Merge pull request #46586 from elitak/factorio
factorio: download using token, not password
This commit is contained in:
commit
9fee74d616
@ -3,8 +3,8 @@
|
||||
, factorio-utils
|
||||
, releaseType
|
||||
, mods ? []
|
||||
, username ? "" , password ? ""
|
||||
, experimental ? false
|
||||
, username ? "", token ? "" # get/reset token at https://factorio.com/profile
|
||||
, experimental ? false # true means to always use the latest branch
|
||||
}:
|
||||
|
||||
assert releaseType == "alpha"
|
||||
@ -13,59 +13,103 @@ assert releaseType == "alpha"
|
||||
|
||||
let
|
||||
|
||||
# NB If you nix-prefetch-url any of these, be sure to add a --name arg,
|
||||
# where the ultimate "_" (before the version) is changed to a "-".
|
||||
helpMsg = ''
|
||||
|
||||
===FETCH FAILED===
|
||||
Please ensure you have set the username and token with config.nix, or
|
||||
/etc/nix/nixpkgs-config.nix if on NixOS.
|
||||
|
||||
Your token can be seen at https://factorio.com/profile (after logging in). It is
|
||||
not as sensitive as your password, but should still be safeguarded. There is a
|
||||
link on that page to revoke/invalidate the token, if you believe it has been
|
||||
leaked or wish to take precautions.
|
||||
|
||||
Example:
|
||||
{
|
||||
packageOverrides = pkgs: {
|
||||
factorio = pkgs.factorio.override {
|
||||
username = "FactorioPlayer1654";
|
||||
token = "d5ad5a8971267c895c0da598688761";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Alternatively, instead of providing the username+token, you may manually
|
||||
download the release through https://factorio.com/download , then add it to
|
||||
the store using e.g.:
|
||||
|
||||
releaseType=alpha
|
||||
version=0.16.51
|
||||
nix-prefetch-url file://$HOME/Downloads/factorio_\''${releaseType}_x64_\''${version}.tar.xz --name factorio_\''${releaseType}_x64-\''${version}.tar.xz
|
||||
|
||||
Note the ultimate "_" is replaced with "-" in the --name arg!
|
||||
'';
|
||||
|
||||
branch = if experimental then "experimental" else "stable";
|
||||
|
||||
# NB `experimental` directs us to take the latest build, regardless of its branch;
|
||||
# hence the (stable, experimental) pairs may sometimes refer to the same distributable.
|
||||
binDists = {
|
||||
x86_64-linux = let bdist = bdistForArch { inUrl = "linux64"; inTar = "x64"; }; in {
|
||||
alpha = {
|
||||
stable = bdist { sha256 = "0b4hbpdcrh5hgip9q5dkmw22p66lcdhnr0kmb0w5dw6yi7fnxxh0"; fetcher = authenticatedFetch; };
|
||||
experimental = bdist { sha256 = "1qwfivl5wf0ii8c4prdl4yili23qimsh2cj874r37q3ygpjk3bd3"; version = "0.16.50"; fetcher = authenticatedFetch; };
|
||||
stable = bdist { sha256 = "0b4hbpdcrh5hgip9q5dkmw22p66lcdhnr0kmb0w5dw6yi7fnxxh0"; version = "0.16.51"; withAuth = true; };
|
||||
experimental = bdist { sha256 = "0b4hbpdcrh5hgip9q5dkmw22p66lcdhnr0kmb0w5dw6yi7fnxxh0"; version = "0.16.51"; withAuth = true; };
|
||||
};
|
||||
headless = {
|
||||
stable = bdist { sha256 = "0zrnpg2js0ysvx9y50h3gajldk16mv02dvrwnkazh5kzr1d9zc3c"; };
|
||||
experimental = bdist { sha256 = "00691kr85p58qpxf3889p20nrgsvsyspx3c8yd11dkg46wly06z1"; version = "0.16.50"; };
|
||||
stable = bdist { sha256 = "0zrnpg2js0ysvx9y50h3gajldk16mv02dvrwnkazh5kzr1d9zc3c"; version = "0.16.51"; };
|
||||
experimental = bdist { sha256 = "0zrnpg2js0ysvx9y50h3gajldk16mv02dvrwnkazh5kzr1d9zc3c"; version = "0.16.51"; };
|
||||
};
|
||||
demo = {
|
||||
stable = bdist { sha256 = "0zf61z8937yd8pyrjrqdjgd0rjl7snwrm3xw86vv7s7p835san6a"; version = "0.16.51"; };
|
||||
experimental = bdist { };
|
||||
};
|
||||
};
|
||||
i686-linux = let bdist = bdistForArch { inUrl = "linux32"; inTar = "i386"; }; in {
|
||||
alpha = {
|
||||
stable = bdist { sha256 = "0nnfkxxqnywx1z05xnndgh71gp4izmwdk026nnjih74m2k5j086l"; version = "0.14.23"; nameMut = asGz; };
|
||||
experimental = bdist { };
|
||||
};
|
||||
headless = {
|
||||
stable = bdist { };
|
||||
experimental = bdist { };
|
||||
};
|
||||
demo = {
|
||||
stable = bdist { };
|
||||
experimental = bdist { };
|
||||
stable = bdist { sha256 = "0nnfkxxqnywx1z05xnndgh71gp4izmwdk026nnjih74m2k5j086l"; version = "0.14.23"; withAuth = true; nameMut = asGz; };
|
||||
};
|
||||
};
|
||||
};
|
||||
actual = binDists.${stdenv.hostPlatform.system}.${releaseType}.${branch} or (throw "Factorio: unsupported platform");
|
||||
|
||||
bdistForArch = arch: { sha256 ? null
|
||||
, version ? "0.16.51"
|
||||
, fetcher ? fetchurl
|
||||
actual = binDists.${stdenv.hostPlatform.system}.${releaseType}.${branch} or (throw "Factorio ${releaseType}-${branch} binaries for ${stdenv.hostPlatform.system} are not available for download.");
|
||||
|
||||
bdistForArch = arch: { version
|
||||
, sha256
|
||||
, withAuth ? false
|
||||
, nameMut ? x: x
|
||||
}:
|
||||
if sha256 == null then
|
||||
throw "Factorio ${releaseType}-${arch.inTar} binaries are not (and were never?) available to download"
|
||||
else {
|
||||
let
|
||||
url = "https://factorio.com/get-download/${version}/${releaseType}/${arch.inUrl}";
|
||||
name = nameMut "factorio_${releaseType}_${arch.inTar}-${version}.tar.xz";
|
||||
in {
|
||||
inherit version arch;
|
||||
src = fetcher {
|
||||
inherit sha256;
|
||||
url = "https://www.factorio.com/get-download/${version}/${releaseType}/${arch.inUrl}";
|
||||
name = nameMut "factorio_${releaseType}_${arch.inTar}-${version}.tar.xz";
|
||||
};
|
||||
src =
|
||||
if withAuth then
|
||||
(stdenv.lib.overrideDerivation
|
||||
(fetchurl {
|
||||
inherit name url sha256;
|
||||
curlOpts = [
|
||||
"--get"
|
||||
"--data-urlencode" "username@username"
|
||||
"--data-urlencode" "token@token"
|
||||
];
|
||||
})
|
||||
(_: { # This preHook hides the credentials from /proc
|
||||
preHook = ''
|
||||
echo -n "${username}" >username
|
||||
echo -n "${token}" >token
|
||||
'';
|
||||
failureHook = ''
|
||||
cat <<EOF
|
||||
${helpMsg}
|
||||
EOF
|
||||
'';
|
||||
})
|
||||
)
|
||||
else
|
||||
fetchurl { inherit name url sha256; };
|
||||
};
|
||||
authenticatedFetch = callPackage ./fetch.nix { inherit username password; };
|
||||
asGz = builtins.replaceStrings [".xz"] [".gz"];
|
||||
|
||||
asGz = builtins.replaceStrings [".xz"] [".gz"];
|
||||
|
||||
configBaseCfg = ''
|
||||
use-system-read-write-data-directories=false
|
||||
|
@ -1,33 +0,0 @@
|
||||
{ stdenv, curl, xidel, cacert
|
||||
# Begin download parameters
|
||||
, username ? ""
|
||||
, password ? ""
|
||||
}:
|
||||
|
||||
{
|
||||
# URL to fetch.
|
||||
url ? ""
|
||||
|
||||
, name ? "factorio.tar.gz"
|
||||
|
||||
# Login URL.
|
||||
, loginUrl ? "https://www.factorio.com/login"
|
||||
|
||||
# SHA256 of the fetched URL.
|
||||
, sha256 ? ""
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
nativeBuildInputs = [ curl xidel ];
|
||||
|
||||
inherit name url loginUrl username password cacert;
|
||||
|
||||
builder = ./fetch.sh;
|
||||
|
||||
outputHashAlgo = "sha256";
|
||||
outputHash = sha256;
|
||||
outputHashMode = "flat";
|
||||
|
||||
# There's no point in downloading remotely, we'd just slow things down.
|
||||
preferLocalBuild = true;
|
||||
}
|
@ -1,55 +0,0 @@
|
||||
source $stdenv/setup
|
||||
|
||||
# Curl flags to increase reliability a bit.
|
||||
#
|
||||
# Can't use fetchurl, for several reasons. One is that we definitely
|
||||
# don't want --insecure for the login, though we need it for the
|
||||
# download as their download cert isn't in the standard linux bundle.
|
||||
curl="curl \
|
||||
--max-redirs 20 \
|
||||
--retry 3 \
|
||||
--cacert $cacert/etc/ssl/certs/ca-bundle.crt \
|
||||
-b cookies \
|
||||
-c cookies \
|
||||
$curlOpts \
|
||||
$NIX_CURL_FLAGS"
|
||||
|
||||
# We don't want the password to be on any program's argv, as it may be
|
||||
# visible in /proc. Writing it to file with echo should be safe, since
|
||||
# it's a shell builtin.
|
||||
echo -n "$password" > password
|
||||
# Might as well hide the username as well.
|
||||
echo -n "$username" > username
|
||||
|
||||
# Get a CSRF token.
|
||||
csrf=$($curl $loginUrl | xidel - -e '//input[@id="csrf_token"]/@value')
|
||||
|
||||
# Log in. We don't especially care about the result, but let's check if login failed.
|
||||
$curl --data-urlencode csrf_token="$csrf" \
|
||||
--data-urlencode username_or_email@username \
|
||||
--data-urlencode password@password \
|
||||
-d action=Login \
|
||||
$loginUrl -D headers > /dev/null
|
||||
|
||||
if grep -q 'Location: https://' headers; then
|
||||
# Now download. We need --insecure for this, but the sha256 should cover us.
|
||||
$curl --insecure --location --fail $url > $out || { echo "Login succeeded, but subsequent fetch failed."; exit 1; }
|
||||
set +x
|
||||
else
|
||||
set +x
|
||||
echo 'Login failed'
|
||||
echo 'Please set username and password with config.nix,'
|
||||
echo 'or /etc/nix/nixpkgs-config.nix if on NixOS.'
|
||||
echo
|
||||
echo 'Example:'
|
||||
echo '{'
|
||||
echo ' packageOverrides = pkgs: rec {'
|
||||
echo ' factorio = pkgs.factorio.override {'
|
||||
echo ' username = "<username or email address>";'
|
||||
echo ' password = "<password>";'
|
||||
echo ' };'
|
||||
echo ' };'
|
||||
echo '}'
|
||||
|
||||
exit 1
|
||||
fi
|
Loading…
Reference in New Issue
Block a user