Many server owners regularly have issues with bots joining servers, spamming chat, and leaving. This plugin (and service) uses Google’s reCAPTCHA to confirm players are actual players, not just bots. It utilizes a 12-step process to authorize players (which will be repeated weekly, if using the default servers). How it works:

                    +-------------------------------------+
                    |                 12                  |
    +---------------v--+               2               +--+----------+     8      +---------------+
    |                  +------------------------------->             +------------>               |
    | MINECRAFT SERVER |                               | BACKEND API |            | reCAPTCHA API |
    |                  <-------------------------------+             <------------+               |
    +^-----^---+----+--+               4               +--^---^--+---+     9      +---------------+
     |     |   |    |                                     |   |  |
     |     |   |    +-------------------------------------+   |  |
     |     |   |                      11                    7 |  | 3
   10|   1 |   |5                                             |  |
     |     |   |                                              |  |
     |     |   |                                              |  |
     |  +--+---v-+                                          +-+--v-----+
     |  |        |                                          |          |
     +--+ PLAYER +------------------------------------------> FRONTEND |
        |        |                     6                    |          |
        +--------+                                          +----------+

- Player attempts to join server.
- Server consults the backend, which replies with a short link (https://stopbots.xyz/ABCD1234) and a boolean of whether or not the player (based on UUIDv4) has been confirmed. If true, no further action needs to be taken, and the link will merely display a confirmation of authorization if visited.
- If the player has not yet been confirmed or the confirmation has expired, the backend will generate a “link” (https://stopbots.xyz/[id]) for the player (unique, one-time) that will expire after 5 minutes. The backend sends the link back via step 4, and the server should kick the player and display the link (step 5).
- The player should visit the link and complete a verification task (in this case, complete a reCAPTCHA). Steps 7 through 9 confirm that the captcha was solved.
In step 10, a player attempts to join again, having been shown a confirmation screen that they are authorized. The server repeats step 2 in steps 11 and 12, simply checking that the player is, in fact, confirmed.
This process, combined with anti-chat-spam measures (using a rolling rate limit or sliding window), gives server owners a degree of confidence that players joining are not bots. Servers will be able to run their own backend or utilize a shared backend (so that players do not have to confirm on multiple servers). The core backend will, however, be rate limited per IP to avoid abuse.
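The link and confirmation lifecycle described above, as an added example (not code from this project): an in-memory Node.js model of the backend state. The function names, the 16-hex-character link id and the `captchaOk` flag that stands in for the reCAPTCHA check of steps 8 and 9 are all assumptions.

```javascript
// Added example: in-memory model of the backend's link/confirmation state.
// Names, id format and storage are assumptions, not the project's own code.
const crypto = require("node:crypto");

const LINK_TTL_MS = 5 * 60 * 1000;              // links expire after 5 minutes
const CONFIRM_TTL_MS = 7 * 24 * 60 * 60 * 1000; // confirmation repeats weekly

const links = new Map();     // link id -> { uuid, expires }
const confirmed = new Map(); // player UUID -> confirmation expiry (ms)

function isConfirmed(uuid, now) {
  return (confirmed.get(uuid) ?? 0) > now;
}

// Steps 2-4 and 11-12: the server asks about a player by UUID and gets back
// a short link plus a boolean saying whether the player is confirmed.
function checkPlayer(uuid, now = Date.now()) {
  // 64 bits from a CSPRNG, so link ids cannot be guessed or enumerated.
  const id = crypto.randomBytes(8).toString("hex");
  links.set(id, { uuid, expires: now + LINK_TTL_MS });
  return { confirmed: isConfirmed(uuid, now), link: `https://stopbots.xyz/${id}` };
}

// Steps 6-9: the player visits the link. captchaOk is the outcome of the
// backend's own verification with the reCAPTCHA API, never a client claim.
function redeem(id, captchaOk, now = Date.now()) {
  const entry = links.get(id);
  if (!entry || entry.expires <= now) {
    links.delete(id); // drop expired entries so they cannot be replayed
    return "invalid-or-expired";
  }
  // A confirmed player's link only displays the confirmation.
  if (isConfirmed(entry.uuid, now)) return "already-confirmed";
  if (!captchaOk) return "captcha-failed"; // link stays valid until expiry
  links.delete(id); // one-time: consume the link on success
  confirmed.set(entry.uuid, now + CONFIRM_TTL_MS);
  return "confirmed";
}
```

The confirmation is bound to the UUID stored with the link when it was issued, so a solved captcha cannot be applied to a different player than the one the server asked about.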
This plugin should be released by the end of August, but the service will be released first. A documented RESTful API will be available.
If you wish to assist me in development, please feel free to contact me. If you have suggestions or concerns, just ask!
If you are a frontend designer or have worked with NodeJS before, I’d love your help.
Progress Tracking:
[DONE]
- Core backend services, including link generation and basic frontend.
- API Docs
[TODO/IN PROGRESS]
- Polished frontend and cleaned up backend (looking for help!).
- Consumer plugin.