This repository has been archived by the owner on Dec 10, 2019. It is now read-only.

Add support for mirrors #30

Open: wants to merge 1 commit into base: master

raftario
Member

If an error occurs while retrieving the mod list from BeatMods, the installer will try every mirror until one works or none are left. Only then will it close itself, instead of on the first failed attempt.
The mods are downloaded from the same place as the mod list to ensure no conflicts occur.

I plan on creating a node module for easily creating mirrors and verifying their integrity, probably next week.

@megalon
Member

megalon commented Apr 13, 2019

Only mods that have passed the approval process are listed as "approved" on BeatMods, and are then available in the installer.
The approval process involves decompiling any DLLs included in the release, verifying that all of the code is non-malicious, then testing that the plugin works properly.

If we can't verify that the exact same approved files are being downloaded from one of the mirrors, then it would undermine the whole approval process.

This PR will likely not get accepted.

@raftario
Member Author

What about GPG signing the approved mods and checking the signature with the installer? That would increase the security even more and permit the use of mirrors.

@megalon
Member

megalon commented Apr 20, 2019

That could work, but the developer of BeatMods is fairly busy, so unless someone else adds that functionality into BeatMods, this likely won't happen.

You are welcome to make a feature request on the BeatMods repo, or possibly try to implement the feature yourself if you are interested.
https://github.com/beat-saber-modding-group/BeatMods-Website/issues

@raftario
Member Author

Implementing it server side will be fairly easy using openpgp; I just need to find a way to verify signatures client side.
I'll look into that.

@raftario
Member Author

Server side implementation is almost done.

@raftario
Member Author

Server side done.
I've found a way to check signatures client side, working on that.
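
Added example, not part of the thread and not code from this PR, the installer or BeatMods: a sketch of the installer-side check the conversation converges on, where a file from any mirror is accepted only if its signature verifies under a key pinned in the installer. It assumes Node's built-in Ed25519 signatures in place of the OpenPGP signatures proposed above; the function names, mod name, versions, source ids and file bytes are all constructed for illustration.

```javascript
const { generateKeyPairSync, createHash, sign, verify } = require('crypto');

// What the approver signs: mod identity plus file digest, so a mirror cannot
// pass off a different (validly signed) mod or an older version under this name.
function signedMessage(name, version, file) {
  const digest = createHash('sha256').update(file).digest('hex');
  return Buffer.from(`${name}@${version}\n${digest}\n`);
}

// Approval side: only the holder of the private key can produce this.
function approve(privateKey, name, version, file) {
  return sign(null, signedMessage(name, version, file), privateKey);
}

// Installer side: try each source in order and accept the first file whose
// signature verifies under the pinned public key. Unreachable sources and
// failed verifications are both skipped and recorded.
function downloadVerified(sources, publicKey, name, version) {
  const rejected = [];
  for (const src of sources) {
    try {
      const { file, signature } = src.fetch(name, version);
      if (verify(null, signedMessage(name, version, file), publicKey, signature)) {
        return { source: src.id, file, rejected };
      }
      rejected.push(`${src.id}: bad signature`);
    } catch (err) {
      rejected.push(`${src.id}: ${err.message}`);
    }
  }
  throw new Error(`no verified copy of ${name}@${version}: ${rejected.join('; ')}`);
}

// Constructed demo data: one approved release and one older signed release.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const approved = Buffer.from('approved plugin bytes');
const signature = approve(privateKey, 'ExampleMod', '1.0.0', approved);
const oldFile = Buffer.from('older approved bytes');
const oldSig = approve(privateKey, 'ExampleMod', '0.9.0', oldFile);

const sources = [
  { id: 'origin', fetch() { throw new Error('unreachable'); } },
  { id: 'mirror-a', fetch: () => ({ file: Buffer.from('tampered bytes'), signature }) },
  { id: 'mirror-b', fetch: () => ({ file: oldFile, signature: oldSig }) },
  { id: 'mirror-c', fetch: () => ({ file: approved, signature }) },
];
const result = downloadVerified(sources, publicKey, 'ExampleMod', '1.0.0');
console.log(result.source, result.rejected);
```

Because the signed message includes the name and version, `mirror-b` is rejected even though its file carries a genuine signature from the approver.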
