Getting lots of invalid password errors

[EchoesNetwork]

So recently I’ve been getting lots of invalid password/blacklisted IP errors on multiple different devices on many different IPs when trying to use MCC. My passwords are definitely right, I think something has just changed with logins maybe? Here is the output with debug messages enabled.

< HTTP/1.1 403 Forbidden
< Server: CloudFront
< Date: Sun, 05 May 2019 21:31:19 GMT
< Content-Type: text/html
< Content-Length: 560
< Connection: close
< X-Cache: Error from cloudfront
< Via: 1.1 0f653303bc95b26f01daff2926667902.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: GzVPXodBY5xdELFE7gFrXKqZHbrZVk948gwo1Vxon08UT9PD-AtjrA==
< 
< <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
< <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
< <TITLE>ERROR: The request could not be satisfied</TITLE>
< </HEAD><BODY>
< <H1>403 ERROR</H1>
< <H2>The request could not be satisfied.</H2>
< <HR noshade size="1px">
< Request blocked.
< 
< <BR clear="all">
< <HR noshade size="1px">
< <PRE>
< Generated by cloudfront (CloudFront)
< Request ID: GzVPXodBY5xdELFE7gFrXKqZHbrZVk948gwo1Vxon08UT9PD-AtjrA==
< </PRE>
< <ADDRESS>
< </ADDRESS>
< </BODY></HTML>

For reference I’m using the first build of MCC with terrainandmovements enabled for 1.14. It only happens sometimes and only with certain accounts.

[ORelio]

Thank you for submitting a detailed report with debug trace of the HTTP response. It seems like the login servers have some security measures enabled on Amazon CloudFront.

However, it is nothing new that Mojang limits login attempts per IP addresses and providers. See #634, #590 and #567. It is possible that they now also limit logins per account, with an independant rate-limit than per-IP attempts. Normal users are expected to have very few accounts, login very few since session is cached afterwards, and likely use few different IP addresses for their accounts, hence the limits. Anything that differs from can be considered suspicious and may be blocked automatically.

The only thing you can do is performing as less login attempts as possible, by making sure you have sessioncache=true in config. This enables the same behavior as vanilla Minecraft launcher, which is to perform a regular login on first use, and session refresh on all subsequent uses. Session refreshes are usually less restricted as they are expected to happen often.

For more details of how login works, you can have a look at https://wiki.vg/Authentication Anyway, I don't think that login rate-limiting can be fixed on our side.

[EchoesNetwork]

I found a workaround. For anyone wondering, the issue is with ALL OVH servers hosted in Canada; the range of IPs OVH uses for its machines in Beauharnois have all been blacklisted by Mojang. Luckily OVH offers VPSs hosted in France and Germany and a couple other places. Hopefully those aren't blacklisted too!

[ORelio]

Indeed, some VPS providers are blacklisted, the same way as VPN providers. You may perform the login at home, then place your session information on the VPS.