The new launcher creates a random UUID which is stored as the clientToken in the launcher_profiles.json file. As far as I can tell there is no system in place to prevent two clients from generating the same UUID.
When two clients log in with the same UUID, the first client's session gets invalidated, preventing him from joining any servers. The error message displayed is:
Failed to login: Bad login
It should be possible to log in to multiple accounts with the same UUID or there needs to be a system to prevent collision. (There are some pieces of code in the launcher suggesting that such a system is in the works.)
Steps to reproduce:
1. Start client 1 on computer 1
2. Log in on client 1 using account 1 (don't use the auto-login feature)
3. Copy the generated launcher_profiles.json from computer 1 to computer 2
4. Start client 2 on computer 2
5. Log in on client 2 using account 2
6. Join a server with client 1
(This also works by just starting two client instances on the same computer, they will inevitably share a launcher_profiles.json file and therefore the UUID.)
Comments 2
As we discussed on IRC, the real issue here is that only access tokens of the same account should be invalidated when logging in with an identical client token. According to my testing this is however not the case.
Steps to reproduce
Login as sadimusi
curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"123","username":"[email protected]", "password": "*****"}' -H "Content-Type: application/json"
{"accessToken":"5abf8027e9e549af9c1d551d21f9c559","clientToken":"123"}
Login as D0L4
curl https://authserver.mojang.com/authenticate --data-binary '{"clientToken":"123","username":"D0L4", "password": "*****"}' -H "Content-Type: application/json"
{"accessToken":"4b6205354c5a4903a6c16c5b38d5d79a","clientToken":"123"}
Validate D0L4's access token
curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "4b6205354c5a4903a6c16c5b38d5d79a"}' -H "Content-Type: application/json"
Validate sadimusi's access token
curl https://authserver.mojang.com/validate --data-binary '{"accessToken": "5abf8027e9e549af9c1d551d21f9c559"}' -H "Content-Type: application/json"
{"errorMessage":"Invalid token","error":"ForbiddenOperationException"}
Few things here:
1. Client tokens are random UUIDs. There may be conflicts, sure, but it's incredibly unlikely & it won't matter unless two clients generate the same token and will end up logging in as the same account (virtually impossible under normal conditions).
2. The system is designed in a way where only one valid access token is valid per client token & account combination. If you log into the same account with the same client token, the second access token invalidates the first. This is intended.
3. You really shouldn't copy client tokens over, for the reasons described above.
4. When you're starting the client on the second computer, you're invalidating the tokens that were stored on the first computer. So of course it's going to get logged out 🙂
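The two invalidation policies discussed in this thread, as an added example that is not Mojang's code or part of the original report: a toy in-memory session store that replays the sequence from the curl transcript under each policy. The class and function names, the account labels and the omission of password checking are assumptions made for illustration.

```python
import uuid


class TokenStore:
    """Toy auth-server session store (constructed model, hypothetical names)."""

    def __init__(self, scope_by_account):
        # scope_by_account=True : one live access token per (clientToken, account),
        #                         the design described in point 2 of the reply.
        # scope_by_account=False: one live access token per clientToken alone,
        #                         which matches what the curl transcript shows.
        self.scope_by_account = scope_by_account
        self._live = {}  # scope key -> currently valid access token

    def _key(self, client_token, account):
        return (client_token, account) if self.scope_by_account else (client_token,)

    def authenticate(self, client_token, account):
        # A new login overwrites (invalidates) the token stored under the same key.
        access_token = uuid.uuid4().hex
        self._live[self._key(client_token, account)] = access_token
        return access_token

    def validate(self, access_token):
        return access_token in self._live.values()


def replay(scope_by_account):
    """Two accounts log in with the same clientToken "123", then one re-logs in."""
    store = TokenStore(scope_by_account)
    first = store.authenticate("123", "account-1")    # constructed account label
    second = store.authenticate("123", "account-2")   # constructed account label
    relogin = store.authenticate("123", "account-2")  # same account, same client
    return {
        "account1_token_valid": store.validate(first),
        "account2_old_token_valid": store.validate(second),
        "account2_new_token_valid": store.validate(relogin),
    }


if __name__ == "__main__":
    print("keyed by (clientToken, account):", replay(True))
    print("keyed by clientToken only:      ", replay(False))
```

Under the per-account key, account 1's token survives account 2's login and only account 2's own older token is replaced; under the clientToken-only key, account 1's token is invalidated by an unrelated account, which is the behaviour the report describes.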