Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 16, 2011.

Thread Status:
Not open for further replies.
     
  1. CypherX
    dev.bukkit.org profile:
    CFUSERNAME
    My Plugins (CFCOUNT)
    Minecraft account:
    MCUSERNAME
    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page: http://dev.bukkit.org/server-mods/xauth/

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel (irc.rizon.net #LoveDespite) or toss me a message at http://love-despite.com/forum. Until we meet again, stay gold. Bang.

    ------------------------------------------------------------------

    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate himself or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.


    Features
    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pick up items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dying to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.

    This post has been edited 82 times. It was last edited by c0mp Aug 17, 2012.
  3. CypherX
    Good guess there, that does seem to be the problem. I'll try to find a solution for the next update.
  4. prosay
    I think I am running on Bukkit 544 (I think); tell me how to check. Here is how I get the inventory loss:
    1. Register and log in normally.
    2. Play for a while.
    3. Disconnect and turn off the server.
    4. Log in and ta-da, items lost.
  5. CypherX
    Fixed in the next update. Actually, I could only replicate this the very first time I tried. Every time after that my inventory was restored successfully. Not sure exactly what's going on but I'll look into it.
  6. greycap
    Hey
    I would like to help you fixing bugs. Could you put your plugin under GPL/put the source on GitHub?
  7. Kaikz
    According to a moderator on my server, you can use some WorldEdit commands without logging in, such as //removenear, //replacenear etc etc.
  8. CypherX
    Yep, that's a known bug and will be fixed when I have a chance to investigate it.
  9. Kaikz
    Damn you're quick. Was just gonna edit that. Thanks.
  10. CypherX
    The source is now available. It has a lot of test code in it along with a partially working customizable message system I've been working on.
  11. Paah
    The issue with custom commands of other plugins is not limited to WorldEdit.
    McMMO commands also work before logging in.
  12. Sparx
    I'd like to request the ability to configure what people are not allowed to do before they login/register. I want people to at least be able to chat and move. Could you add that? :D

    Also, how does the IP verification work? The IPs are not in the auth.txt file. Does the session manager just store them temporarily?
  13. CypherX
    Working on this now. The problem is that some plugins don't check if the event has been cancelled before processing the command. Trying to implement some kind of fix for the next update. Seems that the fix is working, for WorldEdit and McMMO at least.

    I actually had some basic framework in the code up until a few days ago that allowed for configurable limits on what players can do before they log in. Since it's been requested I'll see what I can do about adding it back.

    Yeah, IP addresses are stored in a player's session. When a player joins the server xAuth checks if they have an active session and if the IP address stored in the session matches the one of the player joining.
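The session check described in the post above, as an added example (not xAuth's code, and independent of the Bukkit API): an in-memory session table where a session is created after a successful login, bound to the client's IP, and expires after a fixed length. On join, the player skips the login prompt only if a live session exists for that name and its stored IP equals the connecting IP. The class, method and field names and the session length are assumptions made for this example.

```python
import time

# Added example, not xAuth's code. Models the join-time check: a session is
# trusted only if it exists, has not expired, and was opened from the same IP.
SESSION_LENGTH = 3600  # seconds; assumed value, not xAuth's actual default


class SessionStore:
    def __init__(self, session_length=SESSION_LENGTH, clock=time.time):
        self.session_length = session_length
        self.clock = clock              # injectable so the walkthrough is deterministic
        self.sessions = {}              # player name -> (ip, expires_at)

    def open(self, name, ip):
        """After a successful login: bind a fresh session to the client's IP."""
        self.sessions[name] = (ip, self.clock() + self.session_length)

    def close(self, name):
        """On /logout (or any security event): discard the session."""
        self.sessions.pop(name, None)

    def is_authenticated(self, name, ip):
        """On join: True only for an unexpired session whose IP matches."""
        entry = self.sessions.get(name)
        if entry is None:
            return False
        stored_ip, expires_at = entry
        if self.clock() >= expires_at:
            self.sessions.pop(name, None)  # expired: drop it so it cannot be reused
            return False
        # Same name from another address: treat as unauthenticated and require a
        # fresh login. The legitimate client's session is left intact.
        return stored_ip == ip


def demo():
    """Login, then a join under the same name from another IP, then expiry (constructed data)."""
    now = [1000.0]
    store = SessionStore(session_length=60, clock=lambda: now[0])
    store.open("alice", "203.0.113.5")
    from_same_ip = store.is_authenticated("alice", "203.0.113.5")     # True
    from_other_ip = store.is_authenticated("alice", "198.51.100.9")   # False: IP mismatch
    now[0] += 61                                                      # session lapses
    after_expiry = store.is_authenticated("alice", "203.0.113.5")     # False: expired
    return from_same_ip, from_other_ip, after_expiry


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with this design: in offline-mode the player name is unverified, so the IP comparison is the only thing standing between a live session and a name takeover, and it cannot distinguish two clients behind the same NAT; and if sessions are persisted across restarts, the IP and expiry must be persisted with them and the entry removed on /logout or password change, or the restart itself becomes a way to revive a session.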
  14. Sparx
    Actually no, disregard that (well it's still a good suggestion lol). But I would most appreciate the ability to make it so only certain Permissions groups have to log in. I really only need my admins and moderators protected, as they are the only people that could potentially harm the server.
  15. zajacmp3
    I have a request. Something that all other registration plugins lack. Can you make some... Ban character filter for it?

    Some people are trying to be smart by changing nicks like this:
    http://i.imgur.com/6qThQ.png

    Can you do this?
  16. CypherX
    Updated to version 1.1.4:
    • Version 1.1.4
      • Customizable messages
      • Inventory loss when used with MultiInv should be fixed
      • Ability to use commands from (some) other plugins should be fixed
      • Implemented a strike system
      • Fixed a bug that prevented the accounts file from being updated
      • Lag/delay when joining a server with a large number of registered accounts reduced
    All customizable messages can be found in strings.yml that will be automatically generated on first run of this update. For info about replacement variables, go here.

    Previously, a player could try as many passwords as they'd like to try and gain access to an account. This has been thwarted with the new addition of a strike system that will ban the IP address of a player who fails at entering the correct password a configurable amount of times.

    Compatibility with the plugin MultiInv and the ability to use commands from other plugins before logging in should be fixed.

    So basically, a property in the configuration file where you can specify illegal characters that a players name will be checked for upon joining the server?
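The strike system announced above, as an added example (not xAuth's code, and independent of the Bukkit API): a per-IP counter where wrong passwords accumulate strikes within a sliding window, and reaching the limit locks the address out for a fixed period during which even a correct password is refused. The option names and values (MAX_STRIKES, STRIKE_WINDOW, LOCKOUT_LENGTH) and the function names are assumptions for this example, not xAuth's configuration keys.

```python
import time
from collections import deque

# Added example, not xAuth's code. Per-IP failed-login strikes with a lockout.
MAX_STRIKES = 5       # wrong passwords allowed inside the window (assumed)
STRIKE_WINDOW = 300   # seconds over which strikes are counted (assumed)
LOCKOUT_LENGTH = 600  # seconds the IP is refused after hitting the limit (assumed)


class StrikeTracker:
    def __init__(self, max_strikes=MAX_STRIKES, window=STRIKE_WINDOW,
                 lockout=LOCKOUT_LENGTH, clock=time.time):
        self.max_strikes = max_strikes
        self.window = window
        self.lockout = lockout
        self.clock = clock                 # injectable so the walkthrough is deterministic
        self.failures = {}                 # ip -> deque of failure timestamps
        self.locked_until = {}             # ip -> time at which the lockout ends

    def is_locked(self, ip):
        """Check this BEFORE doing any password work for the attempt."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # lockout elapsed: forget the address
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a wrong password. Returns True if this strike triggers a lockout."""
        now = self.clock()
        strikes = self.failures.setdefault(ip, deque())
        strikes.append(now)
        while strikes and now - strikes[0] > self.window:   # drop strikes outside the window
            strikes.popleft()
        if len(strikes) >= self.max_strikes:
            self.locked_until[ip] = now + self.lockout
            strikes.clear()
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the counter for that address."""
        self.failures.pop(ip, None)


def process_attempt(tracker, ip, check_password):
    """Outcome of one /login attempt; check_password() is only called when not locked."""
    if tracker.is_locked(ip):
        return "locked"                    # refused without touching the password hash
    if check_password():
        tracker.record_success(ip)
        return "ok"
    if tracker.record_failure(ip):
        return "locked"                    # this strike hit the limit: kick and lock
    return "wrong"


def demo():
    """Three wrong guesses lock the IP; the lock also refuses the right password until it expires."""
    now = [0.0]
    tracker = StrikeTracker(max_strikes=3, window=60, lockout=120, clock=lambda: now[0])
    ip = "198.51.100.7"                    # constructed attacker address
    outcomes = [process_attempt(tracker, ip, lambda: False) for _ in range(3)]
    outcomes.append(process_attempt(tracker, ip, lambda: True))   # correct, still locked
    now[0] += 121                                                 # lockout elapses
    outcomes.append(process_attempt(tracker, ip, lambda: True))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the source IP, so it also locks out every player behind the same NAT, and an attacker who wants a particular victim offline can trip it deliberately from the victim's network; per-account throttling alongside the per-IP counter limits that, and every lockout should be logged with the name and IP involved.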
  17. Wulfspider
    Not all other plugins lack this ;)
  18. xenex
    Can I get a link to 1.1.3? I think the latest version is blocking my MCDocs and mcMMO commands
  19. CypherX
  20. xenex
    Yeah, 1.1.4 broke my mcdocs and mcmmo commands
  21. CypherX
    Updated to version 1.1.4.1
    • Version 1.1.4.1
      • Fix command breaking bug pointed out in this post.
  22. Paah
    So is this fix specifically for WorldEdit and McMMO, or did you find a way to block all commands from other plugins whether they check for event cancellation or not?
    (Either is fine for me, but the latter would of course be better)

    E: Would also appreciate the functionality Sparx suggested, only specific groups have to log in. Or maybe registration would be optional and you only needed to login if you have registered.
  23. CypherX
    Theoretically it's supposed to block all commands besides those listed in the configuration file. What it does is hook into the PLAYER_COMMAND_PREPROCESS event, check if the player is logged in, if not it cancels the event and sets the command itself to just "/" so it does nothing. It's a pretty hacky way of doing it as I see no other way until all plugins check if the event is cancelled.

    For those who understand Java:

    Code:
    import org.bukkit.entity.Player;
    import org.bukkit.event.Cancellable;
    import org.bukkit.event.player.PlayerCommandPreprocessEvent;

    // Handler for PLAYER_COMMAND_PREPROCESS (old Bukkit PlayerListener API).
    // The post showed only the body; 'plugin' is the listener's reference to the xAuth main class.
    public void onPlayerCommandPreprocess(PlayerCommandPreprocessEvent event)
    {
        Player player = event.getPlayer();
        String[] msg = event.getMessage().split(" ");

        // msg[0] is the command itself, e.g. "/login"; commands on the allowed list are skipped
        if (!plugin.isCmdAllowed(msg[0]))
            plugin.handleEvent(player, event);

        // Plugins that never check isCancelled() still see the message, so blank it out
        if (event.isCancelled())
            event.setMessage("/");
    }
    Code:
    public void handleEvent(Player player, Cancellable event)
    {
        // No session means the player has not logged in (or registered) yet
        if (!sessionExists(player.getName()))
        {
             event.setCancelled(true);

             // Rate-limited reminder to log in / register
             if (canNotify(player))
                 notifyPlayer(player);
        }
    }
  24. xenex
    Thanks for the quick fix! :)
  25. zajacmp3
    It would be much better to specify only legal characters... Because one time from the console I saw something similar to Chinese letters...
    Like:
    LegalCharacters = 'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,-,+,@,!,#,$,%,^,&,*,(,),[,{,],},:,;,.,/'
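The allow-list approach proposed above, as an added example (not xAuth's filter and not its configuration syntax): an allow-list regex beside a deny-list, run over constructed lookalike names so the difference is visible. The pattern used here (3 to 16 characters from A-Z, a-z, 0-9 and underscore) is an assumption chosen for the example; the deny-list is likewise constructed only for contrast.

```python
import re
import unicodedata

# Added example, not xAuth's code. Allow-list versus deny-list name validation.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9_]{3,16}")   # assumed policy for this example
NAME_DENIED_CHARS = set("\u00a7 \t\r\n")            # a deny-list only catches what its author thought of


def allowed_by_denylist(name):
    return not any(ch in NAME_DENIED_CHARS for ch in name)


def allowed_by_allowlist(name):
    # fullmatch: the whole string must match, so an invisible or non-Latin
    # character anywhere in the name fails the check
    return NAME_ALLOWED.fullmatch(name) is not None


def suspicious_chars(name):
    """Non-ASCII code points in a name with their Unicode names, for the kick log line."""
    return [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
            for ch in name if ord(ch) > 127]


def demo():
    """Constructed names: a real one and three lookalikes an impersonator might try."""
    names = [
        "Notch",           # legitimate
        "N\u043etch",      # Cyrillic small letter o in place of Latin o
        "Admin\u200b",     # zero-width space appended
        "Adm\u0131n",      # dotless i, renders like 'Admin' in many fonts
    ]
    return {name: (allowed_by_denylist(name), allowed_by_allowlist(name)) for name in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in demo().items():
        print(repr(name), "denylist:", deny_ok, "allowlist:", allow_ok, suspicious_chars(name))
```

All three lookalikes pass the deny-list and fail the allow-list; since in offline-mode the client chooses its own name, the server-side check is the only place this can be enforced, and logging the offending code points makes the kick explainable afterwards.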
  26. CypherX
    This is implemented and will be in the next update.
  27. leoschabel
    I am using xAuth, and I was sure that it would block commands from non logged-in users (I tried it out some time ago).

    But yesterday, someone logged in as one of our moderators and banned everyone, without authorizing. I undid the bans and tried it out myself, and it actually didn't block any single command. What am I doing wrong?

    Edit: Not happening anymore after server restart. No idea why this happened.
  28. Hybris95
    Sounds more like a hack
  29. leoschabel
    I looked at the server log, the only thing he did was trying to log in as other users. The plugin was working fine, the only thing that didn't was blocking commands.
  30. CypherX
    Is it still working fine after you rebooted your server? If not, what commands can be used?
  31. Toasty
    I was thinking SHA-2 (256 ought to be good enough), but Whirlpool seems promising as well. I'd just like to see something that isn't easily attacked. If a server managed to get really popular, and used a plugin similar to this, it could become an object of focus for some cybercrimes, and MD5 is no longer adequate to protect against that. Even with salting and hashing repeatedly.


    Also, it might not be a bad idea to implement a minimum password complexity requirement that's adjustable in the config file (And could optionally be turned off). Though I see that as more of a nice feature to have than something that's necessary.

    I'm liking the progress so far though.
  32. CypherX
    I'll probably be making the switch from MD5 to Whirlpool within the next two updates. Whirlpool has been ready to use but I've been busy adding other features so I haven't had time to implement it. The password complexity requirement is a good idea and I'll see about adding that.

    An update to support the latest recommended build will also be available soon. I'll more than likely be releasing two versions of the update: one with all the new features that works for older builds and one with all the new features that works with the newer builds.
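The hashing question raised in the two posts above, as an added example (not xAuth's hashing code, whether the MD5 it shipped with or the Whirlpool it planned). What limits an offline attack on a stolen accounts file is not the choice between MD5, SHA-256 and Whirlpool, all of which are fast, but a per-user random salt, a deliberately slow derivation, and a constant-time comparison. The example shows unsalted MD5 beside PBKDF2-HMAC-SHA256 from the Python standard library (Whirlpool is not guaranteed to be present in hashlib, which is why it is not used); the iteration count, salt size and stored-string format are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not xAuth's code. Unsalted MD5 beside a salted, slow, constant-time scheme.
ITERATIONS = 200_000   # assumed work factor; tune so one verify costs tens of milliseconds
SALT_BYTES = 16        # assumed salt size


def md5_unsalted(password):
    """The weak baseline: fast, and identical passwords give identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False                       # malformed record: never authenticate
    if algorithm != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def demo():
    """Two players with the same password (constructed): MD5 exposes the reuse, PBKDF2 does not."""
    alice_md5, bob_md5 = md5_unsalted("hunter2"), md5_unsalted("hunter2")
    alice = hash_password("hunter2", iterations=20_000)
    bob = hash_password("hunter2", iterations=20_000)
    return {
        "md5_collides": alice_md5 == bob_md5,                 # True: cracking one reveals both
        "pbkdf2_collides": alice == bob,                      # False: per-user salt
        "right_password": verify_password("hunter2", alice),  # True
        "wrong_password": verify_password("hunter3", alice),  # False
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and iteration count inside the record, as the string format here does, is what lets an operator raise the work factor later and rehash each account on its next successful login instead of forcing a reset.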