spt-launcher/docs/auth-flow.md

Personal Authentication Mod Flow

This document details the modifications and features integrated within spt-launcher and server-csharp to support the custom Personal Authentication Mod.

What is Personal Authentication?

Unlike the vanilla SPT launcher which assumes 1 user = 1 machine, Personal Authentication enables multiple isolated accounts. Users register and log in to uniquely generated session IDs via AuthRouter.cs hooking into LauncherCallbacks.

The server-csharp Modifications:

The server's default JSON payload parsing was too strict regarding unmapped JSON structures (like adding a password field).

We addressed this by updating the base interface in SPTarkov.Server.Core:

namespace SPTarkov.Server.Core.Models.Eft.Launcher;

public record LoginRequestData : IRequestData
{
    [JsonPropertyName("username")]
    public string? Username { get; set; }

    [JsonPropertyName("password")]
    public string? Password { get; set; }
}

Now, LoginRequestData natively accepts passwords, allowing Harmony Patches on LauncherCallbacks.Login and LauncherCallbacks.Register to validate against the database gracefully.

Custom Token Session vs Default Random Session Strings

Vanilla SPT creates a random GUID session variable that is used loosely. With SSO:

1. spt-launcher initiates an HTTP POST /launcher/profile/login with username and password.
2. The Database (DatabaseManager.cs) verifies credentials against PostgreSQL passwords (hashed).
3. Returns a specific SessionID mapped directly to that User ID.
4. The launcher preserves this ID in cookies and local cache storage.
5. Sub-requests (Start Client, Fetch Match Profiles) utilize this single, constant Session ID instead of performing a secondary manual profile scan discovery via /launcher/profiles.