FlexibleLogin [v0.17] for Sponge 7+ - Auth plugin - 2FA

Hi, nice plugin. But does this plugin support the DoubleSaltedMD5:Salted2MD5 method to verify passwords? (like the one that authme does) Thank you!

FlexibleLogin currently only supports BCrypt and time-based passwords (TOTP).

MD5 is pretty insecure nowadays.

I need the player's online/offline status in the DB after /login or after they leave,
and I need a config option for the use of /register, because I need players to register on the webpage only,
and a delay time before kicking a player who is AFK before /login.
Can you help me?

Can’t you just check if the player is online?

Yes, I could implement that.

I know that it is mainly focussed on cracked servers. But I would like to give my admins a bit of extra protection on my premium server, so that if in any case their account gets hacked, the hacker can’t damage my server using that account. Could you add a permission and a configuration option that, if it is true, accepts the permissions and requires only the ones with the permission to register and requires them to log in every time they join?

PS: and a function to have the players teleport on join to a certain location.

Added

It’s not mainly focussed on cracked servers. The thought was really to add a second-auth system like GitHub has.
So I added TOTP (Time-based One-time Password), which is in my opinion not a good user experience for normal users, because you’ll need to open the APP on your phone every time. FlexibleLogin also has, in the latest version, a command-only protection for important commands like /op or /pex.

If I understand it correctly, you mean a protection for users who only have this permission. Is that correct?

I’ll implement that.

I think that TOTP in combination with email is a better way to use TOTP.
It is not as secure as using an app or SMS.
But players would not have to install an external app that could be malicious, server owners don’t have to pay for an Apple developer account just to host one app, and server owners don’t have to pay for SMS costs.
TOTP with email is easier to use.
Especially because every owner of a premium account and almost every user of the internet already has an email address. And for server owners it’s easier to maintain.

Yes, exactly that, that only the group/user with that permission is forced to register and to login every time they join since.

I didn’t know that it was possible to protect commands :D.
That’s a really cool feature and is certainly useful.
I’m going to use it in combination with PEX and CommandKits.
Its main function is to allow normal players to see when a staff member is able to use their special permissions (using a slightly different prefix and a broadcast).
It is a great improvement in security and fairness.

Thanks :smiley:

Google Authenticator from the official Apple or Google app store?

You don’t need to create an APP yourself. There are already some APPs out there. I created a small list:

Google Authenticator

Duo Mobile

Authy

Microsoft Authenticator

That’s a good point. I might implement that as well.

Okay, it’s added.

Well, I didn’t know that these TOTP authenticators exist.

But thank you. I really appreciate that you implemented it.

I’ve just a question about this plugin. If I want to allow unpaid Minecraft accounts to join my server, everybody will have to log in to join the server. But permissions are made on uuid. So is it still possible to let them join the server, even with this security login plugin? Because when I add a player to a group, I add it with his name, not with his uuid. Even if permission-ex links the username with the uuid.

On offline mode servers the uuid is generated based on the player name. So you’ll have the same permissions if you don’t change your name (including same case). I don’t know how PEX works exactly, but I’m assuming that it will access the uuid cache from the server. This means that the player has to be online at least once.
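As an added example (not part of the original post and not FlexibleLogin's code): the offline-mode UUID derivation mentioned above, using the vanilla server's scheme of a version 3 UUID over the bytes of `"OfflinePlayer:" + name`. The `case_variants` helper is hypothetical and the sample names are constructed; it flags name-keyed permission entries that differ only by case, since each maps to a separate identity.

```python
import hashlib
import uuid
from collections import defaultdict


def offline_uuid(name: str) -> uuid.UUID:
    """Offline-mode UUID: MD5 over "OfflinePlayer:<name>", marked as version 3.

    Mirrors Java's UUID.nameUUIDFromBytes, which hashes the raw bytes
    without a namespace UUID (so uuid.uuid3 cannot be used directly).
    """
    data = ("OfflinePlayer:" + name).encode("utf-8")
    digest = hashlib.md5(data, usedforsecurity=False).digest()
    # version=3 overwrites the version nibble and sets the RFC 4122 variant bits
    return uuid.UUID(bytes=digest, version=3)


def case_variants(names):
    """Group names that match case-insensitively but yield different UUIDs."""
    groups = defaultdict(dict)
    for name in names:
        groups[name.lower()][name] = offline_uuid(name)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample: names as they might appear in a name-keyed group file
SAMPLE_GROUP_MEMBERS = ["Bob", "bob", "Ted", "Josh"]

if __name__ == "__main__":
    for name in SAMPLE_GROUP_MEMBERS:
        print(f"{name:6} -> {offline_uuid(name)}")
    for key, ids in case_variants(SAMPLE_GROUP_MEMBERS).items():
        print(f"case variants of '{key}' are distinct identities: {sorted(ids)}")
```

Because the UUID depends only on the chosen name, an offline-mode server has no proof of who is behind it, which is the gap the login step fills.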

Could you add the ability to set your username as you log on?

It would be rather helpful… Setting a nickname doesn’t allow the use of commands through the displayname, so it would make things a lot easier.

Also; when using this plugin, I occasionally have people getting an error “Login Timeout” when connecting to the server, which then boots them.

Wut do?

Found the problem.

The default unit of time is milliseconds, thus I believe it was allowing users 0.06 seconds to authenticate. Disable or raise the time before disconnection in the config file, if you’re having this issue.

You mean with a mod?

I made a mistake. Here is the fix commit.

I mean as a feature of this plugin.

I don’t actually know the capabilities or limitations of Sponge, so I’m not sure if it’s possible… But it would be a nice feature.

If you don’t understand what I mean, then maybe I can sort of describe it…
Say I log onto an offline server and my username is Bob.
I would prefer my username to be Ted. I would then either use some command like “/username Ted” or “/login Ted ” in order to accomplish my goal.

I seem to remember that this was available with some Bukkit plugin, but I’m unsure if the same thing could be accomplished with Sponge.

Anyway, thanks for discussing it with me. ‘u’

To clarify, I would hope that this username change could allow, say, two people to log into the same server with the same username, I.E. both people are logged into a Minecraft account with the username Bob, and then one player could change their username to Ted, and the other to Josh, then the two would be accessing separate player data files.

0.51 Tested on SpongeForge V.?

As far as I know this is only possible with NMS changes.

I don’t think so, because you can already switch between accounts from the Minecraft launcher (“Switch user” button). Moreover, it would break a lot of things like UUID or inventories.

3.1

After updating the plugin, it seems to be broken. Players cannot connect; they get “Login timeout” and the server gets errors. Problems went away after removing the plugin.
Edit: Never mind, found new version (0.5.1) that fixed it.