Files
brass-and-sigil/launcher
Matt 8e00526d27 launcher: refresh Microsoft session right before launch
Microsoft access tokens have a ~1 hour TTL. The launcher cached the
MSession once at sign-in and re-used it on every Play click, so leaving
the launcher open for >1 hour and then hitting Play sent stale
credentials to MC -- Mojang's session check on the server then rejected
the join with "Invalid session".

Fix: in DoLaunchAsync, before assembling the MC launch command, call
_auth.TryAuthenticateSilentlyAsync(). XboxAuthNet's silent flow uses
the cached refresh token (~14 day TTL) to mint a fresh access token
transparently. On success ApplySession swaps in the new MSession and
we launch with valid credentials. On failure (refresh token also
stale) the launcher prompts the player to sign in again -- they keep
the launcher open, hit Sign In, no MC restart needed.

No new dependencies, no UI change beyond the brief "Refreshing
session..." status line, no perf cost beyond the ~500ms HTTP roundtrip
to Microsoft each launch.

Bump the launcher version in launcher/ModpackLauncher.csproj before
publishing so old launcher installs see the upgrade banner.
2026-05-23 16:31:17 +00:00
..

Brass & Sigil Launcher

A custom Minecraft Java Edition launcher built for distributing the private "Brass & Sigil" modpack (Create + aeronautics + tech + magic + Distant Horizons) to a small friend group.

NOT AN OFFICIAL MINECRAFT PRODUCT. NOT APPROVED BY OR ASSOCIATED WITH MOJANG OR MICROSOFT.

What it does

  1. Fetches a JSON manifest from a self-hosted server and syncs the modpack files (mods, configs, resourcepacks) to the player's local install directory. SHA-1 hashing ensures only changed files are downloaded.
  2. Authenticates each player with their own personal Microsoft account via the standard MSAL OAuth + Xbox Live + Minecraft Services chain, using the open-source CmlLib.Core.Auth.Microsoft library without modification.
  3. Installs the appropriate Minecraft Java Edition version and Forge mod loader, then launches the game with the player's authenticated session.

Stack

  • C# / .NET 8
  • Avalonia 12 -- desktop UI
  • CmlLib.Core 4.x -- Minecraft install + launch
  • CmlLib.Core.Auth.Microsoft 3.x + XboxAuthNet.Game.Msal -- Microsoft auth
  • CmlLib.Core.Installer.Forge -- Forge support

Build

Requires the .NET 8 SDK.

dotnet build

To produce the shippable single-file executable (~46 MB):

dotnet publish -c Release -r win-x64 --self-contained true

Output: bin/Release/net8.0/win-x64/publish/ModpackLauncher.exe -- a single file with no other dependencies, ready to send to a friend.

Configuration

The repo ships with a launcher-config.template.json. Copy it to launcher-config.json and fill in real values before building:

Copy-Item launcher-config.template.json launcher-config.json

launcher-config.json is gitignored so local values (manifest URL, Azure client ID) never get committed.

Fields

Field Purpose
packName Display name shown in the launcher
manifestUrl URL of the hosted manifest JSON
installDirName Folder name under %APPDATA% for game files
memoryMinMB / memoryMaxMB JVM memory defaults
msalClientId Azure App Registration client ID for Microsoft auth

The config is embedded into the exe at build time, so the launcher ships as a single self-contained file. A sidecar launcher-config.json placed beside the exe will override the embedded copy at runtime (handy for testing).

Manifest format

See manifest.example.json for the schema. Minimum:

{
  "name": "Brass & Sigil",
  "version": "1.0.0",
  "minecraft": { "version": "1.20.1" },
  "loader": { "type": "forge", "version": "47.2.0" },
  "files": [
    { "path": "mods/example.jar", "url": "https://...", "sha1": "..." }
  ]
}

The launcher diffs the manifest against the local install dir using SHA-1 hashes and downloads only what has changed. Files removed from the manifest are pruned from managed folders (mods/, config/, resourcepacks/, shaderpacks/, kubejs/, defaultconfigs/).

Privacy

The launcher does not collect, store, or transmit any user data beyond what the standard Microsoft and Minecraft authentication APIs require. Auth tokens are cached locally via the MSAL token cache. No telemetry, no analytics, no third-party services beyond Microsoft and Mojang.

Local data is written to:

  • %APPDATA%\BrassAndSigil\ -- launcher settings + log file
  • %APPDATA%\<installDirName>\ -- modpack and Minecraft installation

License

MIT -- see LICENSE.

Author

Matt Sijbers -- https://sijbers.uk/matt / project page