FlexibleLogin [v0.17] for Sponge 7+ - Auth plugin - 2FA

games647 · 2015-08-05 13:08:20 UTC

FlexibleLogin

Security Notice: If you use a version 0.16.X version, update immediately to 0.16.5+ or disable the change password command. 0.16.X fixed this security bug. Older versions of 0.16.X are not affected.

Description

A Sponge minecraft server plugin for second authentication. It has a built-in
TOTP support.

Do you want to let your players protect their account (from hackers/login stealers) and keep playing while the session server is down. You can use this little plugin. You can protect your account with a password you choose or with a time based password created from a secret key, generated just for you.

Commands

https://github.com/games647/FlexibleLogin#commands

Permissions

https://github.com/games647/FlexibleLogin#permissions

Config

https://github.com/games647/FlexibleLogin#config

Links

Github - Source Code
Download
Please leave star on Github. Feel free to clone, fork or contribute to this repository.
This is a complete new project, so many features can be added.

Screenshots:

TOTP Key generation (/register)

Android App Google Authenticator (IOS App exists too)

You can see there a time generated code which can be used for the login process. (/login

)

Additionally it display your user account name and the server ip.

Changelog

github.com

games647/FlexibleLogin/blob/master/CHANGELOG.md

# Changelog

###### 0.18

* Build TOTP URLs with GoogleAuthenticator to expose server authenticator configuration
* Relocate mail packages, because they are ignored by LaunchWrapper (Related #125)
* Fix force register has nullable IP addresses (Fixes #124)
* Remove GriefPrevention version (Fixes #123)
* Add clear table command (Fixes #114)
* Always ignore empty database passwords (Fixes #122)
* Add AuthMe database schema support (Fixes #49)
* Add /flexiblelogin forcelogin subcommand.
* Add /l to /login command alias. (can be disabled with supportSomeChatPlugins=true)
* Add /fl to /flexiblelogin command alias.
* Add /cp to /changepassword command alias.
* Add /flexiblelogin accounts subcommand.

###### 0.17

* Add experimental permission protection to fix compatibility with NEB (Fixes #111)

This file has been truncated. show original

hmksq · 2015-08-05 21:26:41 UTC

Is this for cracked servers? ughhh

Tzk · 2015-08-05 21:44:29 UTC

as stated in his post: this is to be able to play while mojang Servers are down.

Anyways: i like the idea of a somewhat double authenticate. Even if you share an minecraft account your achievements cant get bricked.

Bod8 · 2015-08-06 06:33:04 UTC

This is a really nice plugin. Gj
But some type of password recovery is needed. Like:
- /unregister - deletes the given players account/password if it exists(only admin command)
- /forgotpassword - sends an email to the player containing his password. This sollution needs an other command setting players email

games647 · 2015-08-06 18:52:52 UTC

Both commands are implemented now.

Changelog:

github.com

games647/FlexibleLogin/blob/master/Changelog.md

#Changelog

####0.1

+ First release

#####0.1.1

* Fix thread-safety
* Fix logout on player quit (Security)

####0.2

+ Implement Password recovery
+ Added /forgotPassword command
+ Added /setEmail command
+ Added email column to the database
+ Added /unregister command for admins to delete user accounts
+ Added player messages if a command fails to execute

Frost_Fox_ · 2015-08-08 21:33:40 UTC

It would be great if instead of using a mysql DB, there was an option for using an identify service, like OpenID connect. Then users could login with their google account (or whatever openid they have)

mbaxter · 2015-08-09 18:45:29 UTC

You want to type your google account password into a minecraft server? ._.

Frost_Fox_ · 2015-08-09 19:08:19 UTC

Yes. Just like I type it into my phone, and countless other apps that use google authentication. Users will be encouraged to set up an app password for this server. I imagine that there are other use cases, but mine would be for a private Minecraft EDU server using Google Classroom. The desire is to use the same authentication system for the server that we use for the google apps stuff, and other online tools/systems that also use OpenID Connect.

I'm sure there are other ways to accomplish the same end (SSO for web, email, minecraft, forums, MOOC, etc).

NeumimTo · 2015-08-09 20:12:50 UTC

This sounds so great. I'm looking forward to give my credentials to every server owner using your plugin.

Frost_Fox_ · 2015-08-09 20:27:46 UTC

Very helpful response. Thanks so much for taking the time.

My thought is that 2-step auth with Google allows you to create a password per application (so one per server). The intent here is not to allow users to use their google login to authenticate, but to allow the server admin to verify their identify.

I get what you're snarkily alluding to, and recognize that it is less than ideal. Maybe you can offer a better idea or approach?

Moderator: As my initial question is being trolled, should I open a new topic elsewhere? I don't want to distract from the release of this nice plugin, or muddy this thread any further.

Tzk · 2015-08-09 20:45:05 UTC

If this is a concern for you: Just create another google account which you use to auth yourself.

mbaxter · 2015-08-09 20:50:43 UTC

Your phone is controlled by you, and the password doesn't get past the Google-controlled authentication mechanisms. This idea results in passing your password to a third party.

I don't see any trolling. No need for a new topic, either.

NeumimTo · 2015-08-09 21:53:04 UTC

If any server forces me to create another google account just to pass their authsystem i will simply go away. Its like an article i read awhile ago. If you have a webshop, which requires user registration to buy your stock around 40% of all users will search for aleternatives..

Tzk · 2015-08-09 21:59:00 UTC

That's not what i said. That was just a suggestion for you to bypass the problem of having to use your main google account for auth on a MC server.

i'd never use a google-only auth either.
But the option to do so is nice (i'd recommend having classic name+pw auth too).

FerusGrim · 2015-08-12 00:31:59 UTC

The problem isn't the idea with Google Authentication - it's pretty cool sounding on the surface, actually. The problem is that this isn't a website, or an easy-to-manipulate application.

When you use Google Authentication on websites, you're actually taken to the Google site to approve the applications access to your account. In Minecraft, however, you'd need to type your password in chat. That requires a lot of trust in the plugin and the plugin developer to not accidentally or maliciously release your password.

Not to mention the server owner, who could easily copy the source from such a plugin and simply have the password sent to their email, or saved in the logs, with the user none the wiser.

thomas15v · 2015-08-12 17:58:12 UTC

I suppose that the server has to be in offline mode for this to work? Idk if sponge supports changing authentication status.

games647 · 2015-08-13 12:40:20 UTC

The UUID will be different if you change the online mode. In offline mode the server will create a fake UUID (UUID.nameUUIDFromBytes(("OfflinePlayer:" + playerName).getBytes(Charsets.UTF_8))). So for example you will loose your inventory or permission group.

(Planning)
This plugin holds then the original (premium) UUID if the user registered before. On every premium/online mode login the plugin updates the username, so if the server goes into offline mode we can look up the account by the username instead of the UUID. Through the authentication process of this plugin, another plugin can be sure it's actual the same user and do the same.

Google Authentication

I think, you shouldn't type your actual Google password into a minecraft server. One possibility would be to send the user a link (e.g. this) to open it in a browser and send the response with a token instead of the password to the server. But then the user have to open the browser on every login process. Although you don't have to type in your account credentials every time if you are already logged in into Google (and have already registered), it's in my opinion a bad idea.

thomas15v · 2015-08-13 13:07:28 UTC

Yeah I know that, but I don't understand how you can prevent the server from kicking the player if the authentication fails. Unless sponge provides some kinda "PlayerAuthenticationEvent".

simon816 · 2015-08-13 13:12:16 UTC

There is a GameClientAuthEvent, however that is fired after authentication has been successful.
Note that it is also fired when the server is offline and authentication therefore automatically 'succeeds'.

Alfista · 2015-08-13 13:18:18 UTC

Hi,

can it be setup and used without use of any DB servers? I'm now testing it on my local compare and I doesn't have any DB system.
How can I set it to use it without the DB system?
Have you somewhere any Wiki or help for configuring the system?

Thanks.