baltica 0.1.20 → 0.1.23

package/README.md

@@ -51,29 +51,57 @@ const client = new Client({
   port: 19132,
 });
 
-// Connect and get server info
 await client.connect();
+```
+
+### Email/Password Authentication
+
+You can authenticate directly with your Microsoft account using email and password:
 
-// Listen for chat messages
-client.on("TextPacket", (packet) => {
-  console.log(`Got message: ${packet.message}`);
+```typescript
+const client = new Client({
+  address: "play.server.com",
+  port: 19132,
+  email: "your-email@outlook.com",
+  password: "your-password",
 });
 
-// Send a friendly greeting when connected
-client.on("connect", () => {
-  const packet = new TextPacket();
-   packet.message = 'Hey everyone! 👋';
-   packet.needsTranslation = false;
-   packet.parameters = [];
-   packet.platformChatId = '';
-   packet.source = client.username;
-   packet.type = TextPacketType.Chat;
-   packet.xuid = client.profile.xuid.toString();
-   packet.filtered = '';
-  client.send(packet.serialize());
+await client.connect();
+```
+
+**Important Notes:**
+- This method only works with accounts that have 2FA (Two-Factor Authentication) **disabled**
+- The account must have an Xbox profile and own Minecraft Bedrock Edition or launched minecraft at least once.
+- User tokens are cached for ~14 days to minimize login requests (BETA)
+- Tokens are stored in the `tokens` folder by default
+
+### Using a Proxy
+
+Baltica supports SOCKS5 proxies for client connections:
+
+```typescript
+const client = new Client({
+  address: "play.server.com",
+  port: 19132,
+  email: "your-email@outlook.com",
+  password: "your-password",
+  proxy: {
+    host: "proxy.example.com",
+    port: 1080,
+    userId: "proxy-username",    // Optional
+    password: "proxy-password",  // Optional
+  },
+  skinFile: `./skins/skin.png`, // If you want to load a skin from a png file
 });
+
+await client.connect();
 ```
 
+This is useful for:
+- Bypassing IP restrictions
+- Testing from different geographic locations
+- Managing multiple bot connections
+
 ### Server Usage
 
 Want to create your own Minecraft server? We got you:

package/dist/client/client.js

@@ -57,6 +57,8 @@ class Client extends shared_1.Emitter {
         this.packetCompressor = new shared_1.PacketCompressor(this);
         this.handleGamePackets();
         this.raknet.on("encapsulated", this.handleEncapsulated.bind(this));
+        // Wait for authentication to complete before sending network settings request
+        await this.waitForSessionReady();
         const request = new protocol_1.RequestNetworkSettingsPacket();
         request.protocol = types_1.ProtocolList[types_1.CurrentVersionConst];
         this.send(request);

package/dist/client/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./worker";
 export * from "./types";
 export * from "./client";
+export * from "./skin-loader";

package/dist/client/index.js

@@ -17,3 +17,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./worker"), exports);
 __exportStar(require("./types"), exports);
 __exportStar(require("./client"), exports);
+__exportStar(require("./skin-loader"), exports);

package/dist/client/skin-loader.d.ts

@@ -0,0 +1,38 @@
+import type { SkinData } from "./types/payload";
+/**
+ * Load a Minecraft Bedrock skin from a PNG file
+ * @param pngPath - Path to the PNG skin file (64x64 or 64x32)
+ * @returns SkinData object ready to use in client options
+ *
+ * @example
+ * ```typescript
+ * import { Client, loadSkinFromPNG } from 'baltica';
+ *
+ * const client = new Client({
+ *     address: "play.example.com",
+ *     port: 19132,
+ *     skinData: loadSkinFromPNG('./my-skin.png')
+ * });
+ * ```
+ */
+export declare function loadSkinFromPNG(pngPath: string): SkinData;
+/**
+ * Load a Minecraft Bedrock skin from raw RGBA buffer
+ * @param buffer - Raw RGBA pixel data buffer
+ * @param width - Skin width (typically 64)
+ * @param height - Skin height (typically 64 or 32)
+ * @returns SkinData object ready to use in client options
+ *
+ * @example
+ * ```typescript
+ * import { Client, loadSkinFromBuffer } from 'baltica';
+ *
+ * const rgbaBuffer = Buffer.from([...]); // Your RGBA data
+ * const client = new Client({
+ *     address: "play.example.com",
+ *     port: 19132,
+ *     skinData: loadSkinFromBuffer(rgbaBuffer, 64, 64)
+ * });
+ * ```
+ */
+export declare function loadSkinFromBuffer(buffer: Buffer, width: number, height: number): SkinData;

package/dist/client/skin-loader.js

@@ -0,0 +1,156 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadSkinFromPNG = loadSkinFromPNG;
+exports.loadSkinFromBuffer = loadSkinFromBuffer;
+const fs = __importStar(require("node:fs"));
+const pngjs_1 = require("pngjs");
+/**
+ * Load a Minecraft Bedrock skin from a PNG file
+ * @param pngPath - Path to the PNG skin file (64x64 or 64x32)
+ * @returns SkinData object ready to use in client options
+ *
+ * @example
+ * ```typescript
+ * import { Client, loadSkinFromPNG } from 'baltica';
+ *
+ * const client = new Client({
+ *     address: "play.example.com",
+ *     port: 19132,
+ *     skinData: loadSkinFromPNG('./my-skin.png')
+ * });
+ * ```
+ */
+function loadSkinFromPNG(pngPath) {
+    // Read and parse PNG file
+    const pngData = fs.readFileSync(pngPath);
+    const png = pngjs_1.PNG.sync.read(pngData);
+    // Validate dimensions
+    if (png.width !== 64 || (png.height !== 64 && png.height !== 32)) {
+        throw new Error(`Invalid skin dimensions: ${png.width}x${png.height}. Expected 64x64 or 64x32`);
+    }
+    // Convert RGBA pixel data to base64
+    const base64Skin = png.data.toString("base64");
+    // Create skin resource patch for standard humanoid model
+    const resourcePatch = {
+        geometry: {
+            default: "geometry.humanoid.custom",
+        },
+    };
+    return {
+        AnimatedImageData: [],
+        ArmSize: "wide",
+        CapeData: "",
+        CapeId: "",
+        CapeImageHeight: 0,
+        CapeImageWidth: 0,
+        CapeOnClassicSkin: false,
+        PersonaPieces: [],
+        PersonaSkin: false,
+        PieceTintColors: [],
+        PremiumSkin: false,
+        SkinAnimationData: "",
+        SkinColor: "#0",
+        SkinData: base64Skin,
+        SkinGeometryData: "",
+        SkinGeometryDataEngineVersion: "",
+        SkinId: `custom_skin_${Date.now()}`,
+        SkinImageHeight: png.height,
+        SkinImageWidth: png.width,
+        SkinResourcePatch: Buffer.from(JSON.stringify(resourcePatch)).toString("base64"),
+        TrustedSkin: true,
+    };
+}
+/**
+ * Load a Minecraft Bedrock skin from raw RGBA buffer
+ * @param buffer - Raw RGBA pixel data buffer
+ * @param width - Skin width (typically 64)
+ * @param height - Skin height (typically 64 or 32)
+ * @returns SkinData object ready to use in client options
+ *
+ * @example
+ * ```typescript
+ * import { Client, loadSkinFromBuffer } from 'baltica';
+ *
+ * const rgbaBuffer = Buffer.from([...]); // Your RGBA data
+ * const client = new Client({
+ *     address: "play.example.com",
+ *     port: 19132,
+ *     skinData: loadSkinFromBuffer(rgbaBuffer, 64, 64)
+ * });
+ * ```
+ */
+function loadSkinFromBuffer(buffer, width, height) {
+    // Validate dimensions
+    if (width !== 64 || (height !== 64 && height !== 32)) {
+        throw new Error(`Invalid skin dimensions: ${width}x${height}. Expected 64x64 or 64x32`);
+    }
+    // Validate buffer size (RGBA = 4 bytes per pixel)
+    const expectedSize = width * height * 4;
+    if (buffer.length !== expectedSize) {
+        throw new Error(`Invalid buffer size: ${buffer.length} bytes. Expected ${expectedSize} bytes for ${width}x${height} RGBA`);
+    }
+    // Convert to base64
+    const base64Skin = buffer.toString("base64");
+    // Create skin resource patch
+    const resourcePatch = {
+        geometry: {
+            default: "geometry.humanoid.custom",
+        },
+    };
+    return {
+        AnimatedImageData: [],
+        ArmSize: "wide",
+        CapeData: "",
+        CapeId: "",
+        CapeImageHeight: 0,
+        CapeImageWidth: 0,
+        CapeOnClassicSkin: false,
+        PersonaPieces: [],
+        PersonaSkin: false,
+        PieceTintColors: [],
+        PremiumSkin: false,
+        SkinAnimationData: "",
+        SkinColor: "#0",
+        SkinData: base64Skin,
+        SkinGeometryData: "",
+        SkinGeometryDataEngineVersion: "",
+        SkinId: `custom_skin_${Date.now()}`,
+        SkinImageHeight: height,
+        SkinImageWidth: width,
+        SkinResourcePatch: Buffer.from(JSON.stringify(resourcePatch)).toString("base64"),
+        TrustedSkin: true,
+    };
+}

package/dist/client/types/client-data.js

@@ -42,6 +42,7 @@ const uuid_1345_1 = require("uuid-1345");
 const __1 = require("../");
 const types_1 = require("../../shared/types");
 const login_data_1 = require("./login-data");
+const skin_loader_1 = require("../skin-loader");
 const PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAECRXueJeTDqNRRgJi/vlRufByu/2G0i2Ebt6YMar5QX/R0DIIyrJMcUpruK4QveTfJSTp3Shlq4Gk34cD/4GUWwkv0DVuzeuB+tXija7HBxii03NHDbPAD0AKnLr2wdAp";
 const algorithm = "ES384";
 class ClientData {
@@ -52,6 +53,10 @@ class ClientData {
         this.client = client;
         this.payload = (0, __1.createDefaultPayload)(client);
         this.loginData = (0, login_data_1.prepareLoginData)();
+        // Load skin from file if skinFile is provided
+        if (client.options.skinFile && !client.options.skinData) {
+            client.options.skinData = (0, skin_loader_1.loadSkinFromPNG)(client.options.skinFile);
+        }
     }
     createLoginPacket() {
         const loginPacket = new protocol_1.LoginPacket();
@@ -68,7 +73,7 @@ class ClientData {
         return loginPacket;
     }
     async createClientChain(mojangKey, offline) {
-        const { clientX509, ecdhKeyPair } = this.loginData;
+        const { clientX509, ecdhKeyPair, sessionTokenData } = this.loginData;
         let payload;
         let header;
         if (offline) {
@@ -96,6 +101,19 @@ class ClientData {
                 identityPublicKey: mojangKey || PUBLIC_KEY,
                 certificateAuthority: true,
             };
+            // Add session token data for PocketMine 1.21.100+ compatibility
+            if (sessionTokenData) {
+                payload.ipt = sessionTokenData.ipt;
+                payload.tid = sessionTokenData.tid;
+                payload.mid = sessionTokenData.mid;
+                payload.xid = sessionTokenData.xid;
+                payload.cpk = sessionTokenData.cpk;
+                payload.xname = this.client.profile.name;
+            }
+            // Add pfcd if available (PlayFab ID)
+            if (this.payload.pfcd) {
+                payload.pfcd = this.payload.pfcd;
+            }
             header = {
                 alg: algorithm,
                 x5u: clientX509,

package/dist/client/types/client-options.d.ts

@@ -33,6 +33,8 @@ export type ClientOptions = {
     tokensFolder: string;
     /** Skin Data for custom skins (By default we parse it from json)*/
     skinData: SkinData | undefined;
+    /** Path to PNG skin file (alternative to skinData) */
+    skinFile: string | undefined;
     /** LoginPacket data Customization */
     loginOptions: LoginPacketOptions;
     /** The View Distance of the client.  */

package/dist/client/types/client-options.js

@@ -18,6 +18,8 @@ exports.defaultClientOptions = {
     tokensFolder: "tokens",
     /** Default Value: undefined */
     skinData: undefined,
+    /** Default Value: undefined */
+    skinFile: undefined,
     loginOptions: {
         /** Default Value: Unknown */
         currentInputMode: protocol_1.InputMode.Unknown,

package/dist/client/types/login-data.d.ts

@@ -6,6 +6,13 @@ type LoginData = {
     clientX509: string;
     clientIdentityChain: string;
     clientUserChain: string;
+    sessionTokenData?: {
+        ipt: string;
+        tid: string;
+        mid: string;
+        xid: string;
+        cpk: string;
+    };
 };
 export declare const prepareLoginData: () => LoginData;
 export type { LoginData };

package/dist/client/types/payload.d.ts

@@ -29,6 +29,7 @@ export type Payload = {
     PlatformOnlineId: string;
     PlatformType: number;
     PlayFabId: string;
+    pfcd?: string;
     PremiumSkin: boolean;
     SelfSignedId: string;
     ServerAddress: string;

package/dist/client/worker/worker-client.js

@@ -6,7 +6,7 @@ const worker_1 = require("./worker");
 class WorkerClient extends raknet_1.EventEmitter {
     constructor(options) {
         super();
-        this._options = { ...raknet_1.defaultClientOptions, ...options };
+        this._options = { ...(0, raknet_1.createDefaultClientOptions)(), ...options };
         this._worker = (0, worker_1.connect)(this._options);
         this.handleEvents();
     }

package/dist/shared/auth/authentication.d.ts

@@ -1,21 +1,43 @@
-import { live, xnet } from "@xboxreplay/xboxlive-auth";
-import type { AuthenticateResponse, Email } from "@xboxreplay/xboxlive-auth";
+/**
+ * Xbox Live Authentication Module
+ *
+ * Based on the authentication flow from @xboxreplay/xboxlive-auth
+ * https://github.com/XboxReplay/xboxlive-auth
+ *
+ * Modified to support SOCKS5 proxies for all HTTP requests and Minecraft Authentication
+ */
 export interface BedrockTokens {
     chains: string[];
     xuid: string;
     gamertag: string;
     userHash: string;
+    xstsToken: string;
+    playfabXstsToken: string;
+    playfabUserHash: string;
+}
+export interface ProxyOptions {
+    host: string;
+    port: number;
+    userId?: string;
+    password?: string;
 }
 export interface AuthOptions {
     email: string;
     password: string;
     clientPublicKey: string;
     cacheDir?: string;
+    proxy?: ProxyOptions;
 }
 /**
  * Authenticates with Xbox Live using email/password and obtains Minecraft Bedrock tokens
- * Caches Xbox user token (~14 days valid) to minimize login requests
+ * Supports SOCKS5 proxy for all authentication requests
  */
 export declare function authenticateWithCredentials(options: AuthOptions): Promise<BedrockTokens>;
-export { live, xnet };
-export type { AuthenticateResponse, Email };
+export type Email = string;
+export interface AuthenticateResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+    user_id: string;
+}

package/dist/shared/auth/authentication.js

@@ -1,4 +1,12 @@
 "use strict";
+/**
+ * Xbox Live Authentication Module
+ *
+ * Based on the authentication flow from @xboxreplay/xboxlive-auth
+ * https://github.com/XboxReplay/xboxlive-auth
+ *
+ * Modified to support SOCKS5 proxies for all HTTP requests and Minecraft Authentication
+ */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -33,15 +41,15 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.xnet = exports.live = void 0;
 exports.authenticateWithCredentials = authenticateWithCredentials;
-const xboxlive_auth_1 = require("@xboxreplay/xboxlive-auth");
-Object.defineProperty(exports, "live", { enumerable: true, get: function () { return xboxlive_auth_1.live; } });
-Object.defineProperty(exports, "xnet", { enumerable: true, get: function () { return xboxlive_auth_1.xnet; } });
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const raknet_1 = require("@sanctumterra/raknet");
+const fetch_socks_1 = require("fetch-socks");
+const undici_1 = require("undici");
 const MINECRAFT_BEDROCK_RELYING_PARTY = "https://multiplayer.minecraft.net/";
+const PLAYFAB_RELYING_PARTY = "https://b980a380.minecraft.playfabapi.com/";
+const XBOX_AUTH_CLIENT_ID = "00000000441cc96b";
 function hashString(str) {
     let hash = 0;
     for (let i = 0; i < str.length; i++) {
@@ -63,7 +71,6 @@ function loadCache(cacheFile) {
     try {
         if (fs.existsSync(cacheFile)) {
             const cached = JSON.parse(fs.readFileSync(cacheFile, "utf-8"));
-            // Check if token is still valid (with 1 hour buffer)
             const expiresAt = new Date(cached.notAfter).getTime();
             if (Date.now() < expiresAt - 3600000) {
                 return cached;
@@ -91,16 +98,47 @@ function saveCache(cacheFile, userToken, userHash, notAfter) {
         /* ignore */
     }
 }
+function createProxiedFetch(proxy) {
+    if (!proxy) {
+        return fetch;
+    }
+    const dispatcher = (0, fetch_socks_1.socksDispatcher)({
+        type: 5,
+        host: proxy.host,
+        port: proxy.port,
+        userId: proxy.userId,
+        password: proxy.password,
+    });
+    return async (input, init) => {
+        const url = typeof input === "string" ? input : input.toString();
+        const response = await (0, undici_1.fetch)(url, {
+            ...init,
+            dispatcher,
+        });
+        return response;
+    };
+}
 /**
  * Authenticates with Xbox Live using email/password and obtains Minecraft Bedrock tokens
- * Caches Xbox user token (~14 days valid) to minimize login requests
+ * Supports SOCKS5 proxy for all authentication requests
  */
 async function authenticateWithCredentials(options) {
-    const { email, password, clientPublicKey, cacheDir } = options;
+    const { email, password, clientPublicKey, cacheDir, proxy } = options;
     const cacheFile = cacheDir ? getCacheFile(cacheDir, email) : null;
+    const proxiedFetch = createProxiedFetch(proxy);
+    // Verify proxy is working by checking our IP
+    if (proxy) {
+        try {
+            const ipResp = await proxiedFetch("https://api.ipify.org?format=json");
+            const ipData = (await ipResp.json());
+            raknet_1.Logger.info(`Proxy IP verified: ${ipData.ip}`);
+        }
+        catch (e) {
+            raknet_1.Logger.warn(`Could not verify proxy IP: ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
     let userToken;
     let userHash;
-    // Try to use cached user token first
     const cached = cacheFile ? loadCache(cacheFile) : null;
     if (cached) {
         raknet_1.Logger.info("Using cached Xbox user token...");
@@ -108,49 +146,250 @@ async function authenticateWithCredentials(options) {
         userHash = cached.userHash;
     }
     else {
-        // Fresh login required
-        raknet_1.Logger.info("Authenticating with Xbox Live...");
-        const accessToken = await freshLogin(email, password);
-        // Exchange for Xbox user token (valid ~14 days)
-        const userTokenResp = await xboxlive_auth_1.xnet.exchangeRpsTicketForUserToken(accessToken, "t");
+        raknet_1.Logger.info(`Authenticating with Xbox Live...${proxy ? ` (via proxy ${proxy.host}:${proxy.port})` : ""}`);
+        const accessToken = await getMicrosoftAccessToken(email, password, proxiedFetch);
+        const userTokenResp = await exchangeRpsTicketForUserToken(accessToken, proxiedFetch);
         userToken = userTokenResp.Token;
         userHash = userTokenResp.DisplayClaims.xui[0].uhs;
-        // Cache the user token
         if (cacheFile) {
             saveCache(cacheFile, userToken, userHash, userTokenResp.NotAfter);
         }
     }
-    // Get XSTS token for Minecraft Bedrock (short-lived, always fetch fresh)
-    const xstsResp = await xboxlive_auth_1.xnet.exchangeTokenForXSTSToken(userToken, {
-        XSTSRelyingParty: MINECRAFT_BEDROCK_RELYING_PARTY,
-        sandboxId: "RETAIL",
-    });
+    // Get XSTS token for Minecraft Bedrock
+    const xstsResp = await exchangeTokenForXSTSToken(userToken, MINECRAFT_BEDROCK_RELYING_PARTY, proxiedFetch);
     const xuid = xstsResp.DisplayClaims.xui[0].xid || "";
-    // Get Minecraft Bedrock chains
-    const chains = await getMinecraftBedrockChains(xstsResp.Token, userHash, clientPublicKey);
+    // Get XSTS token for Playfab (needed for session token)
+    const playfabXstsResp = await exchangeTokenForXSTSToken(userToken, PLAYFAB_RELYING_PARTY, proxiedFetch);
+    const chains = await getMinecraftBedrockChains(xstsResp.Token, userHash, clientPublicKey, proxiedFetch);
     const gamertag = extractGamertagFromChains(chains);
     raknet_1.Logger.info(`Authenticated as: ${gamertag} (${xuid})`);
-    return { chains, xuid, gamertag, userHash };
+    return {
+        chains,
+        xuid,
+        gamertag,
+        userHash,
+        xstsToken: xstsResp.Token,
+        playfabXstsToken: playfabXstsResp.Token,
+        playfabUserHash: playfabXstsResp.DisplayClaims.xui[0].uhs,
+    };
 }
-async function freshLogin(email, password) {
-    try {
-        const liveToken = await xboxlive_auth_1.live.authenticateWithCredentials({
-            email: email,
-            password,
+/**
+ * Get Microsoft access token using email/password via OAuth flow
+ * This implements the full browser-like login flow
+ */
+async function getMicrosoftAccessToken(email, password, proxiedFetch) {
+    const authUrl = "https://login.live.com/oauth20_authorize.srf";
+    const params = new URLSearchParams({
+        client_id: XBOX_AUTH_CLIENT_ID,
+        redirect_uri: "https://login.live.com/oauth20_desktop.srf",
+        response_type: "token",
+        scope: "service::user.auth.xboxlive.com::MBI_SSL",
+        display: "touch",
+        locale: "en",
+    });
+    const preAuthResp = await proxiedFetch(`${authUrl}?${params}`, {
+        headers: {
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+            Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+            "Accept-Language": "en-US,en;q=0.5",
+        },
+    });
+    if (!preAuthResp.ok) {
+        throw new Error(`Pre-auth request failed: ${preAuthResp.status}`);
+    }
+    const preAuthHtml = await preAuthResp.text();
+    const cookies = extractCookies(preAuthResp.headers);
+    const { ppft, urlPost } = extractLoginParams(preAuthHtml);
+    const loginBody = new URLSearchParams({
+        login: email,
+        loginfmt: email,
+        passwd: password,
+        PPFT: ppft,
+        PPSX: "Passpor",
+        NewUser: "1",
+        FoundMSAs: "",
+        fspost: "0",
+        i21: "0",
+        CookieDisclosure: "0",
+        IsFidoSupported: "1",
+        isSignupPost: "0",
+        isRecoveryAttemptPost: "0",
+        i13: "0",
+        i19: Math.floor(Math.random() * 100000).toString(),
+    });
+    const loginResp = await proxiedFetch(urlPost, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+            Cookie: cookies,
+            Referer: `${authUrl}?${params}`,
+            Origin: "https://login.live.com",
+        },
+        body: loginBody.toString(),
+        redirect: "manual",
+    });
+    // Check for access token in redirect
+    let location = loginResp.headers.get("location") || "";
+    // Follow redirects manually to find the access token
+    let attempts = 0;
+    while (attempts < 5 && !location.includes("access_token=")) {
+        if (!location) {
+            // Check if we got an error page
+            const responseText = await loginResp.text();
+            if (responseText.includes("sErrTxt") ||
+                responseText.includes("Your account or password is incorrect")) {
+                throw new Error("Invalid credentials");
+            }
+            if (responseText.includes("Sign in a different way") ||
+                responseText.includes("idA_PWD_SwitchToCredPicker")) {
+                throw new Error("2FA is enabled on this account. Direct login requires 2FA to be disabled.");
+            }
+            // Try to extract access token from response body (some flows embed it)
+            const tokenMatch = responseText.match(/access_token=([^&"']+)/);
+            if (tokenMatch) {
+                return decodeURIComponent(tokenMatch[1]);
+            }
+            throw new Error("Failed to get redirect URL from login response");
+        }
+        if (location.includes("access_token=")) {
+            break;
+        }
+        const redirectResp = await proxiedFetch(location, {
+            headers: {
+                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+                Cookie: cookies,
+            },
+            redirect: "manual",
         });
-        return liveToken.access_token;
+        location = redirectResp.headers.get("location") || "";
+        attempts++;
     }
-    catch (error) {
-        const err = error;
-        if (err.attributes?.code === "INVALID_CREDENTIALS_OR_2FA_ENABLED") {
-            throw new Error("Authentication failed: Invalid credentials or 2FA is enabled.\n" +
-                "Direct email/password login only works with 2FA DISABLED.");
+    // Extract access token from URL fragment
+    const tokenMatch = location.match(/access_token=([^&]+)/);
+    if (tokenMatch) {
+        return decodeURIComponent(tokenMatch[1]);
+    }
+    throw new Error("Failed to obtain access token from Microsoft");
+}
+function extractCookies(headers) {
+    const setCookies = headers.get("set-cookie");
+    if (!setCookies)
+        return "";
+    // Parse and combine cookies
+    const cookies = [];
+    const cookieStrings = setCookies.split(/,(?=[^;]*=)/);
+    for (const cookieStr of cookieStrings) {
+        const match = cookieStr.match(/^([^=]+)=([^;]*)/);
+        if (match) {
+            cookies.push(`${match[1].trim()}=${match[2]}`);
         }
-        throw error;
     }
+    return cookies.join("; ");
 }
-async function getMinecraftBedrockChains(xstsToken, userHash, clientPublicKey) {
-    const response = await fetch("https://multiplayer.minecraft.net/authentication", {
+function extractLoginParams(html) {
+    let ppft = null;
+    // Pattern for sFTTag with escaped quotes (JSON format)
+    const sFTTagMatch = html.match(/sFTTag":"<input[^>]*value=\\"([^"\\]+)\\"/);
+    if (sFTTagMatch) {
+        ppft = sFTTagMatch[1];
+    }
+    // Fallback patterns
+    if (!ppft) {
+        const ppftPatterns = [
+            /sFTTag:'[^']*value="([^"]+)"/,
+            /name="PPFT"[^>]*value="([^"]+)"/,
+            /value="([^"]+)"[^>]*name="PPFT"/,
+            /<input[^>]*name="PPFT"[^>]*value="([^"]+)"/,
+            /"sFT"\s*:\s*"([^"]+)"/,
+            /sFT:'([^']+)'/,
+            /"sFT":"([^"]+)"/,
+        ];
+        for (const pattern of ppftPatterns) {
+            const match = html.match(pattern);
+            if (match) {
+                ppft = match[1];
+                break;
+            }
+        }
+    }
+    if (!ppft) {
+        throw new Error("Failed to extract PPFT token from login page");
+    }
+    // Extract urlPost
+    const urlPostPatterns = [
+        /urlPost:\s*'([^']+)'/,
+        /urlPost:\s*"([^"]+)"/,
+        /"urlPost"\s*:\s*"([^"]+)"/,
+    ];
+    let urlPost = "https://login.live.com/ppsecure/post.srf";
+    for (const pattern of urlPostPatterns) {
+        const match = html.match(pattern);
+        if (match) {
+            urlPost = match[1];
+            break;
+        }
+    }
+    return { ppft, urlPost };
+}
+/**
+ * Exchange Microsoft access token for Xbox User Token
+ */
+async function exchangeRpsTicketForUserToken(accessToken, proxiedFetch) {
+    const response = await proxiedFetch("https://user.auth.xboxlive.com/user/authenticate", {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            "x-xbl-contract-version": "1",
+        },
+        body: JSON.stringify({
+            RelyingParty: "http://auth.xboxlive.com",
+            TokenType: "JWT",
+            Properties: {
+                AuthMethod: "RPS",
+                SiteName: "user.auth.xboxlive.com",
+                RpsTicket: `t=${accessToken}`,
+            },
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Xbox user token exchange failed: ${response.status} - ${text}`);
+    }
+    return response.json();
+}
+/**
+ * Exchange Xbox User Token for XSTS Token
+ */
+async function exchangeTokenForXSTSToken(userToken, relyingParty, proxiedFetch) {
+    const response = await proxiedFetch("https://xsts.auth.xboxlive.com/xsts/authorize", {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            "x-xbl-contract-version": "1",
+        },
+        body: JSON.stringify({
+            RelyingParty: relyingParty,
+            TokenType: "JWT",
+            Properties: {
+                SandboxId: "RETAIL",
+                UserTokens: [userToken],
+            },
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Xbox XSTS token exchange failed: ${response.status} - ${text}`);
+    }
+    return response.json();
+}
+/**
+ * Get Minecraft Bedrock authentication chains
+ */
+async function getMinecraftBedrockChains(xstsToken, userHash, clientPublicKey, proxiedFetch) {
+    const response = await proxiedFetch("https://multiplayer.minecraft.net/authentication", {
         method: "POST",
         headers: {
             "Content-Type": "application/json",
@@ -162,11 +401,8 @@ async function getMinecraftBedrockChains(xstsToken, userHash, clientPublicKey) {
     if (!response.ok) {
         const text = await response.text();
         if (response.status === 401) {
-            throw new Error("Minecraft Bedrock authentication failed (401 UNAUTHORIZED).\n" +
-                "This usually means:\n" +
-                "  1. The account does not have an Xbox profile (create one at xbox.com)\n" +
-                "  2. The account does not own Minecraft Bedrock Edition\n" +
-                "  3. The account needs to accept Xbox/Minecraft terms of service");
+            throw new Error("Minecraft Bedrock authentication failed (401).\n" +
+                "The account may not have an Xbox profile or Minecraft Bedrock Edition.");
         }
         throw new Error(`Minecraft Bedrock auth failed: ${response.status} - ${text}`);
     }

package/dist/shared/auth.js

@@ -107,12 +107,42 @@ async function authenticateWithEmailPassword(client) {
             password: client.options.password,
             clientPublicKey: client.data.loginData.clientX509,
             cacheDir: client.options.tokensFolder,
+            proxy: client.options.proxy,
         });
         const profile = {
             name: tokens.gamertag,
             uuid: generateUUID(tokens.gamertag),
             xuid: Number(tokens.xuid) || 0,
         };
+        // Get Playfab session ticket
+        const playfabData = await getPlayfabSessionTicket(tokens.playfabUserHash, tokens.playfabXstsToken);
+        // Get the multiplayer session token
+        // First get the MC services token (mcToken)
+        const mcToken = await getMinecraftServicesTokenFromPlayfab(playfabData.sessionTicket);
+        // Then use mcToken to get the multiplayer session token
+        const sessionToken = await getMultiplayerSessionTokenFromMcToken(mcToken, client.data.loginData.clientX509);
+        client.data.loginToken = sessionToken;
+        // Extract pfcd from session token and store it
+        try {
+            const tokenParts = sessionToken.split(".");
+            if (tokenParts.length >= 2) {
+                const payload = JSON.parse(Buffer.from(tokenParts[1], "base64").toString());
+                if (payload.pfcd) {
+                    client.data.payload.pfcd = payload.pfcd;
+                }
+                // Store session token data for client chain
+                client.data.loginData.sessionTokenData = {
+                    ipt: payload.ipt,
+                    tid: payload.prop ? JSON.parse(payload.prop).tid : undefined,
+                    mid: payload.prop ? JSON.parse(payload.prop).mid : undefined,
+                    xid: payload.xid,
+                    cpk: payload.cpk,
+                };
+            }
+        }
+        catch (e) {
+            raknet_1.Logger.warn(`Failed to extract pfcd from session token: ${e instanceof Error ? e.message : String(e)}`);
+        }
         const endTime = Date.now();
         raknet_1.Logger.info(`Authentication with Xbox (email/password) took ${(endTime - startTime) / 1000}s.`);
         setupClientProfile(client, profile, tokens.chains);
@@ -154,6 +184,144 @@ async function getMultiplayerSessionToken(authflow, client) {
         throw error;
     }
 }
+async function getPlayfabSessionTicket(playfabUserHash, playfabXstsToken) {
+    try {
+        const response = await fetch("https://20ca2.playfabapi.com/Client/LoginWithXbox", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                CreateAccount: true,
+                EncryptedRequest: null,
+                InfoRequestParameters: {
+                    GetCharacterInventories: false,
+                    GetCharacterList: false,
+                    GetPlayerProfile: true,
+                    GetPlayerStatistics: false,
+                    GetTitleData: false,
+                    GetUserAccountInfo: true,
+                    GetUserData: false,
+                    GetUserInventory: false,
+                    GetUserReadOnlyData: false,
+                    GetUserVirtualCurrency: false,
+                    PlayerStatisticNames: null,
+                    ProfileConstraints: null,
+                    TitleDataKeys: null,
+                    UserDataKeys: null,
+                    UserReadOnlyDataKeys: null,
+                },
+                PlayerSecret: null,
+                TitleId: "20CA2",
+                XboxToken: `XBL3.0 x=${playfabUserHash};${playfabXstsToken}`,
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Playfab login failed: ${response.status} ${response.statusText} - ${text}`);
+        }
+        const json = (await response.json());
+        return {
+            sessionTicket: json.data.SessionTicket,
+            playFabId: json.data.PlayFabId,
+        };
+    }
+    catch (error) {
+        raknet_1.Logger.error(`Error while getting Playfab session ticket: ${error instanceof Error ? error.message : String(error)}`);
+        throw error;
+    }
+}
+async function getMinecraftServicesTokenFromPlayfab(sessionTicket) {
+    try {
+        const response = await fetch("https://authorization.franchise.minecraft-services.net/api/v1.0/session/start", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                device: {
+                    applicationType: "MinecraftPE",
+                    gameVersion: "1.21.130",
+                    id: "c1681ad3-415e-30cd-abd3-3b8f51e771d1",
+                    memory: String(8 * (1024 * 1024 * 1024)),
+                    platform: "Windows10",
+                    playFabTitleId: "20CA2",
+                    storePlatform: "uwp.store",
+                    type: "Windows10",
+                },
+                user: {
+                    token: sessionTicket,
+                    tokenType: "PlayFab",
+                },
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`MC services token failed: ${response.status} ${response.statusText} - ${text}`);
+        }
+        const json = (await response.json());
+        return json.result.authorizationHeader;
+    }
+    catch (error) {
+        raknet_1.Logger.error(`Error while getting MC services token: ${error instanceof Error ? error.message : String(error)}`);
+        throw error;
+    }
+}
+async function getMultiplayerSessionTokenFromMcToken(mcToken, publicKey) {
+    try {
+        const response = await fetch("https://authorization.franchise.minecraft-services.net/api/v1.0/multiplayer/session/start", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: mcToken,
+                "Accept-Encoding": "identity",
+            },
+            body: JSON.stringify({
+                publicKey: publicKey,
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Multiplayer session start failed: ${response.status} ${response.statusText} - ${text}`);
+        }
+        const json = (await response.json());
+        return json.result.signedToken;
+    }
+    catch (error) {
+        raknet_1.Logger.error(`Error while getting Multiplayer Session Token: ${error instanceof Error ? error.message : String(error)}`);
+        throw error;
+    }
+}
+async function getMultiplayerSessionTokenFromXsts(sessionTicket, publicKey) {
+    try {
+        const response = await fetch("https://authorization.franchise.minecraft-services.net/api/v1.0/session/start", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                device: {
+                    applicationType: "MinecraftPE",
+                    gameVersion: "1.21.130",
+                    id: "c1681ad3-415e-30cd-abd3-3b8f51e771d1",
+                    memory: String(8 * (1024 * 1024 * 1024)),
+                    platform: "Windows10",
+                    playFabTitleId: "20CA2",
+                    storePlatform: "uwp.store",
+                    type: "Windows10",
+                },
+                user: {
+                    token: sessionTicket,
+                    tokenType: "PlayFab",
+                },
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`Multiplayer session start failed: ${response.status} ${response.statusText} - ${text}`);
+        }
+        const json = (await response.json());
+        return json.result.authorizationHeader;
+    }
+    catch (error) {
+        raknet_1.Logger.error(`Error while getting Multiplayer Session Token: ${error instanceof Error ? error.message : String(error)}`);
+        throw error;
+    }
+}
 function extractProfile(jwt) {
     if (!jwt) {
         raknet_1.Logger.error("JWT is undefined or empty");

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "baltica",
   "description": "Library for Minecraft Bedrock Edition community developers.",
-  "version": "0.1.20",
+  "version": "0.1.23",
   "minecraft": "1.21.130",
   "main": "dist/index.js",
   "license": "MIT",
@@ -21,18 +21,21 @@
     }
   ],
   "dependencies": {
-    "@sanctumterra/raknet": "^1.4.8",
+    "@sanctumterra/raknet": "^1.4.11",
     "@serenityjs/binarystream": "^3.0.10",
     "@serenityjs/protocol": "^0.8.17",
-    "@xboxreplay/xboxlive-auth": "^5.1.0",
+    "fetch-socks": "^1.3.2",
     "jose": "^5.10.0",
     "prismarine-auth": "^2.7.0",
+    "undici": "^7.18.2",
     "uuid-1345": "^1.0.2"
   },
   "devDependencies": {
     "@biomejs/biome": "1.9.4",
-    "@types/node": "^22.19.6",
+    "@types/node": "^22.19.7",
+    "@types/pngjs": "^6.0.5",
     "@types/uuid-1345": "^0.99.25",
+    "pngjs": "^7.0.0",
     "typescript": "^5.9.3"
   }
-}
+}