"]
--- a/packages/app-lib/src/state/minecraft_auth.rs
+++ b/packages/app-lib/src/state/minecraft_auth.rs
@@ -85,21 +85,18 @@ pub struct MinecraftLoginFlow {
    pub verifier: String,
    pub challenge: String,
    pub session_id: String,
-    pub redirect_uri: String,
+    pub auth_request_uri: String,
 }

 #[tracing::instrument]
 pub async fn login_begin(
    exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
 ) -> crate::Result<MinecraftLoginFlow> {
-    let (pair, current_date, valid_date) =
-        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), false, exec)
-            .await?;
+    let (pair, current_date) =
+        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), exec).await?;

    let verifier = generate_oauth_challenge();
-    let mut hasher = sha2::Sha256::new();
-    hasher.update(&verifier);
-    let result = hasher.finalize();
+    let result = sha2::Sha256::digest(&verifier);
    let challenge = BASE64_URL_SAFE_NO_PAD.encode(result);

    match sisu_authenticate(
@@ -110,46 +107,15 @@ pub async fn login_begin(
    )
    .await
    {
-        Ok((session_id, redirect_uri)) => Ok(MinecraftLoginFlow {
-            verifier,
-            challenge,
-            session_id,
-            redirect_uri: redirect_uri.value.msa_oauth_redirect,
-        }),
-        Err(err) => {
-            if !valid_date {
-                let (pair, current_date, _) =
-                    DeviceTokenPair::refresh_and_get_device_token(
-                        Utc::now(),
-                        false,
-                        exec,
-                    )
-                    .await?;
-
-                let verifier = generate_oauth_challenge();
-                let mut hasher = sha2::Sha256::new();
-                hasher.update(&verifier);
-                let result = hasher.finalize();
-                let challenge = BASE64_URL_SAFE_NO_PAD.encode(result);
-
-                let (session_id, redirect_uri) = sisu_authenticate(
-                    &pair.token.token,
-                    &challenge,
-                    &pair.key,
-                    current_date,
-                )
-                .await?;
-
-                Ok(MinecraftLoginFlow {
-                    verifier,
-                    challenge,
-                    session_id,
-                    redirect_uri: redirect_uri.value.msa_oauth_redirect,
-                })
-            } else {
-                Err(crate::ErrorKind::from(err).into())
-            }
+        Ok((session_id, redirect_uri)) => {
+            return Ok(MinecraftLoginFlow {
+                verifier,
+                challenge,
+                session_id,
+                auth_request_uri: redirect_uri.value.msa_oauth_redirect,
+            });
        }
+        Err(err) => return Err(crate::ErrorKind::from(err).into()),
    }
 }

@@ -159,9 +125,8 @@ pub async fn login_finish(
    flow: MinecraftLoginFlow,
    exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
 ) -> crate::Result<Credentials> {
-    let (pair, _, _) =
-        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), false, exec)
-            .await?;
+    let (pair, _) =
+        DeviceTokenPair::refresh_and_get_device_token(Utc::now(), exec).await?;

    let oauth_token = oauth_token(code, &flow.verifier).await?;
    let sisu_authorize = sisu_authorize(
@@ -267,10 +232,9 @@ impl Credentials {
        }

        let oauth_token = oauth_refresh(&self.refresh_token).await?;
-        let (pair, current_date, _) =
+        let (pair, current_date) =
            DeviceTokenPair::refresh_and_get_device_token(
                oauth_token.date,
-                false,
                exec,
            )
            .await?;
@@ -633,21 +597,20 @@ impl DeviceTokenPair {
    #[tracing::instrument(skip(exec))]
    async fn refresh_and_get_device_token(
        current_date: DateTime<Utc>,
-        force_generate: bool,
        exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite> + Copy,
-    ) -> crate::Result<(Self, DateTime<Utc>, bool)> {
+    ) -> crate::Result<(Self, DateTime<Utc>)> {
        let pair = Self::get(exec).await?;

        if let Some(mut pair) = pair {
-            if pair.token.not_after > Utc::now() && !force_generate {
-                Ok((pair, current_date, false))
+            if pair.token.not_after > current_date {
+                Ok((pair, current_date))
            } else {
                let res = device_token(&pair.key, current_date).await?;

                pair.token = res.value;
                pair.upsert(exec).await?;

-                Ok((pair, res.date, true))
+                Ok((pair, res.date))
            }
        } else {
            let key = generate_key()?;
@@ -660,7 +623,7 @@ impl DeviceTokenPair {

            pair.upsert(exec).await?;

-            Ok((pair, res.date, true))
+            Ok((pair, res.date))
        }
    }

@@ -758,8 +721,8 @@ impl DeviceTokenPair {
 }

 const MICROSOFT_CLIENT_ID: &str = "00000000402b5328";
-const REDIRECT_URL: &str = "https://login.live.com/oauth20_desktop.srf";
-const REQUESTED_SCOPES: &str = "service::user.auth.xboxlive.com::MBI_SSL";
+const AUTH_REPLY_URL: &str = "https://login.live.com/oauth20_desktop.srf";
+const REQUESTED_SCOPE: &str = "service::user.auth.xboxlive.com::MBI_SSL";

 struct RequestWithDate<T> {
    pub date: DateTime<Utc>,
@@ -838,7 +801,7 @@ async fn sisu_authenticate(
          "AppId": MICROSOFT_CLIENT_ID,
          "DeviceToken": token,
          "Offers": [
-            REQUESTED_SCOPES
+            REQUESTED_SCOPE
          ],
          "Query": {
            "code_challenge": challenge,
@@ -846,7 +809,7 @@ async fn sisu_authenticate(
            "state": generate_oauth_challenge(),
            "prompt": "select_account"
          },
-          "RedirectUri": REDIRECT_URL,
+          "RedirectUri": AUTH_REPLY_URL,
          "Sandbox": "RETAIL",
          "TokenType": "code",
          "TitleId": "1794566092",
@@ -890,12 +853,12 @@ async fn oauth_token(
    verifier: &str,
 ) -> Result<RequestWithDate<OAuthToken>, MinecraftAuthenticationError> {
    let mut query = HashMap::new();
-    query.insert("client_id", "00000000402b5328");
+    query.insert("client_id", MICROSOFT_CLIENT_ID);
    query.insert("code", code);
    query.insert("code_verifier", verifier);
    query.insert("grant_type", "authorization_code");
-    query.insert("redirect_uri", "https://login.live.com/oauth20_desktop.srf");
-    query.insert("scope", "service::user.auth.xboxlive.com::MBI_SSL");
+    query.insert("redirect_uri", AUTH_REPLY_URL);
+    query.insert("scope", REQUESTED_SCOPE);

    let res = auth_retry(|| {
        REQWEST_CLIENT
@@ -939,11 +902,11 @@ async fn oauth_refresh(
    refresh_token: &str,
 ) -> Result<RequestWithDate<OAuthToken>, MinecraftAuthenticationError> {
    let mut query = HashMap::new();
-    query.insert("client_id", "00000000402b5328");
+    query.insert("client_id", MICROSOFT_CLIENT_ID);
    query.insert("refresh_token", refresh_token);
    query.insert("grant_type", "refresh_token");
-    query.insert("redirect_uri", "https://login.live.com/oauth20_desktop.srf");
-    query.insert("scope", "service::user.auth.xboxlive.com::MBI_SSL");
+    query.insert("redirect_uri", AUTH_REPLY_URL);
+    query.insert("scope", REQUESTED_SCOPE);

    let res = auth_retry(|| {
        REQWEST_CLIENT
@@ -1007,7 +970,7 @@ async fn sisu_authorize(
        "/authorize",
        json!({
            "AccessToken": format!("t={access_token}"),
-            "AppId": "00000000402b5328",
+            "AppId": MICROSOFT_CLIENT_ID,
            "DeviceToken": device_token,
            "ProofKey": {
                "kty": "EC",
--- a/packages/app-lib/src/state/mr_auth.rs
+++ b/packages/app-lib/src/state/mr_auth.rs
@@ -190,7 +190,7 @@ impl ModrinthCredentials {
 }

 pub const fn get_login_url() -> &'static str {
-    concat!(env!("MODRINTH_URL"), "auth/sign-in?launcher=true")
+    concat!(env!("MODRINTH_URL"), "auth/sign-in")
 }

 pub async fn finish_login_flow(
@@ -198,6 +198,12 @@ pub async fn finish_login_flow(
    semaphore: &FetchSemaphore,
    exec: impl sqlx::Executor<'_, Database = sqlx::Sqlite>,
 ) -> crate::Result<ModrinthCredentials> {
+    // The authorization code actually is the access token, since Labrinth doesn't
+    // issue separate authorization codes. Therefore, this is equivalent to an
+    // implicit OAuth grant flow, and no additional exchanging or finalization is
+    // needed. TODO not do this for the reasons outlined at
+    // https://oauth.net/2/grant-types/implicit/
+
    let info = fetch_info(code, semaphore, exec).await?;

    Ok(ModrinthCredentials {
--- a/packages/moderation/data/messages/checklist-text/side_types.md
+++ b/packages/moderation/data/messages/checklist-text/side_types.md
@@ -0,0 +1,2 @@
+**Client:** `%PROJECT_CLIENT_SIDE%` \
+**Server:** `%PROJECT_SERVER_SIDE%`
--- a/packages/moderation/data/messages/slug/misused.md
+++ b/packages/moderation/data/messages/slug/misused.md
@@ -1,3 +1,5 @@
-## Misuse of Slug
+## Misuse of custom URL

-Per section 5.2 of %RULES% must accurately represent your project.
+We ask that you ensure your project's %PROJECT_SLUG_FLINK% accurately represents your project.  
+Your current slug of `%PROJECT_SLUG%` may not accurately match your project's Name or contain excess information.  
+A mismatched URL may make it more difficult for users to find your content. Abbreviations or similar are fine to use if applicable. If your preferred URL is not available, and you cannot find a matching public project, let us know in this moderation thread when you resubmit your project, and our moderation team may be able to free it up for your project.
--- a/packages/moderation/data/messages/status-alerts/private.md
+++ b/packages/moderation/data/messages/status-alerts/private.md
@@ -3,6 +3,6 @@
 ## Private Use

 Under normal circumstances, your project would be rejected due to the issues listed above.  
-However, since your project is not intended for for public use, these requirements will be waived and your project will be unlisted. This means it will remain accessible through a direct link without appearing in public search results, allowing you to share it privately.  
+However, since your project is not intended for public use, these requirements will be waived and your project will be unlisted. This means it will remain accessible through a direct link without appearing in public search results, allowing you to share it privately.  
 If you're okay with this, or submitted your project to be unlisted already, than no further action is necessary.  
 If you would like to publish your project publicly, please address all moderation concerns before resubmitting this project.
--- a/packages/moderation/data/messages/versions/unsupported_project.md
+++ b/packages/moderation/data/messages/versions/unsupported_project.md
@@ -0,0 +1,7 @@
+## Unsupported Project
+
+Unfortunately, Modrinth does not currently support the upload of %INVALID_TYPE%.
+
+If you would like to publish this project in the future and help Modrinth grow, consider creating an [issue](https://github.com/modrinth/code/issues) suggesting support for this type of content.
+
+We appreciate your understanding and look forward to hosting your other creations.
--- a/packages/moderation/data/stages/categories.ts
+++ b/packages/moderation/data/stages/categories.ts
@@ -31,7 +31,9 @@ const categories: Stage = {
      weight: 701,
      suggestedStatus: 'flagged',
      severity: 'low',
-      shouldShow: (project) => project.categories.includes('optimization'),
+      shouldShow: (project) =>
+        project.categories.includes('optimization') ||
+        project.additional_categories.includes('optimization'),
      message: async () =>
        (await import('../messages/categories/inaccurate.md?raw')).default +
        (await import('../messages/categories/optimization_misused.md?raw')).default,
--- a/packages/moderation/data/stages/gallery.ts
+++ b/packages/moderation/data/stages/gallery.ts
@@ -25,6 +25,7 @@ const gallery: Stage = {
      weight: 901,
      suggestedStatus: 'flagged',
      severity: 'low',
+      shouldShow: (project) => project.gallery && project.gallery.length > 0,
      message: async () => (await import('../messages/gallery/not-relevant.md?raw')).default,
    } as ButtonAction,
  ],
--- a/packages/moderation/data/stages/side-types.ts
+++ b/packages/moderation/data/stages/side-types.ts
@@ -7,7 +7,8 @@ const sideTypes: Stage = {
  id: 'environment',
  icon: GlobeIcon,
  guidance_url: 'https://modrinth.com/legal/rules#miscellaneous',
-  navigate: '/settings#side-types',
+  navigate: '/settings',
+  text: async () => (await import('../messages/checklist-text/side_types.md?raw')).default,
  actions: [
    {
      id: 'side_types_inaccurate_modpack',
--- a/packages/moderation/data/stages/versions.ts
+++ b/packages/moderation/data/stages/versions.ts
@@ -150,7 +150,24 @@ const versions: Stage = {
      severity: `medium`,
      weight: 1004,
      message: async () => (await import('../messages/versions/broken_version.md?raw')).default,
-    },
+    } as ButtonAction,
+    {
+      id: 'unsupported_project_type',
+      type: 'button',
+      label: `Unsupported`,
+      suggestedStatus: `rejected`,
+      severity: `medium`,
+      weight: 1005,
+      message: async () =>
+        (await import('../messages/versions/unsupported_project.md?raw')).default,
+      relevantExtraInput: [
+        {
+          label: 'Project Type',
+          required: true,
+          variable: 'INVALID_TYPE',
+        },
+      ],
+    } as ButtonAction,
  ],
 }

--- a/packages/moderation/index.ts
+++ b/packages/moderation/index.ts
@@ -3,6 +3,7 @@ export * from './types/messages'
 export * from './types/stage'
 export * from './types/keybinds'
 export * from './utils'
+export { finalPermissionMessages } from './data/modpack-permissions-stage'

 export { default as checklist } from './data/checklist'
 export { default as keybinds } from './data/keybinds'
--- a/packages/moderation/utils.ts
+++ b/packages/moderation/utils.ts
@@ -317,6 +317,11 @@ export function flattenProjectVariables(project: Project): Record<string, string
  vars[`PROJECT_PERMANENT_LINK`] = `https://modrinth.com/project/${project.id}`
  vars[`PROJECT_SETTINGS_LINK`] = `https://modrinth.com/project/${project.id}/settings`
  vars[`PROJECT_SETTINGS_FLINK`] = `[Settings](https://modrinth.com/project/${project.id}/settings)`
+  vars[`PROJECT_TITLE_FLINK`] = `[Name](https://modrinth.com/project/${project.id}/settings)`
+  vars[`PROJECT_SLUG_FLINK`] = `[URL](https://modrinth.com/project/${project.id}/settings)`
+  vars[`PROJECT_SUMMARY_FLINK`] = `[Summary](https://modrinth.com/project/${project.id}/settings)`
+  vars[`PROJECT_ENVIRONMENT_FLINK`] =
+    `[Environment Information](https://modrinth.com/project/${project.id}/settings)`
  vars[`PROJECT_TAGS_LINK`] = `https://modrinth.com/project/${project.id}/settings/tags`
  vars[`PROJECT_TAGS_FLINK`] = `[Tags](https://modrinth.com/project/${project.id}/settings/tags)`
  vars[`PROJECT_DESCRIPTION_LINK`] =
--- a/packages/utils/types.ts
+++ b/packages/utils/types.ts
@@ -315,7 +315,7 @@ export interface ModerationPermissionType {
 export interface ModerationBaseModpackItem {
  sha1: string
  file_name: string
-  type: 'unknown' | 'flame'
+  type: 'unknown' | 'flame' | 'identified'
  status: ModerationModpackPermissionApprovalType['id'] | null
  approved: ModerationPermissionType['id'] | null
 }
@@ -334,9 +334,26 @@ export interface ModerationFlameModpackItem extends ModerationBaseModpackItem {
  url: string
 }

-export type ModerationModpackItem = ModerationUnknownModpackItem | ModerationFlameModpackItem
+export interface ModerationIdentifiedModpackItem extends ModerationBaseModpackItem {
+  type: 'identified'
+  proof?: string
+  url?: string
+  title?: string
+}
+
+export type ModerationModpackItem =
+  | ModerationUnknownModpackItem
+  | ModerationFlameModpackItem
+  | ModerationIdentifiedModpackItem

 export interface ModerationModpackResponse {
+  identified?: Record<
+    string,
+    {
+      file_name: string
+      status: ModerationModpackPermissionApprovalType['id']
+    }
+  >
  unknown_files?: Record<string, string>
  flame_files?: Record<
    string,
@@ -350,8 +367,8 @@ export interface ModerationModpackResponse {
 }

 export interface ModerationJudgement {
-  type: 'flame' | 'unknown'
-  status: string
+  type: 'flame' | 'unknown' | 'identified'
+  status: string | null
  id?: string
  link?: string
  title?: string
Author	SHA1	Message	Date
coolbot100s	54b79148aa	lint fix	2025-07-25 12:42:35 -07:00
coolbot	b5589adb8a	Update unsupported_project.md	2025-07-25 09:26:13 -08:00
coolbot100s	68fafa8e63	Fix misuse of slug message.	2025-07-25 01:18:53 -07:00
coolbot100s	473fe52865	Merge branch 'main' into coolbot/moderation-improvements	2025-07-25 01:05:51 -07:00
coolbot100s	1032b521bf	add unsupported project type message to versions stage	2025-07-25 01:02:36 -07:00
coolbot100s	61d535707d	Only show gallery relevancy button when relevant.	2025-07-25 00:40:06 -07:00
coolbot100s	da41659666	Add info text to env info stage	2025-07-25 00:22:19 -07:00
coolbot100s	8db23d08ea	add more formatted link shortcuts	2025-07-24 22:06:05 -07:00
coolbot100s	95393eca1f	show optimization button when present in additional categories	2025-07-24 20:11:55 -07:00
Prospector	6db1d66591	else if	2025-07-24 10:38:23 -07:00
Prospector	8052fda840	Bump report limit to 1500	2025-07-24 10:37:01 -07:00
IMB11	15892a88d3	fix: handle identified files properly in the checklist (#4004 ) * fix: handle identified files from the backend * fix: allFiles not being emitted after permissions flow completed * fix: properly handle identified projects * fix: jade issues * fix: import * fix: issue with perm gen msgs * fix: incomplete error	2025-07-23 08:34:55 +00:00
coolbot100s	dd06bb0a50	Typo correction	2025-07-23 01:04:06 -07:00
Alejandro González	32793c50e1	feat(app): better external browser Modrinth login flow (#4033 ) * fix(app-frontend): do not emit exceptions when no loaders are available * refactor(app): simplify Microsoft login code without functional changes * feat(app): external browser auth flow for Modrinth account login * chore: address Clippy lint * chore(app/oauth_utils): simplify `handle_reply` error handling according to review * chore(app-lib): simplify `Url` usage out of MC auth module	2025-07-22 22:55:18 +00:00
Alejandro González	0e0ca1971a	chore(ci): switch back to upstream `cache-cargo-install-action` (#4047 )	2025-07-22 22:43:04 +00:00
Alejandro González	bb9af18eed	perf(docker): cache image builds through cache mounts and GHA cache (#4020 ) * perf(docker): cache image builds through cache mounts and GHA cache * tweak(ci/docker): switch to inline registry cache	2025-07-22 22:31:56 +00:00