PaperMC / Velocity

The modern, next-generation Minecraft server proxy.
https://papermc.io/software/velocity
GNU General Public License v3.0

UUID Spoofing / Swapping? #15

Closed ryantheleach closed 6 years ago

ryantheleach commented 6 years ago

It's been a long-standing goal of mine to be able to swap between 'profiles' for a given online account.

Use case 1 - Staff Switching

E.g. ryantheleach owns 1 Mojang account, and has authenticated. He is a junior staff member on a server. He is in high school, so can't afford a second account.

Our server network prefers to audit staff actions, and to make that easier, requires that all staff members have a staff account, that has completely different permissions, and mode of play. Actions taken by staff members are audited for fair play.

Spoofing UUIDs of authenticated accounts would allow junior staff member ryantheleach to play normally on the server, as well as administrating the server, without constantly flagging false positives in the audit log, as if he had 2 accounts on the server.

Use case 2 - User Mode Switching

It would also enable interesting gameplay, being able to swap from an "Engineer" on a build server, that builds dungeons for other users, and an "Adventurer" who runs dungeons of other Engineers, without conflating the native in-built statistics of Minecraft.

In order for both of these to work effectively, and present themselves as completely different profiles to plugins, the far 'easiest' solution is just to swap the UUID/profile completely. Custom plugins that need to be aware of the online owner of the account could query it via an API.

Use case 3 - Offline/Legacy UUIDs

Instead of migrating a large amount of UUIDs or accidentally creating 2 profiles for offline/LAN use and online authentication, first-class support for online/offline mapping would allow offline users to connect to their normally online mode server in a LAN scenario, as well as promoting offline/LAN servers back to online mode.

Use case 4

This would have the unintended side-effect of making mixed mode authentication easier, should auth servers go down, but would not completely allow it, as you could restrict the feature to authenticated accounts only.

I fully understand if you instantly close this ticket, as it's very close to enabling cracked server authentication via the proxy, but my instinct is people will do this anyway so we may as well enable the feature for those that could use it in positive ways, or libraries that need multiple profiles for shared computers.

astei commented 6 years ago

I feel as if this is too niche of a feature to include in Velocity, at least right now. Support for this might be added down the line, but for the moment I don't think we should consider it, especially with Velocity not even being fully feature-complete just yet.

ryantheleach commented 6 years ago

I understand. If I took the development effort later down the line, would you be receptive to accepting it?

I realize at the current stage of maturity, that it's unwanted.

astei commented 6 years ago

If you did, we would be receptive to it, yes.