Trust Tokens - Remember this computer for X days 2FA#46
Merged
WinterSolstice8 merged 1 commit intoFeb 11, 2026
Conversation
Merged
13 tasks
9001-Sols
changed the title
9001-Sols
commented
Feb 9, 2026
| std::string g_OtpCode = ""; // The OTP code the user input | ||
| char g_SessionHash[16] = {}; // Session hash sent from auth | ||
| std::string g_Email = ""; // Email, currently unused | ||
| std::array<uint8_t, 3> g_VersionNumber = { 2, 0, 1 }; // xiloader version number sent to auth server. Must be x.x.x with single characters for 'x'. Remember to also change in xiloader.rc.in |
Contributor
Author
There was a problem hiding this comment.
I'm guessing I'll need to bump this, but wanted to hear from somebody first on whether it should be a major, minor, or patch bump
Contributor
There was a problem hiding this comment.
make a bump version commit to 2.1.0 like this commit 97990c5
(and don't forget the xiloader.rc like I did for 2.0.0)
9001-Sols
force-pushed
the
9001/trust-tokens
branch
2 times, most recently
from
27b7d59 to
e66697f
Compare
9001-Sols
changed the title
9001-Sols
force-pushed
the
9001/trust-tokens
branch
from
e66697f to
96d1302
Compare
9001-Sols
force-pushed
the
9001/trust-tokens
branch
from
96d1302 to
c755767
Compare
WinterSolstice8
approved these changes
Feb 11, 2026
Contributor
|
I have pulled this down and tested it, it works as advertised (even on linux) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds client-side support for the server's 2FA trust token feature. When a user checks "Trust this computer" during login with a valid OTP, the server issues a 30-day trust token. On subsequent logins, the token is sent automatically so the user can skip OTP entry.
Changes
trust_token.cpp/h): Load, save, and remove tokens per server+username pair. Tokens are stored DPAPI-encrypted in%APPDATA%\xiloader\trust_tokens.dat.network.cpp,command_handler.h): Send trust_token and trust_this_computer fields with login requests. On successful login, save any server-issued token. On TOTP removal, clear the local token.menus.h): Login form reactively checks for a saved trust token as the user types their username. When trusted: shows green "Computer is trusted" text, marks OTP as optional, hides the trust checkbox, and lets Enter on password submit directly.menus.h,network.cpp): New "Revoke Computer Trust" option in the 2FA submenu to delete a saved token locally.main.cpp): New--trustCLI arg and trust_this_computer JSON config option.main.cpp): Fix polcorecmd construction - was doing pointer arithmetic (const char*+uint16_t) instead of string concatenation since the JSON rewrite changed port types fromstd::stringtouint16_t.Test plan
"Trust this computer"checked - confirm token saved, "trusted" message shown--user/--pass) with saved trust token - confirm token sent automaticallyDependencies
LandSandBoat/server#9418
New [ ] Trust this computer option
Successful login with Trust this computer checked (specifies how long it is trusted for, server driven, falls back to 30 days)
Example of a trusted computer (Dynamically updates when username changes)
Bogus Token Auto Revoke
Revoke Trust option