games647 / FastLogin

Checks if a minecraft player has a valid paid account. If so, they can skip offline authentication automatically. (premium auto login)
https://www.spigotmc.org/resources/fastlogin.14153
MIT License

Locks players out of their server specific account #648

Open ZenoCoding opened 2 years ago

ZenoCoding commented 2 years ago

What happened?

When I added fastlogin to the server, hoping to create a good experience for cracked and premium users, this is not what I got.

I tried to mark my account as premium (as I do own the account), not realizing that somehow, fast login had marked me as a separate UUID, marking my actual account with player data invalid. After several attempts at completely getting rid of offline mode and the authentication system, as well as the player data with the fake UUID, I am still locked out of my account.

What did you expect?

The plugin should look at Mojang's authentication servers or use an API to check whether the account is premium and if so, log it in and mark it that way. If it's not, then don't mark it. Especially, the plugin shouldn't create a new uuid for users that join.

Steps to reproduce

Add fastlogin and authme to your server.

Join the server.

Log out (not sure that this is necessary).

Log in

Type /premium twice.

Get locked out of your account and create several security issues.

Plugin list

AdvancedNMotd, AuthMe, CoreProtect, CustomPolls, DiscordSRV, Essentials, EssentialsChat, EssentialsSpawn, FastAsyncWorldEdit (WorldEdit), floodgate, Geyser-Spigot, Graves, InvSeePlusPlus, LocketteX, LuckPerms, PlaceholderAPI, PlugMan, ProtocolLib, QuickShop, SimpleStaffChat, TAB, Terra, TradeSystem, Vault, ViaBackwards, ViaRewind, ViaVersion, WorldGuard, WorldGuardGUI

Configuration file

No response

Server log

I deleted the config, in an attempt to wipe the inaccurate UUID. The only thing that I touched was trying to set the auto login feature to true.

Plugin version

v3.1

Platform

Spigot

Relevance

games647 commented 2 years ago

fast login had marked me as a separate UUID

Depending on your configuration, if you login with an online-mode connection, the premium UUID will be used. This could cause switching inventory data and permissions. This is also stated in the configuration file and is disabled by default.

I am still locked out of my account.

Login plugins are not connected to the UUID. So the account stays the same.

and if so, log it in and mark it that way. If it's not, then don't mark it

This is a separate issue. There is already an open issue with validating the premium request with a rejoin.

Get locked out of your account and create several security issues.

Interesting. What security issues do you have in mind? Your description sounded different. This issue is more about not finding the correct user data, but having the same account.

ZenoCoding commented 2 years ago

See- I'm not sure why it had marked me as a separate UUID, because I had never logged in using a cracked account, and I had simply logged in twice. But while my Minecraft UUID is actually "5b7a1960-578e-40f9-8690-505da4df0c56"

It registers as "a58965fd-05fc-3554-9ff5-0eb37fa016a6" even after trying to get rid of all links from that.

It isn't really a "security" issue - but the issue that seems to be the problem is that players can lose all their stuff just by marking themselves as premium, whether they are or not.

Thankfully I have since then gotten rid of the plugin, but it seems pretty cool, and would be a nice addon to my server, so If I could get it working then that would be great.

ZenoCoding commented 2 years ago

Tested on a copy of the server before I added the plugin- everything is fine and I have the right uuid.

games647 commented 2 years ago

It registers as "a58965fd-05fc-3554-9ff5-0eb37fa016a6" even after trying to get rid of all links from that.

a58965fd-05fc-3554-9ff5-0eb37fa016a6 - [1]

That's exactly your offline UUID. If you want to keep your premium UUID, you just have to enable that configuration option. If you are connecting through an online mode connection it will keep that premium UUID.

It isn't really a "security" issue - but the issue that seems to be the problem is that players can lose all their stuff just by marking themselves as premium, whether they are or not.

No it's the reverse actually. If you convert your server from offline mode to hybrid using a default configuration, everyone will keep their old offline mode UUID. All players even after verifying will use the offline UUID even though the premium is available, but it won't be used to keep using the old account data like the inventory.

Note this is from offline mode to hybrid. While with a server that is converting from premium mode to hybrid might want to enable premium UUID like in your case to keep accessing the existing inventory data that is accessible from the premium UUID.

but the issue that seems to be the problem is that players can lose all their stuff just by marking themselves as premium, whether they are or not.

That's exactly why the premiumUUID configuration option exists. It can be set depending on your use case.

[1] UUID.nameUUIDFromBytes(("OfflinePlayer:" + "Zqnqx").getBytes(StandardCharsets.UTF_8)) Minecraft's code for offline UUIDs
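To make the maintainer's footnote [1] concrete, here is an added Python example (not FastLogin's code, and not from either participant) that reproduces the vanilla offline-UUID derivation, `UUID.nameUUIDFromBytes("OfflinePlayer:" + name)`, which is an MD5-based version-3 UUID, and contrasts it with the random version-4 UUID Mojang assigns to premium accounts. The `resolve_datastore_uuid` function is my own reading of the maintainer's explanation in this thread: the premium UUID is only used when the premium-UUID option is enabled and the player arrived through an online-mode connection; otherwise the offline UUID is used. The option name `premium_uuid_option` and the function names are assumptions made for the example, not FastLogin's configuration keys.

```python
import hashlib
import uuid

# Premium (Mojang-assigned) UUID reported by the issue author in this thread.
THREAD_PREMIUM_UUID = uuid.UUID("5b7a1960-578e-40f9-8690-505da4df0c56")


def name_uuid_from_bytes(data: bytes) -> uuid.UUID:
    """Port of java.util.UUID.nameUUIDFromBytes: MD5 of the input, then the
    version nibble is set to 3 and the RFC 4122 variant bits are set.
    Python's UUID constructor applies exactly those bit changes when
    version=3 is passed."""
    digest = hashlib.md5(data).digest()  # 16 bytes, as Java's MD5 digest
    return uuid.UUID(bytes=digest, version=3)


def offline_uuid(player_name: str) -> uuid.UUID:
    """Offline-mode UUID exactly as vanilla Minecraft derives it (footnote [1])."""
    return name_uuid_from_bytes(("OfflinePlayer:" + player_name).encode("utf-8"))


def classify(candidate: str) -> str:
    """Tell an admin whether a UUID found in a datastore is name-based (offline)
    or random (premium). Offline UUIDs are always version 3, Mojang's are version 4."""
    version = uuid.UUID(candidate).version
    return {3: "offline (name-based v3)", 4: "premium (random v4)"}.get(version, "unknown")


def resolve_datastore_uuid(player_name: str, premium_uuid, online_mode_connection: bool,
                           premium_uuid_option: bool) -> uuid.UUID:
    """Assumed decision logic, modelled on the maintainer's description:
    the premium UUID is used only when the option is enabled AND the
    connection was verified against Mojang (online mode). With the default
    (option disabled) every player keeps the offline UUID, so existing
    offline-mode inventories stay reachable."""
    if premium_uuid_option and online_mode_connection and premium_uuid is not None:
        return premium_uuid
    return offline_uuid(player_name)


if __name__ == "__main__":
    name = "Zqnqx"  # player name quoted in the thread
    print("offline UUID for", name, "=", offline_uuid(name))
    print("classify(offline):", classify(str(offline_uuid(name))))
    print("classify(premium):", classify(str(THREAD_PREMIUM_UUID)))
    for option in (False, True):
        chosen = resolve_datastore_uuid(name, THREAD_PREMIUM_UUID, True, option)
        print(f"online-mode join, premium_uuid_option={option} -> {chosen}")
```

Running this shows why the two UUIDs in the thread can never collide: the offline one is fully determined by the name (so it is stable across reinstalls and config wipes, which is why deleting the config did not change it), while the premium one is independent random data. The version nibble (the character after the second hyphen) is the quick way to tell which kind a datastore entry belongs to.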

ZenoCoding commented 2 years ago

Ok, I've done all of that, but is there a way to transfer the data when the user runs /premium when they already have stuff? And they aren't getting automatically marked as premium when they join.

ZenoCoding commented 2 years ago

So, I've done some thinking, and hybrid shouldn't really use the premium UUID... so I'm not sure what to do, because it would be better to have it offline uuid for future players, but all players that have marked themselves as premium would get wiped...

games647 commented 2 years ago

Ok, I've done all of that, but is there a way to transfer the data when the user runs /premium when they already have stuff?

This is quite complicated. The UUID should be uniquely associated by definition. This has been a planned feature for a long time, but while it's quite easy to convert Minecraft vanilla data like inventory, position, etc. it's a lot of work for other plugins. It requires a kind of integration for every plugin that operates on player data to convert its datastore, because it assumed it already is unique.

and they aren't getting automatically marked as premium when they join.

This also depends on your configuration. There is a configuration option for that, but the default option was chosen to keep it deactivated. This design decision was made because new players would directly be assumed to be premium at first. If it happens to be a cracked player, they will see the message "Invalid session - Please restart your client". This message is client-side. For more details take a look at the corresponding FAQ question.

and hybrid shouldn't really use the premium UUID

As always it depends... notably name changes would then also mean another datastore entry.

but all players that have marked themselves as premium would get wiped...

If you come from offline mode, the data will be the same. FastLogin will override the premium UUID to the offline UUID if configured.