Authentic - Bring authentication to your server

This is a discussion topic for the Ore project, Authentic. View the full project on Ore for downloads and more information.


Authentic

Authentic is an authentication plugin designed to allow players to register and login with a password. (such an originality!)

Getting started

After putting the .jar in the mods/ or plugins/ folder, start the server, it will certainly not work on the first launch as it is configured to use MySQL by default to avoid copying the default db if not needed. You can close the server after it is done starting.
After the first launch, the configuration file will be present at config/authentic/authentic.conf, you can edit it to select your MySQL database or to switch to H2 db.
You don’t have to do the first launch if you have already created a valid configuration file, it just needs the DB settings as specified in the Database part, the rest will be merged from the default configuration file.

Commands

It adds three commands:

  • /register, which allows the player to register to the server.
  • /login, which allows the player to login after being registered.
  • /logged, which allows the player to know if he is logged in or if another is logged in (in case he has doubts).

Database

Authentic can use either H2 or MySQL as database.
If H2 is used, the db will be saved at config/authentic/db.mv.db.
If MySQL is used, the admin will have to provide the credential in the configuration file (see Configuration).
It contains the hash field, which itself contains the player’s password hash (made using SHA-512).
This hash field accepts a base64 string.
It also contains the last timestamp the user was logged in and the last IP he was logged with.

The database stores a unique table which can be created using the following SQL script.

CREATE TABLE IF NOT EXISTS `authentic` (
	ID INTEGER AUTO_INCREMENT NOT NULL,
	USERNAME VARCHAR(16) NOT NULL, -- max length for mc username
	HASH VARCHAR(88) DEFAULT '' NOT NULL, -- max length for base64 SHA512 hashed string
	LASTIP VARCHAR(45) DEFAULT '' NOT NULL, --max length for a textual IPv6 address
	LASTLOG BIGINT DEFAULT 0 NOT NULL,
	PRIMARY KEY (ID),
	UNIQUE (USERNAME)
);

Migrations

1.4.2: IPv6 support

You will need to update the lastIP field in your database.
If you use H2 as your database engine, you might need an H2 db manager.

  • upward migration (MySQL):
ALTER TABLE `authentic` MODIFY `lastIP` VARCHAR(45) DEFAULT '' NOT NULL;
  • downward migration (MySQL):
ALTER TABLE `authentic` MODIFY `lastIP` VARCHAR(15) DEFAULT '' NOT NULL;

Configuration

The plugin can be configured through his configuration file.
The config file is located in config/authentic/ and is named authentic.conf.
It stores rules and L10n strings.

1. Rules

  • immobilizePlayers

    This rule allows to disable/enable the immobilization of the players at their arrival in the server.
    It accepts a boolean, and its default value is true.

  • allowRegister

    This rule indicates to set the command /register.
    If its value is set to false, no players will be allowed to register.
    It accepts a boolean, and its default value is true.

  • timeOutDelay

    This rule indicates how long to wait for the player to login,
    before getting kicked out.
    It accepts an integer, and its default value is 30.

  • minimumPwdSize:

    This rule indicates the minimum amount of ASCII character needed for passwords.
    It accepts an integer, and its default value is 6.

  • doKickOnWrongPwd:

    It indicates wether to kick the player or not when he provided a wrong password to /login.
    It accepts a boolen, and its default value is false.

  • logCacheDelay:

    It indicates the amount of time in seconds a player can wait before reconnecting with the same ip without /login.
    It accepts a long, and its default value is 30.

  • invulnerablePlayers:

    It indicates if non-logged players can take damages.
    It accpets a boolean, and its default value is true.

  • allowCommands:

    It indicates whether non-logged players can send commands.
    It accepts a boolean, and its default value is false.

  • allowDropItems:

    It indicates whether non-logged players can drop items.
    It accepts a boolean, and its default value is false.

2. Database

The database’s settings and credentials are in the “DB” node.
It contains 7 rules that allows the admin to select the desired database.

  • type: describes the database to use (H2 or MySQL).
    Its value can be either “H2” or “MYSQL”, all in uppercase.
    If H2 is selected, all the following fields are not required, and the db will be located in config/authentic/db.mv.db.

  • host: the server that hosts the database.
    It can be an IP address or a domain name.

  • port: the port used by the mysql service.
    By default it will be 3306.
    Except if you have to go through port-forwarding,
    this value shouldn’t be changed.

  • user: the username to authenticate with to the database.
    The user must be allowed to SELECT and INSERT.

  • pwd: the password that goes with the username.
    It can be "" if you don’t care about security.

  • database: the database to authenticate to in the server.

  • table: the table’s name that contains the structure described in Database.

3. Localization (L10n)

Allows to set the strings of the plugin, to change the language for instance.
All of the localization strings are put into the L10n node.

a. descriptions

It contains the strings for the three commands /login, /register and /logged.
When displayed, the command’s arguments are added before the description:

/login <password> - Here is the description...

The descriptions strings are under the descriptions node:

  • commandLoggedDesc: contains the description for the /logged command.
    its default value is "Get the player's logged status".
  • commandLoginDesc: contains the description for the /login command.
    its default value is "Allows to authenticate to the server".
  • commandRegisterDesc: contains the description for the /register command.
    its default value is "Allows to register or to change the password".

b. errors

Contains the strings displayed when an error happened.
The strings are stored under the errors node.

  • errorNotLogged: warns the player when he did /register without being logged.
    its default value is "You are not connected!\nYou need to be connected to change your password!".
  • errorUnableToLog: when someone (or something) tried to login but was unable to. its default value is: “You don’t seem to be able to login”`.
  • errorPwdTooShort: warns the player when he tried to set a password that was shorter thant the minimumPwdSize rule.
    its default value is: "You entered a password that was too short!\nThe minimum length is %s".
    the value of the minimumPwdSize rule is given through %s.
  • errorDB: warns the player when authentic tried to ran a request on the database, but went into an issue.
    its default value is: "An issue happened with the database, the command couldn't succeed.".
  • errorDBFile: shows up when the server has been unable to copy H2 db file on startup.
    its default value is: "Authentic couldn't create the database file".

c. server

Those strings are logs displayed in the server’s console.
They are under the server node.

  • init: message to display when the GameInitializationEvent have been emitted.
  • preInit: message for the GamePreInitializationEvent.
  • registeringCommand: the message to display when a command have been registered (the name of the command is passed through %s.
  • skipRegistration: the message to display when the /register command is skipped (following the allowRegisterrule).
  • dbPointsTo: shown at the end of preInit the jdbc uri.

d. user

Strings displayed because of a user action.
Stored under the user node.

logs node

The followings strings get the usernames through %s.

  • playerJoin: when a player joins.
  • playerQuit: when a player quits the game.
  • playerJustLogged: when a player logged in using /login.
  • playerJustRegistered: when a player registered using /register.
  • playerJustChangedPwd: when a player changed password using /register.
  • dbQuery: when the player’s data is fetched from the db.
  • dbSync: when the player’s data is sent to the db.
messages node
  • logStatusFalse: displayed when the player used /logged and wasn’t logged in.
  • logStatusTrue: displayed when the player used /logged or when he logged in using either /login or /register.
  • playerLogStatusFalse: displayed when a player asked the login status of another player who wasn’t logged in (username passed through %s).
  • playerLogStatusTrue: displayed when a player asked the login status of another player who was logged in (username passed through %s).
  • passwordSet: when the player changed his password.
  • timeOut: the kick message displayed to a player who didn’t logged in time.
  • warnNotLogged: when the player moved or attempted to interact without being able to (immobilizePlayer set to true).
  • welcomeLog: displayed to a player who just joined and has already registered.
  • welcomeReg: displayed to a player who just joined but hasn’t registered already.
  • welcomeAlreadyLog: displayed to a player who reconnected with the logged cache (see logCacheDelay rule)
  • wrongPassword: when a player attempted to login but gave the wrong password.

e. warnings

Messages displayed to warn the user.
Stored under warnings.

  • warnNotRegistered: when the player attempted to change his password without being logged in.
  • warnPwdDiff: when the player used /register but gave two different password.
2 Likes

A new version has been released for Authentic, it is available for download here.


Version 1.2.1

Changelog (Since v0.0.1)

  • added /login, /register and /logged commands
  • immobilization of the non-logged player
  • added config file
  • added config rule for:
    • enabling/disabling /register
    • setting the amount of time to wait before kicking out non-logged players
    • enabling/disabling non-logged players’s immobilization
  • player’s password are hashed and stored in the config file
  • added L10n support from the config file

Hello, I had test your plugin and it’s works!!! thank you :slight_smile:

Nice plugin, i use it on my server. Thank You

Can this version prevent one player from impersonating another through bold characters? For example, a player previously registered with the name Unknown. So, can other players register for a similar account called unknOwn? And how to prevent it.

I found a bug, i can type all command i want whent i am not logged, this is dangerous, please patch it.

great plugin!
but 1 thing missed i think… player still can be killed even if not authorized

Good plugin but a mistake is that changing the password with / register doesn’t work
In other words, the user is unable to log in because neither of his 2 passwords is useful.

Good plugin but a mistake is that changing the password with / register doesn’t work
In other words, the user is unable to log in because neither of his 2 passwords is useful.

May I ask which characters are allowed with the l10n part? I used some é,ñ and Spanish ones and it exploded, causing my whole server to crash :scream_cat:

Nice plugin nonetheless, with the move-while-not-logged option it fixed my players getting stuck in the nether portal :grin:

I found another problem
The problem would be that people can put commands and throw things from inventory
This is dangerous for servers that do not have a lobby.

I second Viper_XZ on that last reply, may the plugin block item usage/drop and chat input (commands and such) if they are not part of the plugin?

Thank you

Wow :open_mouth:!

Sorry for being so quiet, I didn’t notice you guys! :laughing:

Even if some time passed, i will answer to your comments, once again: sorry for the delay. :grin:

Nam_Vo: this should be possible, but i don’t know if it would be really useful (it will still be possible to impersonate using other characters), but it can still be a good idea, i keep it in mind for future updates.

Farmeur: indeed the player can use commands, i will add it in the next releases!

ArcherDante: i didn’t realize that! i will add it too.

Viper_XZ: Yes, the /register commands had a major bug in a release :sweat:, normally it should be fixed now. I think you already notice, but just in case…
Regarding the commands and the items, i keep it in mind for future releases, i don’t know when i will add this, but as soon as possible as i just finished mysql support.

Echoes: only ascii characters are allowed, apparently java’s strings supports utf16 (i didn’t know that, i’m to influenced by C :grin:). I understand it can be annoying for some players, so I will try to add unicode in the future.

Thank you all for your comments! That helped me a lot! :blush:

1 Like

My server crashes when I try to use it.

Hi @Matemarthur ! can you tell me what version you are using and give the server’s log (it should be logs/latest.log if the server crashed the last time you launched it)?

A new version has been released for Authentic, it is available for download here.


Version 1.4.1

Changelog

  • Non-logged players cannot send commands if allowCommands is set to false.
  • Non-logged players cannot drop items if allowDropItems is set to false.
  • Non-logged players cannot be killed if invulnerablePlayers is set to true.

A new version has been released for Authentic, it is available for download here.


Version 1.4.2

Changelog

  • Players are kicked when database is unavailable on login.
  • Player’s data is loaded from database on login.
  • Player’s data is synced on exit if database available (will be lost if not synced on server’s shutdown).

Bug fix

  • [Issue #2] Inventory interactions are now unallowed and prevent item deletion when closing inventory with item in hand.

Hello, I am currently using sponge 1.8.9 and I installed your plugin but now I can no longer run my server with it.
Can you help me please ?

I think this plugin is made for SpongeAPI 7 and the sponge you are using won’t be compatible with that

:confused: unfortunately, you can’t use authentic on 1.8.9 as it doesn’t support spongeAPI 7.1.0.