[WIP] StopBots

Many server owners regularly have issues with bots joining servers, spamming chat, and leaving. This plugin (and service) uses Google’s reCaptcha to confirm players are actual players, not just bots. It utilizes a 12-step process to authorize players (which will be repeated weekly, if using the default servers). How it works:

                 +-------------------------------------+
                 |                  12                 |
 +---------------v--+               2               +--+----------+     8      +---------------+
 |                  +------------------------------->             +------------>               |
 | MINECRAFT SERVER |                               | BACKEND API |            | reCAPTCHA API |
 |                  <-------------------------------+             <------------+               |
 +^-----^---+----+--+               4               +--^---^--+---+     9      +---------------+
  |     |   |    |                                     |   |  |
  |     |   |    +-------------------------------------+   |  |
  |     |   |                       11                   7 |  | 3
10|   1 |   |5                                             |  |
  |     |   |                                              |  |
  |     |   |                                              |  |
  |  +--+---v-+                                          +-+--v-----+
  |  |        |                                          |          |
  +--+ PLAYER +------------------------------------------> FRONTEND |
     |        |                     6                    |          |
     +--------+                                          +----------+

  1. Player attempts to join server.
  2. Server consults the backend, which replies with a short link (https://stopbots.xyz/ABCD1234) and a boolean of whether or not the player (based on UUIDv4) has been confirmed. If true, no further action needs to be taken, and the link will merely display a confirmation of authorization if visited.
  3. If the player has not yet been confirmed or the confirmation has expired, the backend will generate a “link” (https://stopbots.xyz/[id]) for the player (unique, one-time) that will expire after 5 minutes. The server sends the link back via step 4 and the server should kick the player and display the link (step 5).
  4. The player should visit the link and complete a verification task (in this case, complete a reCaptcha). Steps 7 through 9 are confirming the captcha is solved.
    In step 10, a player attempts to join again, having been shown a confirmation screen that they are authorized. The server repeats step 2 in steps 11 and 12, simply checking that the player is, in fact, confirmed.

This process, combined with an anti-chat spam (using a rolling rate limit or sliding window), gives server owners a degree of confidence that players joining are not bots. Servers will be able to run their own backend or utilize a shared backend (so that players do not have to confirm on multiple servers). The core backend will, however, be rate limited per IP to avoid abuse.

This plugin should be released by the end of August, but the service will be released first. A documented RESTful API will be available.

If you wish to assist me in development, please feel free to contact me. If you have suggestions or concerns, just ask!

If you are a frontend designer or have worked with NodeJS before, I’d love your help.

Progress Tracking:
[DONE]

  • Core backend services, including link generation and basic frontend.
  • API Docs

[TODO/IN PROGRESS]

  • Polished frontend and cleaned up backend (looking for help!).
  • Consumer plugin.

Here’s what I’m using for database schematics (Mongo, simply because it’s easier to deal with in JavaScript):

Collection: links
Links are removed from the database after 5 minutes using Mongo’s expires after method. Links are not removed after use because we don’t want players to be able to (even accidentally) confirm other players.

{
  "_id": String, // https://github.com/dylang/shortid
  "playerUUID": String,
  "expiresAt": Date
}

Collection: players
Stores a list of players who are authorized and when. Entries expire using Mongo’s expire after method, and an absence means a player is unauthorized.

{
  "_id": String, // Player UUIDv4 (not Mojang form)
  "authorizedAt": Date
}
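
Added example (not part of the original posts or the project's code): the link and player lifecycle from the two schemas above, with in-memory Maps standing in for the Mongo collections. MongoDB's TTL deletion runs as a periodic background task, so a document can still be present shortly after `expiresAt`; the sketch therefore checks expiry on every read. The function names, the result strings and the use of `crypto.randomBytes` for the link id (in place of shortid) are assumptions of this example.

```javascript
// Added example: in-memory stand-ins for the "links" and "players" collections.
const crypto = require("node:crypto");

const LINK_TTL_MS = 5 * 60 * 1000;           // links expire after 5 minutes (from the post)
const AUTH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // weekly re-verification (from the post)

const links = new Map();   // _id -> { playerUUID, expiresAt }
const players = new Map(); // playerUUID -> { authorizedAt }

// Steps 2 and 11: absence or a stale entry both mean "unauthorized".
function isAuthorized(playerUUID, now = Date.now()) {
  const p = players.get(playerUUID);
  return p !== undefined && now - p.authorizedAt < AUTH_TTL_MS;
}

// Step 3: issue an unguessable id bound to exactly one player UUID.
function createLink(playerUUID, now = Date.now()) {
  const id = crypto.randomBytes(16).toString("hex"); // assumption: CSPRNG id
  links.set(id, { playerUUID, expiresAt: now + LINK_TTL_MS });
  return id;
}

// Steps 7-9: captchaOk is the backend's own verification result from the
// reCAPTCHA API, never a value supplied by the browser.
function redeemLink(id, captchaOk, now = Date.now()) {
  const link = links.get(id);
  if (!link) return "unknown";
  // Do not rely on the TTL reaper: compare the timestamp explicitly.
  if (now >= link.expiresAt) return "expired";
  if (!captchaOk) return "captcha_failed";
  // The link stays in the store after use, so a revisit only shows status
  // and the id cannot be reissued to a different player.
  if (isAuthorized(link.playerUUID, now)) return "already_confirmed";
  players.set(link.playerUUID, { authorizedAt: now });
  return "confirmed";
}

// Constructed sample run.
const demoUUID = "00000000-0000-4000-8000-000000000001"; // constructed value
const demoLink = createLink(demoUUID);
console.log(redeemLink(demoLink, true), isAuthorized(demoUUID));
```
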

This is really cool!

Thanks! I look forward to any feedback.

Please develop the promised skyblock plugin instead of this one.

@HunterzCZ I work on multiple projects at any given time, as well as private ones. I have no real due dates on public projects and I’m still waiting on a fleshed out Schematic API.