mcmidi-uwu / server

A plugin that hosts an endpoint that receives mcmidi note requests and relays them to other plugins.
MIT License

player authentication via tokens #2

Open TehBrian opened 3 years ago

TehBrian commented 3 years ago

Currently, anything can send note requests for any player on the server without authentication. This poses a huge security (and annoyance) risk. There should be some form of authentication to prevent player notes from being accepted from any sender but themself. There are a variety of ways that we could handle this.

  1. Grab the IP of the note request's sender and ensure that it is the same as the IP of the player.
    • Con: This method would prevent proxies from being used. Additionally, if the user is connecting on a device using a different IP address than what they're connecting to the server with (e.g. a phone on a cell tower), the IPs won't match either.
    • Pro: No player setup required.
  2. Via some command, send the player a unique "token" (password) which they must enter on the web interface (or send with each request) which would then be checked against.
    • Con: Requires player setup.
    • Pro: Virtually foolproof, easy to use and understand, and can work on any device.

Another question is, should authentication even be handled by mcmidi/server, or should it be left up to individual plugins depending on mcmidi to implement authentication themselves?

TehBrian commented 1 month ago

IP address matching is a no-go. Use a token. mcmidi/server should handle it; leaving each listener to re-roll authentication sucks and breaches the note event API.
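One way to implement the token option the thread settles on (issued once via a command, sent with each request, checked server-side by mcmidi/server before any note is relayed). This is an added example written for this page, not code from the mcmidi project; the request shape (`player`, `token`, `note` keys), the token lifetime and the result strings are assumptions.

```python
"""Per-player token authentication for mcmidi note requests.

Added example, not the plugin's own code. The request is assumed to be a
dict with "player", "token" and "note" keys; the real wire format is not
described on the page."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TokenStore:
    """One token per player, kept only as a SHA-256 digest so a leaked store
    does not hand out usable tokens. ttl_seconds (assumed value) bounds how
    long an issued token stays valid."""
    ttl_seconds: float = 3600.0
    _entries: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)

    def issue(self, player: str, now: Optional[float] = None) -> str:
        """Mint a fresh token for player (what the in-game command would show
        them) and remember its digest plus issue time. Re-issuing replaces the
        old token, which doubles as revoke-and-rotate."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[player] = (self._digest(token), now)
        return token

    def revoke(self, player: str) -> None:
        """Drop the player's token, e.g. on logout or on request."""
        self._entries.pop(player, None)

    def verify(self, player: str, presented: str, now: Optional[float] = None) -> bool:
        """True only if player has a live token whose digest matches presented.
        compare_digest keeps the comparison constant-time."""
        now = time.time() if now is None else now
        entry = self._entries.get(player)
        if entry is None:
            return False
        digest, issued_at = entry
        if now - issued_at > self.ttl_seconds:
            return False
        return hmac.compare_digest(digest, self._digest(presented))

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()


def handle_note_request(store: TokenStore, request: dict, now: Optional[float] = None) -> str:
    """Gate a note request before it reaches listening plugins.
    Returns "relayed" or a short rejection reason (constructed vocabulary)."""
    player = request.get("player")
    token = request.get("token")
    if not isinstance(player, str) or not isinstance(token, str):
        return "rejected: missing player or token"
    if not store.verify(player, token, now=now):
        return "rejected: bad or expired token"
    # Only an authenticated request gets relayed to the other plugins.
    return "relayed"


def demo() -> list:
    """Constructed scenario: two players, a borrowed token, a missing token,
    an unknown player, and one token that has outlived its TTL."""
    store = TokenStore(ttl_seconds=60)
    t0 = 1_000_000.0
    alice_token = store.issue("alice", now=t0)
    bob_token = store.issue("bob", now=t0)
    requests = [
        {"player": "alice", "token": alice_token, "note": 60},
        {"player": "alice", "token": bob_token, "note": 62},    # bob's token for alice
        {"player": "alice", "note": 64},                        # no token at all
        {"player": "carol", "token": alice_token, "note": 65},  # player never issued one
    ]
    results = [handle_note_request(store, r, now=t0 + 1) for r in requests]
    results.append(handle_note_request(store, requests[0], now=t0 + 61))  # expired
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keeping the check in the server, as the second comment argues, means every listener sees only requests that already passed `verify`, and the note event API stays unchanged; storing a digest rather than the token itself limits what a copied config file is worth.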