Exposed secret key
As you know, and I quote:

```python
# In my opinion, it is not possible to hide the credentials from a person who really wants it
# This little "encryption" is just to hide it from Bots
```
The encryption does little to protect your client secret. The way this is supposed to be done is writing your own server-side program that has the secret. Because the server (ideally, lol) can't be accessed by anyone, the secret is safe there. Your client then has to make a request to YOUR server with its OAuth code, and your server will use the code, secret and client ID to authenticate to the Mojang servers. It's very bad practice to leave exposed secret keys; they're secret for a reason.
I made a smoll Flask application using your minecraft-launcher-lib for this:

```python
import os

from flask import Flask
from minecraft_launcher_lib import microsoft_account as ms
from minecraft_launcher_lib import exceptions as mcex

# the secret is read from the server's environment and never shipped to the client
SECRET_KEY = os.environ.get("SECRET_KEY")
CLIENT_ID = os.environ.get("CLIENT_ID")
if SECRET_KEY is None or CLIENT_ID is None:
    raise SystemExit('SECRET_KEY or CLIENT_ID env variable not provided')

app = Flask(__name__)

# return the oauth url the client will have to access
# the redirect url will be hosted localhost by the client so it can fetch the code automatically
@app.route('/oauth')
def oauth_new():
    return ms.get_login_url(CLIENT_ID, 'http://localhost:6969')

# login with the code the client obtained from the redirect
@app.route('/login/<code>')
def login(code: str):
    try:
        return ms.complete_login(CLIENT_ID, SECRET_KEY, 'http://localhost:6969', code)
    except KeyError:
        return { 'error': 'failed to login, make sure youre using the right microsoft account' }

# refresh session with refresh token
@app.route('/refresh/<code>')
def refresh(code: str):
    try:
        return ms.complete_refresh(CLIENT_ID, SECRET_KEY, 'http://localhost:6969', code)
    except KeyError:
        return { 'error': 'failed to login, make sure youre using the right microsoft account or try again later' }
    except mcex.InvalidRefreshToken:
        return { 'error': 'refresh token expired, make sure you select "stay logged in" next time!' }
```
Thanks for writing the library btw! Hope this helps :)
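
The client half of the flow described in the post, as an added example that is not part of the original post or of minecraft-launcher-lib: a one-shot loopback listener that catches the redirect on port 6969 and builds the `/login/<code>` request, so the client never holds the secret. `BROKER`, `CodeCatcher`, `capture_code` and `login_url` are hypothetical names, and the broker address is a placeholder.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

BROKER = "https://auth.example.invalid"  # assumption: where the Flask app is hosted


class _RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        # A denied or failed login redirects without ?code=, leaving None
        code = urllib.parse.parse_qs(query).get("code", [None])[0]
        self.server.code = code
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login received, you can close this tab." if code else b"No code in redirect.")

    def log_message(self, *args):
        pass  # default logging would print the request line, code included


class CodeCatcher(HTTPServer):
    """One-shot listener for the OAuth redirect, bound to loopback only."""
    code = None
    timeout = 300  # give up if no redirect arrives within five minutes

    def __init__(self, port=6969):
        super().__init__(("127.0.0.1", port), _RedirectHandler)


def capture_code(server):
    """Handle exactly one request, close the socket, return the code or None."""
    with server:
        server.handle_request()
    return server.code


def login_url(code):
    """Broker URL that trades the code for tokens; the secret is added server-side."""
    return f"{BROKER}/login/{urllib.parse.quote(code, safe='')}"


if __name__ == "__main__":
    catcher = CodeCatcher()  # port must match the redirect URL used by the broker
    print(f"Open the URL returned by {BROKER}/oauth in a browser")
    code = capture_code(catcher)
    print("Next request:", login_url(code) if code else "no code received")
```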