Thulinma / MixedModeAuth

Bukkit Plugin for offline-mode servers

[Request] Whitelist style list of players that require MC.net auth #5

Closed stephen304 closed 12 years ago

stephen304 commented 12 years ago

I'm not sure if I should be posting this here, but the thread on bukkit is locked and this is the closest plugin to exactly what I need.

I run a server with mixed users (Premium and non-premium); I'm going to try to explain this as clearly as I can.

I need a "premium.txt" where I can add player names. If a player that joins is in the "premium.txt" list, then their login is checked with mc.net. If it checks successfully, they can play immediately. If the check fails, they are kicked like a player would normally be kicked if a non premium player tried to play on an online mode server.

If the player is not in the "premium.txt", checking with mc.net is skipped and then they are asked to login if they are registered, or they are asked to register if their name hasn't been registered before. (and the name is taken from the client and not set by command)

The effect of this is to allow my premium players to play without any interruption or login other than normal while my non-premium players will have to set/enter a password.

The reason why I can't use what is currently in the plugin is because non-premium players will be able to log in as a premium player's name and will be able to access chests. I hope you understand what I am asking for, and I hope it isn't too much to ask.

Thulinma commented 12 years ago

There's just one problem here:

Upon connect the server says to the client "I'm an online-mode server" or "I'm an offline-mode server". Then, afterwards, the client replies with the username of the client.

This order cannot be changed, as the client expects this order and will not work otherwise.

This means you have to decide if the player will be authorized in online or offline mode before receiving the player name. Thus, no changes can be made to the login process based on name. Based on IP address would be possible, but is not very reliable. Based on server port is another possibility (have a separate port to connect to in "premium mode"), but that is it.

How my plugin currently works is like this:

Hopefully you understand the limitations and possibilities. If you have any further questions, feel free to ask.

stephen304 commented 12 years ago

Can a plugin check mc.net and authorize premium players or does it not have enough access/information to do this?

Thulinma commented 12 years ago

It can, but the client will only attempt a mc.net login right at the start of the connection, and only in online mode. So, doing this is possible but useless :-)

stephen304 commented 12 years ago

Would this be possible?

I hope this helps you understand what I am trying to do. It seems to me like this might work. Please tell me if I am missing something.

Thulinma commented 12 years ago

Yes, that can work. It doesn't add any extra security though (failed logins are already ALWAYS put in "guest mode" like all offline players normally are), and it will disable the support for playing on your account if the MC.net servers are down.

stephen304 commented 12 years ago

The extra security comes from a player's name being in the premium.txt file, because if a non-premium player tried to log in as a premium player, the mc.net validation would fail, the plugin would see the name in premium.txt and the user would be kicked.

i.e., users that are in premium.txt require login success with mc.net, while all other user names can fail with validation and still be able to play.

If you still don't get what I am trying to do, you said:

> failed logins are already ALWAYS put in "guest mode"

I don't want failed logins to always go into guest mode. Failed mc.net validation should result in kick but ONLY IF the name is in premium.txt

Thulinma commented 12 years ago

Yeah, sure, that feature can be added. I'll see what I can do.

stephen304 commented 12 years ago

Thanks soo much!

stephen304 commented 12 years ago

I took a look at the checkserver.php and made it almost do exactly what I want. I made it check mc.net and return YES if mc.net returned YES, and if MC.net returned NOT YET, I had the script check the premium.txt file for the username. If it was found, the script returned NOT YET as well. If the username wasn't present, it returned YES, contrary to what mc.net returned.

I had the script part working fine, but I ran into a problem with the client. Even if the auth server (or my script) returns YES all the time, the client still has to send the hash and session Id to the mc servers. This is where I failed. The client tries to send the server's hash + session id to the minecraft server and the server does not return OK because since the user is not premium, the session ID is incorrect. Since this is a client sided issue, I don't see any solution with just php.

I did some more reading. If code can be inserted between the client->server handshake and the return server->client handshake (0x02) then online mode and offline mode can be switched on the fly depending on the username of the player. http://mc.kev009.com/Protocol#Handshake_.280x02.29

But now I'm wondering, if my cracked launcher fails on its own accord with online mode servers, how do your non-premium players play on online mode servers with your plugin setup?

Here is the sequence of actions described on the Session page of this wiki: (http://mc.kev009.com/Session)

  1. Client connects to server
  2. Server answers TCP connection request
  3. Client sends a 0x02 handshake containing the current player name
  4. Server receives a 0x02 handshake containing the client's player name
  5. Server generates a hash for this client (Or "-" (minus) is sent to indicate offline mode)
  6. Client receives a 0x02 handshake from the server containing a randomly generated hash, which is saved as serverId
  7. Client sends a HTTP request to http://session.minecraft.net/game/joinserver.jsp?user=&sessionId=&serverId=
  8. If the response is OK then continue, otherwise stop
  9. Client sends 0x01 login request
  10. Server receives a 0x01 login request from the client
  11. Server sends a HTTP request to http://session.minecraft.net/game/checkserver.jsp?user=&serverId=
  12. If it returns YES then the client is authenticated and allowed to join. Otherwise the client will/should be kicked with “Failed to verify username!”
  13. Server sends a 0x01 login request to the client
  14. Client receives a 0x01 login request
  15. ... send map chunks, etc...
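
The checkserver decision described in the comment above, as an added example that is not stephen304's script or the plugin's code: names listed in premium.txt must be verified by the session server and fail closed, including when the upstream request errors (the outage trade-off Thulinma mentions). The function names, the name-format check and the sample data are assumptions.

```php
<?php
// Added example. "YES" / "NOT YET" are the replies named in the thread;
// everything else (function names, name format, sample data) is assumed.

/** Parse premium.txt content: one name per line; blank lines and # comments ignored. */
function load_protected_names(string $text): array {
    $names = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $name = strtolower(trim($line));
        if ($name !== '' && $name[0] !== '#') {
            $names[$name] = true;   // lower-cased key: lookups are case-insensitive
        }
    }
    return $names;
}

/**
 * Decide the reply sent back to the game server.
 * $upstream is the session server's response body, or null if the request failed.
 */
function decide_reply(string $user, ?string $upstream, array $protected): string {
    // The name is client-supplied. \A...\z is used because "$" would also
    // match before a trailing newline and let "Alice\n" through.
    if (!preg_match('/\A[A-Za-z0-9_]{1,16}\z/', $user)) {
        return 'NOT YET';
    }
    if ($upstream !== null && trim($upstream) === 'YES') {
        return 'YES';        // verified by the session server
    }
    if (isset($protected[strtolower($user)])) {
        return 'NOT YET';    // listed name: fail closed, upstream outage included
    }
    return 'YES';            // unlisted name: accepted without verification
}

// Constructed sample data: list content and (name, upstream reply) pairs.
$protected = load_protected_names("# premium.txt (constructed)\nAlice\n\nbob_builder\n");
$cases = [
    ['Alice', 'YES'], ['ALICE', 'NOT YET'], ['bob_builder', null],
    ['guest42', 'NOT YET'], ["Alice\n", 'YES'],
];
foreach ($cases as [$user, $upstream]) {
    printf("%-14s upstream=%-8s => %s\n", json_encode($user),
        $upstream ?? 'error', decide_reply($user, $upstream, $protected));
}
```

A premium name that is missing from the list is accepted unverified, so the list has to be complete and unlisted names still need the password login discussed in the thread.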

stephen304 commented 12 years ago

I finally understand how yours works. I am almost done with a replacement login/auth server in php that will allow my premium users to play normally, non premium users can play normally with 2 extra lines in the host file, and nobody can steal anyone's account.

I plan to have a couple options when I am done with it, mainly an option to require unpremium users to log in via the custom login script or only require valid login from premium usernames.

Thulinma commented 12 years ago

So basically an upgrade of legacy mode?

stephen304 commented 12 years ago

Not really sure what you mean by that, but mine will require one of the following for non-premium users:

  1. Cracked launcher with your client mod
  2. Legit launcher with your client mod
  3. Legit launcher with host file additions

Premium users must use the legit launcher (allowing premium on cracked would defeat the purpose)

And 2 modes:

  1. Require everyone to log in using the launcher (not allowing cracked launcher + your client mod)
  2. Allow Premium users normally and non-premium users after validating their username/password and checking that their username is non-premium

Effectively adding security for everyone, stopping account stealing, and not requiring any more effort for premium players and minimum effort for non-premium players.

Thulinma commented 12 years ago

Eh.... Isn't that exactly what my plugin does already? I must be missing something here.

stephen304 commented 12 years ago

Your plugin has all this setting password stuff that I don't want to bother my users with. I don't want them to have to type in extra commands after joining to play. I just want the server to handle all the authentication and for it to all be transparent so that the users don't notice.

Thulinma commented 12 years ago

Oh, but that's only a one-time-per-player thing to create an account for when the MC login servers are offline. I can make an option to disable that feature, if that was all you wanted. Easy enough.

stephen304 commented 12 years ago

I also don't need players to be renamed at all. After looking at how the communications work, I think it would be better fitted to my needs to use a host file/php solution, as I will not have to worry about compatibility (or any issues I might run into using a plugin) and I can also have my non premium users verified via the login box of the actual launcher.

Thulinma commented 12 years ago

Ah, of course. Yeah, that makes sense.

stephen304 commented 12 years ago

So I guess this is closed.