elyby / accounts Goto Github PK

View Code? Open in Web Editor NEW

19.0 19.0 4.0 1.51 MB

Authentication service for the Ely.by and Minecraft

Home Page: https://account.ely.by

License: Apache License 2.0

PHP 99.05% Dockerfile 0.60% Shell 0.34%

accounts's People

Contributors

Stargazers

Watchers

Forkers

mrthursby striderghost theprimedev

accounts's Issues

Allow to login via E-mail when 2FA is enabled

^ the title.

Error when start Paper 1.12.2 with adding authlib

Do all what writed in https://docs.ely.by/en/minecraft-auth.html#paper-paperspigot

Loading libraries, please wait...
[00:15:43 INFO]: Environment: ElyEnvironment[name=ely,authHost=https://authserver.ely.by/auth,accountsHost=https://account.ely.by/api/mojang,sessionHost=https://account.ely.by/api/minecraft/session,servicesHost=]
[00:15:43 INFO]: [STDERR]: java.lang.NoSuchMethodError: com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.(Lcom/mojang/authlib/yggdrasil/YggdrasilAuthenticationService;)V
[00:15:43 INFO]: [STDERR]: at com.destroystokyo.paper.profile.PaperMinecraftSessionService.(PaperMinecraftSessionService.java:14)

Can't connect with Official MC

Made a PaperMC 1.16.5 build 470 server and applied authlib-2.0.27.5, commons-io-2.5 and commons-lang3-3.5.

Works fine with Ely.by accounts, but as soon as I try to join the server with an official MC account, the server drop a "Failed to verify username".

The console says:
Username <user> tried to join with an invalid session

Add authenticated OAuth applications management

Allow users to get list of authenticated applications and revoke access for some of them.

Automatic restoration of control over nickname for Mojang accounts

I think that there are very few such users, and it will be easier to do it all manually, but I will still describe what I mean.

The player on a special page submits a request, which contains the email and Mojang nickname.
The service sends to email a skin that is generated randomly (it is not selected from the library, it is generated).
The player installs the skin into their Mojang account and returns to the service to check if the skin is installed correctly.
If the skin is installed, it allows you to continue registration with this nickname. The player who previously had this account receives a letter stating that his nickname has been transferred to the ownership of the Mojang player.

UUID in response should not contain dashes

According to wiki.vg, the UUID in https://authserver.ely.by/auth/authenticate response should not contain dashes (-).

For example, the profile id in the response below should be 5a0dcde6806b4b7cbe5d08c9d74d86c7, not 5a0dcde6-806b-4b7c-be5d-08c9d74d86c7.

$ http post https://authserver.ely.by/auth/authenticate [email protected] password=****** clientToken=******
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Security-Policy: default-src 'none';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/;img-src 'self' data: www.google-analytics.com;font-src 'self' data:;connect-src 'self' https://sentry.io https://sentry.ely.by;frame-src https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/
Content-Type: application/json; charset=UTF-8
Date: Mon, 15 Feb 2021 17:07:06 GMT
Server: nginx
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block

{
    "accessToken": "******",
    "availableProfiles": [
        {
            "id": "5a0dcde6-806b-4b7c-be5d-08c9d74d86c7",
            "legacy": false,
            "name": "yushijinhun"
        }
    ],
    "clientToken": "******",
    "selectedProfile": {
        "id": "5a0dcde6-806b-4b7c-be5d-08c9d74d86c7",
        "legacy": false,
        "name": "yushijinhun"
    }
}

https://authserver.ely.by/auth/refresh is also affected by this problem.

The OAuth flow does not support localhost/127.0.0.1 (or possibly custom port)

Why is this needed

For debug purposes

Steps to reproduce

Register app with redirect url = http://127.0.0.1:5000/ely/oauth
Visit https://account.ely.by/oauth2/v1?client_id=<your_id>&redirect_uri=http://127.0.0.1:5000/ely/oauth&response_type=code&scope=account_info
Critical error :(

Allow users to delete their accounts

Very frequently requested function.

But since the project is divided into several independent services, before we will delete an account, first we must notify the main site, which in turn will have to notify the Chrly service.

It is also necessary to consider protection against accidental removal.

The OAuth flow can't be finished by sending POST request with JSON-encoded body

The title ^

Rework E-mail changing flow

Allow users to change their E-mail without confirming their current one, but send to the old E-mail a message with a link to immediately restore access to the account.

Resolve "offline" UUIDs to correct players

We've had a number of PollyMC users complain that skins are not visible when using an authlib-injector+Ely.by client with an online-mode=false server: fn2006/PollyMC#107, fn2006/PollyMC#58. The authlib-injector client does attempt to load player skins from the API server even on online-mode=false servers, but it requests them via the player's "offline UUID" (derived from the player's username), and Ely.by responds with a 204 No Content.

What if Ely.by tried to find players by their "offline UUID" if the requested UUID can't be found? At least for the /sessionserver/session/minecraft/profile/<UUID> route used by the client to get player skins. I implemented this behavior in my authentication server: unmojang/drasl@e8537ea, and it seems to work well. I calculate and store the player's offline UUID everytime their username is changed, and then on some API routes, I fall back to looking up by offline UUID if the requested UUID can't be found.

Another, possibly better approach to solve the problem would be to modify authlib-injector to look up skins by player name in offline mode, like Ely.by's patched authlib seems to do. I've asked the developers about it, but they haven't gotten back to me yet.

Lost acess to email

So, i have an account named ANDREI12333 and the domain of the email expired so i can't change it anymore so can you guys change it for me please i proof is under this message.

Block mail domain seznam.cz

We received a lot of false-positive abuse reports for this mail service. To protect reputation of our domain I want to disallow to interact with this mailing service.

authlib-injector support

authlib-injector is a project that aims to provide an alternative to Mojang's authentication system, which is similar to ely.by. However, authlib-injector does not use a centralized authentication server. It provides specifications for implementing authentication APIs, and encourages people to create and deploy their own authentication servers. (some detailed description of this project)

I'm wondering if you can support authlib-injector.

no skin

Minecraft versions below 1.3 have no skins even though I have my own skin selected. Please help with this issue.

Unhandled exception when the OAuth2's code can't be decoded

Sentry Issue: ACCOUNTS-2

RangeException: Base64::decode() only expects characters in the correct base64 alphabet
  File "/var/www/html/vendor/paragonie/constant_time_encoding/src/Base64.php", line 206, in decode
    throw new \RangeException(
  File "components/Tokens/Component.php", line 111, in decryptValue
    $decoded = Base64UrlSafe::decode($encryptedValue);
  File "components/OAuth2/CryptTrait.php", line 23, in decrypt
    return Yii::$app->tokens->decryptValue($encryptedData);
  File "/var/www/html/vendor/league/oauth2-server/src/Grant/AuthCodeGrant.php", line 114, in respondToAccessTokenRequest
    $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
  File "/var/www/html/vendor/league/oauth2-server/src/AuthorizationServer.php", line 198, in respondToAccessTokenRequest
    $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
...
(9 additional frame(s) were not displayed)

Cannot check premium state from authlib-injector

Hello, I am sorry if this is not the right place to ask, but I figured that this can only be fixed from ely.by side.

I recently tried authlib-injector to use ely.by as authentication method. Everything works perfectly until some plugins trying to check user premium state by querying /api/users/profiles/minecraft/

I tried to open the api endpoint from browser ( authserver.ely.by/api/users/profiles/minecraft/ ), it works as intended. But when i try it with authlib-injector in the server, the plugin that checks premium state throws error, because authlib-injector has different endpoint from what i see in the log ( authserver.ely.by/api/authlib-injector/api/users/profiles/minecraft/ )

here's the error log

[01:19:24 INFO]: [FastLogin] Handling player <user name>
[01:19:24 ERROR]: [FastLogin] Failed to check premium state for <user name>
java.io.FileNotFoundException: https://authserver.ely.by/api/authlib-injector/api/users/profiles/minecraft/<user name>
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1974) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1969) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:738) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1968) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250) ~[?:?]
        at com.github.games647.craftapi.resolver.MojangResolver.findProfile(MojangResolver.java:179) ~[?:?]
        at com.github.games647.fastlogin.core.shared.JoinManagement.onLogin(JoinManagement.java:55) ~[?:?]
        at com.github.games647.fastlogin.bukkit.listener.protocollib.NameCheckTask.run(NameCheckTask.java:45) ~[?:?]
        at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1736) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:836) [?:?]
Caused by: java.io.FileNotFoundException: https://authserver.ely.by/api/authlib-injector/api/users/profiles/minecraft/<user name>
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334) ~[?:?]
        at com.github.games647.craftapi.resolver.MojangResolver.findProfile(MojangResolver.java:164) ~[?:?]
        ... 6 more
[01:19:24 ERROR]: [FastLogin] Failed to check premium state of <user name>
java.io.FileNotFoundException: https://authserver.ely.by/api/authlib-injector/api/users/profiles/minecraft/<user name>
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1974) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1969) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:738) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1968) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1536) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250) ~[?:?]
        at com.github.games647.craftapi.resolver.MojangResolver.findProfile(MojangResolver.java:179) ~[?:?]
        at com.github.games647.fastlogin.core.shared.JoinManagement.onLogin(JoinManagement.java:55) ~[?:?]
        at com.github.games647.fastlogin.bukkit.listener.protocollib.NameCheckTask.run(NameCheckTask.java:45) ~[?:?]
        at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1736) ~[?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:836) [?:?]
Caused by: java.io.FileNotFoundException: https://authserver.ely.by/api/authlib-injector/api/users/profiles/minecraft/<user name>
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920) ~[?:?]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527) ~[?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334) ~[?:?]
        at com.github.games647.craftapi.resolver.MojangResolver.findProfile(MojangResolver.java:164) ~[?:?]
        ... 6 more

Possible fix : points https://authserver.ely.by/api/authlib-injector/api/ to https://authserver.ely.by/api/

Thank you !

SSL Certificate Expired! Urgent

The SSL certificate for the login server expired on Dec 17th 2022 so now it's not possible to log in via a minecraft launcher which supports ely.by login.

Profile info API

Can you implement https://mojang-api-docs.netlify.app/needs-auth/view-profile.html this API?

Cannot build Docker container: can't fetch Debian repos due to 404

The problem

The Docker container cannot be built as-is due to an error related to Debian repositories:

Developer Environment

I am running Windows 10 LTSC 2021 (19044). I installed PhpStorm via Toolbox, and PHP7 via the official archives. When I opened the project, PhpStorm suggested that it can download Composer and install the needed dependencies. After agreeing to that, a composer.phar file appeared, and IDE features started working correctly.
I also had WSL2 installed with Arch

A few days later, I needed to run the backend locally to test a session server fix. I installed Docker Desktop, left the WSL2 backend as the default. Firstly, I ran the cp commands at the top of the guide. When I tried to run docker-compose up -d. I ran into an error shown on the screenshot above.

Retrieving a Minecraft profile with no skin returns an empty array instead of an empty object

When retrieving a Minecraft profile using /api/minecraft/session/profile/<UUID>, the Base64-encoded texture information will have an empty array in the textures field if the user did not set a skin on the website and there's no Mojang account to proxy a skin from. However, the Mojang implementation always returns an empty object and launchers that explicitly check that it's an object will fail to add the profile until the user has set a skin