AuthMe / AuthMeReloaded

The best authentication plugin for the Bukkit/Spigot API!
https://www.spigotmc.org/resources/authmereloaded.6269/
GNU General Public License v3.0

2FA: "/2fa code/confirm <code>" should not be logged in the console [Suggestion] #1703

Open austinhuang0131 opened 5 years ago

austinhuang0131 commented 5 years ago

Before reporting an issue make sure you are running the latest build of the plugin and checked for duplicate issues!

yes

What behaviour is observed:

Console logs /2fa code/confirm <code> message as usual.

What behaviour is expected:

Console logs something like "2fa success" instead of exposing the code, just like how /login is treated in the console. I'm not saying I don't trust my OPs but I just think it's necessary.

Steps/models to reproduce:

You log in using 2fa.

Plugin list:

n/a

Environment description

Spigot 1.13.2 @ Linux

AuthMe build number:

v5.5.1-SNAPSHOT (build: 2181)

Error Log:

n/a

Configuration:

n/a

lifehome commented 5 years ago

This indeed should not appear anywhere, but since it is still a chat event, it could be caught by plugins (i.e. Prism-Bukkit) that log player commands. Further, the 2FA code should only be used once, so it's less sensitive than a password.

sgdc3 commented 5 years ago

> This indeed should not appear anywhere

We can just hide it from the server log, better than nothing
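
One way to hide these commands from the server log, as an added example that is not from this thread and is not AuthMe's own code: a `java.util.logging` filter that drops any record echoing `/2fa code` or `/2fa confirm`. The class name `TwoFactorLogFilter` is hypothetical, and the console line format (`<player> issued server command: ...`) and the use of `java.util.logging` rather than the server's actual logging backend are assumptions.

```java
import java.util.Locale;
import java.util.logging.Filter;
import java.util.logging.Level;
import java.util.logging.LogRecord;

/** Drops console records that echo a player's /2fa code or /2fa confirm command. */
public class TwoFactorLogFilter implements Filter {
    // Assumption: the server echoes commands as "<player> issued server command: /<cmd> <args>".
    private static final String MARKER = "issued server command:";
    // Subcommands named in the issue; both carry the one-time code as their argument.
    private static final String[] SENSITIVE = {"/2fa code", "/2fa confirm"};

    static boolean isSensitive(String message) {
        if (message == null) {
            return false;
        }
        String lower = message.toLowerCase(Locale.ROOT);
        int at = lower.indexOf(MARKER);
        if (at < 0) {
            return false;
        }
        // Collapse whitespace so "/2fa   code 123456" is still matched.
        String command = lower.substring(at + MARKER.length()).trim().replaceAll("\\s+", " ");
        for (String prefix : SENSITIVE) {
            if (command.equals(prefix) || command.startsWith(prefix + " ")) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean isLoggable(LogRecord record) {
        return !isSensitive(record.getMessage());
    }

    public static void main(String[] args) {
        // Constructed sample console lines (player name and codes are made up).
        String[] samples = {"Steve issued server command: /2fa code 123456",
            "Steve issued server command: /2FA  confirm 654321",
            "Steve issued server command: /help"};
        Filter filter = new TwoFactorLogFilter();
        for (String line : samples) {
            boolean kept = filter.isLoggable(new LogRecord(Level.INFO, line));
            System.out.println((kept ? "LOGGED  " : "DROPPED ") + line);
        }
    }
}
```

A filter like this only affects the logger it is attached to; plugins that record player commands from the command event itself still receive the full command text.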