FlexibleLogin [v0.17] for Sponge 7+ - Auth plugin - 2FA


Theoretically, the "only" thing to be done is to save the whole inventory per UUID, and remove any items of an unregistered/not logged in player in his inventory, when joining the server. On login then give him back those items.
Don't know how hard it would be to save and load the inventory. Giving and taking items however is possible with commands even for offline players, therefore it should work.
This method ensures, that no item dropping, item cloning, or just seeing the inventory of other players is ever possible. Would be nice.

Also it would tie together with the theoretically possible way of allowing not logged in players to do certain things. Explained below.

Hm. How do you implement, that they can't walk, interact or use certain commands, before logged in? For example before logged in I should of course have no Admin rights, but if I logged in with the right account then I should have them.
The same should apply to all other permissions someone has linked to any account.

Maybe there don't have to be explicit permissions, but the possibility to drop unregistered /not logged in players in certain permission groups and the possibility to then allow interaction with the world.
For example if I could set in the config, that not logged in people are in Group Unregistered, then I can set certain permissions for Unregistered, like the ability to /sendmodmessage message or to run around, but not doing anything else, like dropping items, picking up items, or interacting with anything.
If they login, they are automatically dropped in group Default or if they are already in another group like Mod, or Admin, they are of course dropped in those groups.

Overall the possibility to allow certaing things, even when not logged in. That way I as server owner, could for example say, that they may walk around to admire the cool world. And to send private messages to friends (if I had a friends plugin) or Mods. Maybe with modifyworld, they are even allowed to use certain blocks.

If I now also had the feature with the empty inventory that gets loaded with the items on logg in, then they could do things as unregistered player, but the logged in real player is ensured to have his inventory.

On login the position and inventory is reset to the situation, where last logging out. Only if the player ran around when not logged in and logged in in the same session, then the position can be set to the position when logging in.

That way a real player is not reset, when logging in, but is ensured to not end up in a lava pool if someone else moved there as unregistered player with the same UUID.

Hm, yea I thought there could be a command /sendmodmessage message, that allows unregistered/not logged in players to contact someone in case, they have a problem. For example they could see an error message or they forgot their password and their e-mail account is no longer active or other things, so they could talk to someone.
Overall however, they should not be seen by other players in the chat, as that could lead to unregistered player spam.
Maybe there doesn't ave to be a /sendmodmessage command, but the player is only seen by Mods chatting, when not logged in.

Yea, yea no problem. I like your plugin so far. :smile:


Update!a good plugin!


Thanks. Update is uploaded now.


Is this plugin outdated?


Google Authentication

I think, you shouldn't type your actual Google password into a minecraft server. One possibility would be to send the user a link (e.g. this4) to open it in a browser and send the response with a token instead of the password to the server. But then the user have to open the browser on every login process. Although you don't have to type in your account credentials every time if you are already logged in into Google (and have already registered), it's in my opinion a bad idea.

This is precisely what I want to do. My particular use case is a private server, for a classroom of kids. The desire is to use the google apps domain login to limit users to those that have an account on our google apps domain.

The other approach that came to mind is doing this outside of minecraft entirely, and having a web front end that allows the user to associate their minecraft.net account with their google apps account (after authenticating via google) and updates the whitelist.


There's no way to "associate" the minecraft account without you collecting your users' mojang email/password, and that's sketchy. I'm a fan of this concept, that isn't really implemented anywhere as far as I know:

  1. User logs in to website with Google account, provided with unique hostname (eg. verify-d7a88.myserver.com)
  2. User connects to above hostname, which is really just a fake minecraft server which links whatever account first connects with that hostname (clients send the hostname they connected to) to the Google account.
  3. User is now able to join the actual server (eg. myserver.com)


There's no way to "associate" the minecraft account without you collecting your users' mojang email/password, and that's sketchy. I'm a fan of this concept, that isn't really implemented anywhere as far as I know:

Why not?

  1. Log in using Google OpenID/SSO, google token returned
  2. Ask user for minecraft ID, redirect to minecraft.net SSO
  3. minecraft.net token returned
  4. Put an entry in the whitelist to allow minecraft ID


Unless I'm mistaken, reading your mojang SSO token (edit: if that was even possible) lets you do all sorts of stuff to the account, as if you were on mojang sites. I don't really want servers to buy yearly Realms subscriptions for me.

Would be nice if mojang offered a proper application authorization token system like google or github. I might actually poke the powers that be about it. DOA


it good.
i need hidden inventory and hashing user passwords by MD5 same Authme in new ver.


Why do you want MD5 passwords?


i need cover form olddb


I got some Error when I try to register by using TOTP.
The configure is default but change hashAlgo to totp.
And the version of FlexibleLogin is 0.2.6
the error log in the console is:

[19:23:19] [Server thread/ERROR] [Sponge]: Error occurred while executing command 'register' for source EntityPlayerMP['jiangming1399'/174, l='world', x=-20.00, y=76.00, z=-5.00]: org.spongepowered.api.service.scheduler.SchedulerService.createTaskBuilder()Lorg/spongepowered/api/service/scheduler/Task$Builder;
java.lang.NoSuchMethodError: org.spongepowered.api.service.scheduler.SchedulerService.createTaskBuilder()Lorg/spongepowered/api/service/scheduler/Task$Builder;
at com.github.games647.flexiblelogin.commands.RegisterCommand.startTask(RegisterCommand.java:60) ~[RegisterCommand.class:?]
at com.github.games647.flexiblelogin.commands.RegisterCommand.execute(RegisterCommand.java:37) ~[RegisterCommand.class:?]
at org.spongepowered.api.util.command.spec.CommandSpec.process(CommandSpec.java:334) ~[CommandSpec.class:1.8-1561-2.1-DEV-808]
at org.spongepowered.api.util.command.dispatcher.SimpleDispatcher.process(SimpleDispatcher.java:340) ~[SimpleDispatcher.class:1.8-1561-2.1-DEV-808]
at org.spongepowered.api.service.command.SimpleCommandService.process(SimpleCommandService.java:250) [SimpleCommandService.class:1.8-1561-2.1-DEV-808]
at net.minecraft.command.ServerCommandManager.func_71556_a(SourceFile:80) [cl.class:?]
at net.minecraft.network.NetHandlerPlayServer.func_147361_d(NetHandlerPlayServer.java:812) [rj.class:?]
at net.minecraft.network.NetHandlerPlayServer.func_147354_a(NetHandlerPlayServer.java:791) [rj.class:?]
at net.minecraft.network.play.client.C01PacketChatMessage.func_180757_a(SourceFile:37) [lu.class:?]
at net.minecraft.network.play.client.C01PacketChatMessage.func_148833_a(SourceFile:9) [lu.class:?]
at net.minecraft.network.PacketThreadUtil$1.onProcessPacket(SourceFile:59) [ih.class:?]
at net.minecraft.network.PacketThreadUtil$1.run(SourceFile:13) [ih.class:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_65]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_65]
at net.minecraftforge.fml.common.FMLCommonHandler.callFuture(FMLCommonHandler.java:714) [FMLCommonHandler.class:?]
at net.minecraft.server.MinecraftServer.func_71190_q(MinecraftServer.java:656) [MinecraftServer.class:?]
at net.minecraft.server.dedicated.DedicatedServer.func_71190_q(DedicatedServer.java:364) [po.class:?]
at net.minecraft.server.MinecraftServer.func_71217_p(MinecraftServer.java:598) [MinecraftServer.class:?]
at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:478) [MinecraftServer.class:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_65]

I need some help.


How is your olddb organized? I guess these passwords are salted too?

Which Sponge and Forge version do you have?


Fist I want to thank you for this plugin, it is a dream come true :smile:. However I have major problem;

I cannot seem login using TOTP, whenever I generate new secret and scan it into my phone, and then try to log in by using /login numberGeneratedByGoogleAuth , it says that i have entered wrong password, I got no errors on the client side and no errors concerning FlexibleLogin serve side.
Also when I use unregister command from server console it does not correctly delete account, because when I login after that, it doesn't allow me to register again...

I use forge and sponge build 833


Thank you for the report. I found out that there was a caching issue.

Is your server in a different timezone compared to your smartphone?


I should have thought of this, you are right my servers time was not synchronized for long so it was off quite a bit (more than 10 minutes) now it should work correctly (I'll test it once the server is empty).
Thanks again for a awesome plugin and fast response


Thanks for implementing this with bcrypt as your hashing algorithm :'D <3


With latest sponge got 2 errors in console (plugin looks like working fine but..):



You're right. Bug existed because of the newest SpongeAPI changes.

Update is uploaded.


Working as intended. Great job :wink: