feat: Add Import/export login token patch #836

Draft
kitadai31 wants to merge 8 commits into crimera:dev from kitadai31:loginwithtoken

@kitadai31
Contributor

@kitadai31 kitadai31 commented Mar 11, 2026

Important: This patch does NOT fix the login attestation problem.

This will allow you to log in with a token exported from a device you're already logged in to.

This is useful in the following cases:

  • If you already have a device logged in and want to log in on another device
    • Especially, if one device is Android 14+ (Proton Pass method is available), but another device is Android 13 or below.
  • If you want to reinstall piko
  • If you want to log into a cloned APK
  • If you have a rooted device and want to log into another non-root device

Exported tokens can be imported from the login screen.

Also, I added the "Force remove account" setting.
It removes an account from the app without uninstalling the app, or logging out the session token.
It's necessary to remove an account without revoking a token that has been imported to other devices.

How it works

X for Android stores the tokens and information of the currently logged-in account in the Android system's AccountManager.
This information continues to work even if you clear the app data.
(This is also why X is still logged in even after clearing the app data.)
Therefore, you can restore this information and log in on other devices.

Videos

export.mp4
import.mp4

An example of exported JSON

{
  "username": "kitadai31",
  "token": "1190244536422785024-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "userdata": {
    "account_user_id": "1190244536422785024",
    "account_state": "ACTIVE",
    "account_field_version": "4",
    "account_user_type": "SWoGTk9STUFMWA==",
    "account_settings": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...",
    "account_user_info": (A long JSON text of user info),
    "account_can_access_x_payments": "MA==",
    "com.twitter.android.oauth.token.teamsContributeeUserId": "XXXXXXXXXXXXXXXX"
  }
}

TODOs before it's ready

  1. "Force remove account" sometimes doesn't work properly.
    The token is invalidated and the server is no longer accessible, but the automatic logout is not triggered. I'll address this in a later commit.
  2. Currently, a long document is embedded within the app's strings. It might be better to host it outside the app.
    Because piko strings are not translated into all languages, and the app's text is hard for users to translate themselves. OTOH, if it's on the Web, users can translate it with their browsers.
    Which is better? And when it comes to hosting outside, where should I place it? It can be the repository's /docs dir or the GitHub Wiki.
  3. Add a confirm dialog before removing an account
  4. Improve restart experience
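
Added example (not part of this pull request or the piko code base): since the exported JSON carries the account's token and secret, this Python helper masks those fields before a file is shared, for instance in a bug report, and checks that nothing sensitive survives. The field names come from the sample above; the allowlist, function names and sample values are assumptions made for the example.

```python
import json

# userdata keys left readable. Assumption for this example: identifiers and
# state flags only; every other userdata value is masked.
USERDATA_KEEP = {"account_user_id", "account_state", "account_field_version"}


def mask(value, keep_prefix=0):
    """Replace a value with X's of equal length, keeping an optional prefix."""
    text = value if isinstance(value, str) else json.dumps(value)
    return text[:keep_prefix] + "X" * (len(text) - keep_prefix)


def redact_export(export):
    """Return a copy of an exported-account dict with credential fields masked."""
    out = dict(export)
    if "token" in export:
        # Tokens on the page look like "<user id>-<random part>"; keep the id only.
        head, sep, _ = str(export["token"]).partition("-")
        keep = len(head) + 1 if sep and head.isdigit() else 0
        out["token"] = mask(export["token"], keep)
    if "secret" in export:
        out["secret"] = mask(export["secret"])
    if isinstance(export.get("userdata"), dict):
        out["userdata"] = {k: v if k in USERDATA_KEEP else mask(v)
                           for k, v in export["userdata"].items()}
    return out


def leaked_fields(original, redacted):
    """Names of sensitive fields whose original value survives in the output."""
    dumped = json.dumps(redacted)
    sensitive = {"token": original.get("token"), "secret": original.get("secret")}
    for key, value in (original.get("userdata") or {}).items():
        if key not in USERDATA_KEEP:
            sensitive["userdata." + key] = value
    return [name for name, value in sensitive.items()
            if value and json.dumps(value) in dumped]


# Constructed sample input (not a real account or token).
SAMPLE = {"username": "example_user", "token": "1234567890-abcDEF123456",
          "secret": "s3cr3tVALUEs3cr3t",
          "userdata": {"account_user_id": "1234567890", "account_state": "ACTIVE",
                       "account_field_version": "4", "account_settings": "c2V0dGluZ3M="}}

if __name__ == "__main__":
    safe = redact_export(SAMPLE)
    assert leaked_fields(SAMPLE, safe) == []
    print(json.dumps(safe, indent=2))
```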

@swakwork
Collaborator

swakwork commented Mar 11, 2026

At the login page, I feel the text could be something like "Login through token json" or "Login through token file" instead of "Import piko account".

Also, are there any expiration dates for the extracted token? If there are, please mention that as well.

@kitadai31
Contributor Author

> At the login page, I feel the text could be something like "Login through token json" or "Login through token file" instead of "Import piko account".

Changed to "Login through token json". Thank you.

> Also, are there any expiration dates for the extracted token? If there are, please mention that as well.

It appears there is no expiration date.
However, I haven't tested it over a long period of time.

@kitadai31
Contributor Author

kitadai31 commented Mar 21, 2026

Today I noticed that by putting my phone in airplane mode and then logging out, I could remove my account from the app without sending a logout request to the server. How stupid I was!

I think I'll leave the "Force remove" function as is for now.
It would be a shame to remove it since I've already implemented it, and having this settings page might prevent users from logging out without switching to airplane mode.
However, if you would like to keep the codebase or setting items clean, tell me and I'll remove it.

@swakwork
Collaborator

> Today I noticed that by putting my phone in airplane mode and then logging out, I could remove my account from the app without sending a logout request to the server. How stupid I was!

Does the app work that way, or does the one you designed work like that? If it's yours, why can't we check network status and then log out (
