Just a quick question for all those developers out there. Since Forge is actually being implemented inside of Sponge, will the possibility of a plugin disallowing users with certain mods be applicable? I personally don’t develop much and I am only now just getting into everything that is Sponge and haven’t had much time to actually look around, so I figured this would be my best bet on getting a quick and simple answer.
This idea has been debated a few times around the community already I think. And as far as I’m aware this isn’t possible.
This is because even if you did have the client send a list of mods to the server, this wouldn’t stop people from spoofing the mod list. So they could redact any disallowed mods like kill aura or aim bot.
    import com.google.common.base.Optional; // Guava Optional (absent()), not java.util.Optional
    import java.util.Map;

    public static Optional<Map<String, String>> getModList(Player p) {
        try {
            // The player has Forge installed on the client, so we can return all mods (name, version)
            return Optional.of(NetworkDispatcher.get(((EntityPlayerMP) p).playerNetServerHandler.netManager).getModList());
        } catch (Throwable t) {
            // The player doesn't have Forge
            return Optional.absent();
        }
    }
Warning, this method is not part of SpongeAPI
For SpongeVanilla, it’s more complex: you should intercept some packets while the player tries to join the server.
Yes, my idea is to force the player to install a mod that sends his minecraft.jar’s hash (or other information) to the server.
If the hash is corrupted then we kick him =3
To avoid the possibility of a fake mod that sends a fake hash, you can use a launcher that scans the mods dir and gives a token to the mod if everything is ok.
Like @zml said, without a secure system like above, the client can still lie.
WorldDownloader, Schematica, etc etc. Though there is a single version of WorldDownloader that is completely clientside, it’s just not widely known about or advertised on their page. Of course the ones that are advertised use Plugin Channels to communicate with.
Even if it manages to raise the bar so the users need to know enough to install undetectable cheat mods, that would still be a step up from allowing all mods.
You can disallow Forge mods quite easily. NetworkDispatcher#getModList returns you the map with ModIDs and versions. You can get it, check if clients have any disallowed mods and kick them. However, it only works with Forge mods. You cannot get any information about LiteLoader mods, jar mods and others. You will have to use your own launcher or a third-party mod which clients HAVE to install to connect.
PS. Clients may fake the packet with information about installed mods, I’m not sure if it’s protected or not.
PPS. NetworkDispatcher#getModList is not part of SpongeForge or SpongeAPI. It is part of MinecraftForge.
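The check described in the post above, as an added example that is not part of the original thread or of Forge or Sponge: a plain-Java policy over the modId-to-version map that NetworkDispatcher#getModList returns, keeping "no Forge data" and "nothing disallowed reported" as separate outcomes because the client controls the list. The class name, mod IDs and versions are hypothetical, constructed values.

```java
import java.util.*;

// Added example (hypothetical names): evaluates a client-reported mod list.
public class ModListPolicy {
    public enum Verdict { NO_FORGE_DATA, NOTHING_DISALLOWED_REPORTED, DISALLOWED_MOD_REPORTED }

    private final Set<String> disallowed = new HashSet<>();

    public ModListPolicy(Collection<String> disallowedIds) {
        for (String id : disallowedIds) {
            disallowed.add(id.toLowerCase(Locale.ROOT)); // compare mod IDs case-insensitively
        }
    }

    // Reported mod IDs that are on the deny list, sorted for stable log output.
    public List<String> violations(Map<String, String> reportedMods) {
        List<String> hits = new ArrayList<>();
        if (reportedMods == null) return hits;
        for (String id : reportedMods.keySet()) {
            if (id != null && disallowed.contains(id.toLowerCase(Locale.ROOT))) hits.add(id);
        }
        Collections.sort(hits);
        return hits;
    }

    // null map = no Forge handshake data (vanilla, LiteLoader-only or jar-modded client).
    // NOTHING_DISALLOWED_REPORTED is not proof of a clean client: the list is self-reported.
    public Verdict evaluate(Map<String, String> reportedMods) {
        if (reportedMods == null) return Verdict.NO_FORGE_DATA;
        return violations(reportedMods).isEmpty()
                ? Verdict.NOTHING_DISALLOWED_REPORTED
                : Verdict.DISALLOWED_MOD_REPORTED;
    }

    public static void main(String[] args) {
        ModListPolicy policy = new ModListPolicy(Arrays.asList("examplecheat", "examplexray"));

        Map<String, String> reported = new HashMap<>(); // constructed sample handshake data
        reported.put("FML", "0.0.0-sample");
        reported.put("ExampleCheat", "1.2");

        System.out.println(policy.evaluate(reported) + " " + policy.violations(reported));
        System.out.println(policy.evaluate(Collections.<String, String>emptyMap()));
        System.out.println(policy.evaluate(null));
    }
}
```

In a plugin, the map would come from the `getModList(Player)` helper posted earlier in the thread, with an absent result passed as `null`.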
Unless you go to the lengths e.g. Valve goes to with VAC, whatever you do is going to be easy to avoid. In the end, they can simply RE your security measures, and spoof whatever your thing is doing.
That said, if you develop all that just for a single server, and no advanced cheat developer is targeting you, it will work out pretty well.