Bypass permission does not work

[john01dav]

Hello,

I am currently trying to setup a server where two factor authentication is mandatory for staff members, but seemingly non-existent to players. I feel this provides a good balance of security and usability. I attempted to create this by giving all players the flexiblelogin.bypass permission, and denying this permission for staff members. I enabled the "bypassPermission" setting in the config.conf file. When this didn't work, with all players being subject to "/register" spam upon join, I enabled the "playerPermissions" setting, which had no effect. I have verified multiple times that the flexiblelogin.bypass permissions is correctly assigned.

How can I ensure that all staff members are protected via 2fa, but that non-staff players aren't bothered by it?

LuckPerms Version: 3.4.52 FlexibleLogin Version: 0.16.2 SpongeForge Version: 1.12.2-2529-7.0.0-BETA-2730 Modpack: FTB Horizons III

FlexibleLogin Config:

bypassPermission=true
# Should only the specified commands be protected from unauthorized access
commandOnlyProtection=false
# Email configuration for password recovery
emailConfiguration {
    # Username for the account you want to the email from
    account=""
    # Is password recovery using an email allowed
    enabled=false
    # Mail server
    host="smtp.gmail.com"
    # Password for the account you want to the email from
    password=""
    # SMTP Port for outgoing messages
    port=465
    # Displays as sender in the email client
    senderName="Your minecraft server name"
    # Email subject/title

    subject="Your new Password"
    # Email contents. You can use HTML here
    text="New password for %player% on Minecraft server %server%: %password%"
}
# Algorithms for hashing user passwords. You can also choose totp
hashAlgo=totp
# Should the plugin login users automatically if it's the same account from the same IP
ipAutoLogin=false
# Custom command that should run after the user tried to make too many attempts
lockCommand=""
# How many login attempts are allowed until everything is blocked
maxAttempts=3
# How many accounts are allowed per ip-addres. Use 0 to disable it
maxIpReg=0
# Interval where the please login will be printed to the user
messageInterval=2
# The user should use a strong password
minPasswordLength=4
# Should this plugin check for player permissions
playerPermissions=true
# If command only protection is enabled, these commands are protected. If the list is empty all commands are protected
protectedCommands=[
    op,
    pex
]
# Teleport the player to a safe location based on the last login coordinates
safeLocation=true
# Database configuration
sqlConfiguration {
    # Database name
    database=flexiblelogin
    # Password in order to login
    password=""
    # Path where the database is located. This can be a file path (h2/SQLite) or an IP/Domain (MySQL/MariaDB)
    path="%DIR%"
    # Port for example MySQL connections
    port=3306
    # SQL server type. You can choose between h2, SQLite and MySQL/MariaDB
    type=H2
    # It's strongly recommended to enable SSL and setup a SSL certificate if the MySQL/MariaDB server isn't running on the same machine
    useSSL=false
    # Username to login the database system
    username=""
}
teleportConfig {
    coordX=0
    coordY=0
    coordZ=0
    # Should the plugin use the default spawn from the world you specify below
    defaultSpawn=false
    enabled=false
    # Spawn world or let it empty to use the default world specified in the server properties
    worldName=""
}
# Number of seconds a player has time to login or will be kicked.-1 deactivates this features
timeoutLogin=60
# Should the plugin save the login status to the database
updateLoginStatus=false
# How seconds the user should wait after the user tried to make too many attempts
waitTime=300

[ziceptor]

@games647, when do you plan to fix this?

[john01dav]

@games647 Do I need to write my own plugin, since yours apparently doesn't work?

[ljacqu]

Do I need to write my own plugin

"What is a pull request"