games647 / flexiblelogin Goto Github PK

View Code? Open in Web Editor NEW

88.0 12.0 23.0 803 KB

A Sponge minecraft server plugin for second factor authentication

Home Page: https://forums.spongepowered.org/t/8872

License: MIT License

Java 100.00%

cracked minecraft sponge 2fa authentication auth security plugin mod

flexiblelogin's Introduction

FlexibleLogin

Security advisories:

These contains a list of security fixes for transparency. This should get you informed quickly and deploy patched versions promptly.

ID	Severity	Affected	Patched	Impact + Relevance	References
1	Moderate	FlexibleLogin between 0.18 and 0.18.1	SpongeForge > RC4005 or in FlexibleLogin 0.18.1 is a workaround	Exploit for inventory duplication if not logged in (ex: survival servers)	Introduced, Fixed Sponge, Workaround
2	High	FlexibleLogin between 0.16 and 0.16.5	FlexibleLogin 0.16.5	Change password command permission check (If command usage is allowed)	Introduced, Fixed

Details:

SpongeCommon introduced a bug for not capturing the inventory changes on crafting with number press usage. This allows inventory item duplication in combination with FlexibleLogin if the user is not logged in. Sponge fixed in the mentioned above build and commit. So you should update your server version. If that's not possible, FlexibleLogin 0.18.1 includes a workaround. Alternative you could remove the inventory until the player logs in.
FlexibleLogin had an incorrect permission check for using the change password command. This allowed unauthorized players to use the command. There is no known usage that this was actively used.

If you have any questions or comments about this advisories, please:

Open a issue
Send a private message on the Sponge Forums

Description

A Sponge Minecraft server plugin for second authentication. It has a built-in TOTP support.

Do you want to let your players protect their account (from hackers/login stealer) and keep playing while the session server is down. You can use this little plugin. You can protect your account with a password you choose or with a time based password created from a secret key, generated just for you.

Requirements

Sponge 7.1+
Java 8+

Language

This plugin has configurable language files. By default it only ships the english version of it, but there are community driven templates on the wiki page: https://github.com/games647/FlexibleLogin/wiki

Commands

User commands:
/reg /register <password> <password> - Registers using a specific password
/register - Generates your secret code for TOTP
/changepw /cp /changepassword <password> <password> - Changes your current password
/log /l /login <password|code> - Login using your password or time based code
/logout - Logs you out
/mail /setemail - Sets your mail address
/forgot /forgotpassword - Sends a recovery mail to the mail address
/unregister <uuid|name> - delete an account

Admin commands: (you can use /flexiblelogin as an alias) 
/fl <reload|rl> - reloads the config
/fl forcelogin <name> - Force login the user
/fl <accounts|acc> <name|ip> - Get list of user accounts
/fl <unregister|unreg> <name|uuid|--all> - Deletes the account of a user or all using the -a flag
/fl <register|reg> <name|uuid> <pass> - Register the user with a specific password
/fl <resetpw|resetpassword> <name> - Sets a new temp password for a new user

Permissions

flexiblelogin.admin - Permission to delete accocunts
flexiblelogin.command.login - Use the /login command
flexiblelogin.command.logout - Use the /logout command
flexiblelogin.command.changepw - Use the /changepassword command
flexiblelogin.command.register - Use the /register command
flexiblelogin.command.mail - Use the /setemail command
flexiblelogin.command.forgot - Use the /forgot command
flexiblelogin.no_auto_login - Players with this won't be auto logged in by the ip auto login feature
flexiblelogin.bypass - Users who have this permission can skip authentication

Config

# Should unregistered player be able to join the server?
allowUnregistered=true
# Do you allow your users to skip authentication with the bypass permission
bypassPermission=false
# Should the player name always be case sensitive equal to the time the player registered?
caseSensitiveNameCheck=true
# Should only the specified commands be protected from unauthorized access
commandOnlyProtection=false
# Email configuration for password recovery
emailConfiguration {
    # Username for the account you want to the mail from
    account=""
    # Email contents. You can use HTML here
    contentTemplate {
        arguments {}
        closeArg="}"
        content {
            text="New password for Builder{name=player, optional=true} on Minecraft server Builder{name=server, optional=true}: Builder{name=, optional=true}"
        }
        openArg="{"
        options {
            closeArg="}"
            openArg="{"
        }
    }
    # Is password recovery using an mail allowed
    enabled=false
    # Mail server
    host="smtp.gmail.com"
    # Password for the account you want to the mail from
    password=""
    # SMTP Port for outgoing messages
    port=465
    # Displays as sender in the mail client
    senderName="Your Minecraft server name"
    # Email subject/title
    subjectTemplate {
        arguments {}
        closeArg="}"
        content {
            text="Your new Password"
        }
        openArg="{"
        options {
            closeArg="}"
            openArg="{"
        }
    }
}
# Algorithms for hashing user passwords. You can also choose totp
hashAlgo=bcrypt
# Should the plugin login users automatically if it's the same account from the same IP
ipAutoLogin=false
# Custom command that should run after the user tried to make too many attempts
lockCommand=""
# How many login attempts are allowed until everything is blocked
maxAttempts=3
# How many accounts are allowed per ip-address. Use 0 to disable it
maxIpReg=0
# Interval where the please login will be printed to the user
messageInterval=2
# The user should use a strong password
minPasswordLength=4
# Should this plugin check for player permissions
playerPermissions=false
# Experimental feature to protect permissions for players who aren't logged in yet
protectPermissions=false
# If command only protection is enabled, these commands are protected. If the list is empty all commands are protected
protectedCommands=[
    op,
    pex
]
# Teleport the player to a safe location based on the last login coordinates
safeLocation=false
# Database configuration
sqlConfiguration {
    # Database name
    database=flexiblelogin
    # Password in order to login
    password=""
    # Path where the database is located. This can be a file path (h2/SQLite) or an IP/Domain (MySQL/MariaDB)
    path="%DIR%"
    # Port for example MySQL connections
    port=3306
    # SQL server type. You can choose between h2, SQLite and MySQL/MariaDB
    type=H2
    # It's strongly recommended to enable SSL and setup a SSL certificate if the MySQL/MariaDB server isn't running on the same machine
    useSSL=false
    # Username to login the database system
    username=""
}
# Should the plugin don't register alias /l (used by some chat plugins) for /login command 
supportSomeChatPlugins=false
teleportConfig {
    coordX=0
    coordY=0
    coordZ=0
    # Should the plugin use the default spawn from the world you specify below
    defaultSpawn=false
    enabled=false
    # Spawn world or let it empty to use the default world specified in the server properties
    worldName=""
}
# Number of seconds a player has time to login or will be kicked.-1 deactivates this features
timeoutLogin=60
# Should the plugin save the login status to the database
updateLoginStatus=false
# Regular expression for verifying validate player names. Default is a-zA-Z with 2-16 length
validNames="^\\w{2,16}$"
# How seconds the user should wait after the user tried to make too many attempts
waitTime=300

Downloads

https://github.com/games647/FlexibleLogin/releases

Development builds

Development builds of this project can be acquired at the provided CI (continuous integration) server. It contains the latest changes from the Source-Code in preparation for the following release. This means they could contain new features, bug fixes and other changes since the last release.

Nevertheless builds are only tested using a small set of automated and a few manual tests. Therefore they could contain new bugs and are likely to be less stable than released versions.

https://ci.codemc.org/job/Games647/job/FlexibleLogin/changes

Screenshots:

TOTP Key generation (/register)

TOTP App

You can see there a time generated code which can be used for the login process. /login <code> Additionally it display your user account name and the server ip.

Apps (Open-Source only)

IOS

Authenticator AppStore
FreeOTP AppStore

Android

andOTP F-Droid PlayStore
Yubico Authenticator F-Droid PlayStore
- Requires YubiKey hardware token
OnlyKey U2F PlayStore
- Requires OnlyKey hardware token

Desktop (Linux, Mac, Windows):

YubiKey Authenticator Download
- Requires YubiKey hardware token
NitroKey App Download
- Requires Nitrokey hardware token
OnlyKey App Chromium Store
- Requires OnlyKey hardware token

flexiblelogin's People

Contributors

Stargazers

Watchers

flexiblelogin's Issues

[Suggestion] Hide player's inventory when not logged in.

Title.

Change login alias from /l -> /log

I see you worked on the plugin. But don't put the jar file. Plan something else to add or just forgot?

Server crashing on failed user login

Running:
Flexible Login 12.3
Sponge API: 5.1.0 Snapshot 6459642
SpongeForge 1.10.2-2221-5.1.0 Beta 2142
MinecraftForge 12.18.3.2221

EDIT:
Removed config for space

v.0.9.1 breaks database from v.0.8 and earlier

When I use the latest version it deletes the current database and requires everyone to re-register again.

AuthMe compatibility

Hello,

Can I ask you about AuthMe DB compatibility? I want to run new server on SpongeForge for 1.10.2, but I have to use AuthMe 'cause of web login connected with game. And on other servers I can't run Sponge.

textConfiguration is not complete

I can't change the text string "logged in" and string "Type /register or /login to login in" on the textConfiguration

Remove the "plugin" parameter from all constructors.

public LoginCommand(FlexibleLogin plugin) {
        this.plugin = plugin;
    }

Look at this constructor. The plugin parameter should not be needed, as I have FlexibleLogin.getInstance() for this reason.

The suggestion for a reload command

I suggest to add a command to reload the config file. I trust it will be more convienient to edit the config file.

Some Errors

http://pastebin.com/iRSSkjbN

Account Lockout

Just like any website / email:

If a user attempted more than the allowed amount of tries (config option) it will tempban the account for X amount of time (config option)

Logout and then Login will be teleported into room

Hello, when I stand on front of a iron_door, and I logout and then login, I am teleported into the room! The situation is that Iron_door and me are on the same block, door is on the north size of the block, then I am teleported to the north size block of the door. But not using FlexibleLogin will be normal. my version is spongevanilla-1.8.9-4.2.0-BETA-343, spongevanilla-1.8.9-3.1.0-BETA-248, both of them the same bug!

Reload command problem

The admin command problem:

When I use:
/flexiblelogin reload

Console show me this:
Not enough arguments!
Usage: /flexiblelogin <account> resetpw|reload|unregister|register

Need a account name?! What is the relationship between "reload" and "account"?
So I think the Reload command should be independent.

Lock account while logged in?

Some users are being douche bags and are logging into players who are already logged in which causes them to be kicked, can a command be added to /lockaccount which won't let anyone else login while they are authenticated?

Installation instructions

Hi,

Would you mind providing installation instructions?

I have placed the FlexibleLogin plugin in the mods directory of the Forgeserver in which also Sponge is placed, sponge gets registered during start, but the plugin does not and no configuration file is generated.

Kind regards

Login fails

A message appears on successful login. You can play, run commands... But after a few seconds automatically exit and the message that the time for entry has expired.

timeoutLogin=50

People can drop items before they login into the account

#34 (comment)
The problem is still existing. Now, if people use "q" to try to drop some items before login, items will not be dropped on the ground, but items will be deleted.

FlexibleLogin Ignores Bypass Permission in LuckPerms

Hello,

I am using FlexibleLogin with LuckPerms on Sponge with the FTB Infinity modpack. When I give my users the flexiblelogin.bypass permission, although they are not spammed with the /register message, they still get kicked after the login timeout. I would like to only require staff members to /register and to disable it for regular users.

Screenshot of default group's permissions:

Versions:
Luckperms: v3.0.41
Minecraft: 1.10.2
SpongeAPI: 5.2.0-SNAPSHOT-a3257a0
SpongeForge: 1.10.2-2254-5.2.0-BETA-2230
Minecraft Forge: 12.18.3.2254
FlexibleLogin: 0.12.3

[Suggestion] Some details.

When a player in a state that is already logged in, then he uses the /login command again, why is it still prompted "Logged in"? I think it should be prompt: Please do not repeat the login. :P
If a player uses /logout, why there is no "Not logged in. Type /login ........." prompt?

Version for API 4.x

Since it looks like API 5 won't be stable for some time, and players can run command, chat, move around which is a huge issue

Error feedback

FlexibleLogin v0.9.2
spongeforge-1.8.9-1890-4.2.0-BETA-1653
forge-1.8.9-11.15.1.1902-1.8.9-universal

[03:39:42] [Server thread/ERROR] [Sponge/]: Could not pass ClientConnectionEvent$Disconnect$Impl to org.spongepowered.mod.plugin.SpongeModPluginContainer@5e395b5f
java.lang.NullPointerException
    at java.util.concurrent.ConcurrentHashMap.replaceNode(Unknown Source) ~[?:1.8.0_101]
    at java.util.concurrent.ConcurrentHashMap.remove(Unknown Source) ~[?:1.8.0_101]
    at com.github.games647.flexiblelogin.listener.ConnectionListener.onPlayerQuit(ConnectionListener.java:53) ~[ConnectionListener.class:?]
    at org.spongepowered.common.event.listener.DisconnectListener_ConnectionListener_onPlayerQuit31.handle(Unknown Source) ~[?:?]
    at org.spongepowered.common.event.RegisteredListener.handle(RegisteredListener.java:95) ~[RegisteredListener.class:1.8.9-1890-4.2.0-BETA-1653]
    at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:201) [SpongeModEventManager.class:1.8.9-1890-4.2.0-BETA-1653]
    at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:184) [SpongeModEventManager.class:1.8.9-1890-4.2.0-BETA-1653]
    at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:229) [SpongeModEventManager.class:1.8.9-1890-4.2.0-BETA-1653]
    at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:214) [SpongeModEventManager.class:1.8.9-1890-4.2.0-BETA-1653]
    at org.spongepowered.common.SpongeImpl.postEvent(SpongeImpl.java:129) [SpongeImpl.class:1.8.9-1890-4.2.0-BETA-1653]
    at net.minecraft.network.NetHandlerPlayServer.redirect$onDisconnectHandler$0(NetHandlerPlayServer.java:439) [lm.class:?]
    at net.minecraft.network.NetHandlerPlayServer.func_147231_a(NetHandlerPlayServer.java:704) [lm.class:?]
    at net.minecraft.network.NetworkManager.func_179293_l(NetworkManager.java:449) [ek.class:?]
    at net.minecraft.network.NetworkSystem.func_151269_c(NetworkSystem.java:183) [ll.class:?]
    at net.minecraft.server.MinecraftServer.func_71190_q(MinecraftServer.java:724) [MinecraftServer.class:?]
    at net.minecraft.server.dedicated.DedicatedServer.func_71190_q(DedicatedServer.java:344) [ko.class:?]
    at net.minecraft.server.MinecraftServer.func_71217_p(MinecraftServer.java:605) [MinecraftServer.class:?]
    at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:481) [MinecraftServer.class:?]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_101]

Register/login notice does not come up on unregistered users' appearance

Using 0.4.1.

[20:27:54] [pool-2-thread-1/ERROR] [Sponge]: The Scheduler tried to run the task flexiblelogin-A-0 owned by Plugin{id=flexiblelogin, name=FlexibleLogin, version=0.4}, but an error occured.
java.lang.NullPointerException
        at com.github.games647.flexiblelogin.listener.PlayerConnectionListener.lambda$onPlayerJoin$0(PlayerConnectionListener.java:34) ~[PlayerConnectionListener.class:?]
        at org.spongepowered.api.scheduler.Task$Builder.lambda$execute$9(Task.java:138) ~[Task$Builder.class:1.8-1577-3.0.0-BETA-1000]
        at org.spongepowered.common.scheduler.SchedulerBase.lambda$startTask$55(SchedulerBase.java:177) ~[SchedulerBase.class:1.8-1577-3.0.0-BETA-1000]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_66]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_66]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_66]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_66]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_66]

auto login

ipAutoLogin=true
Stopped working! For all. Requires login.

forge-1.11-13.19.1.2195-universal.jar
spongeforge-1.11-2195-6.0.0-BETA-2004.jar
FlexibleLogin.jar latest

Empty MYSQL login details

I have filled config user and password, but It looks like empty during startup so I cannot connect to database.

My config:
http://pastebin.com/YhGmsEeg

FML log:
http://pastebin.com/rMieAHCw

Error starts on line 1195

Error feedback

[00:26:38] [Server thread/ERROR] [Sponge/sponge]: Could not pass FMLInitializationEvent to org.spongepowered.mod.plugin.SpongeModPluginContainer@64b0774
java.lang.NoClassDefFoundError: org/spongepowered/api/event/entity/DisplaceEntityEvent$TargetPlayer
at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_101]
at java.lang.Class.privateGetDeclaredMethods(Unknown Source) ~[?:1.8.0_101]
at java.lang.Class.privateGetPublicMethods(Unknown Source) ~[?:1.8.0_101]
at java.lang.Class.getMethods(Unknown Source) ~[?:1.8.0_101]
at org.spongepowered.common.event.SpongeEventManager.registerListener(SpongeEventManager.java:181) ~[SpongeEventManager.class:1.10.2-2026-5.0.0-BETA-1599]
at org.spongepowered.common.event.SpongeEventManager.registerListeners(SpongeEventManager.java:225) ~[SpongeEventManager.class:1.10.2-2026-5.0.0-BETA-1599]
at com.github.games647.flexiblelogin.FlexibleLogin.onInit(FlexibleLogin.java:176) ~[FlexibleLogin.class:?]
at org.spongepowered.common.event.listener.GameInitializationEventListener_FlexibleLogin_onInit3.handle(Unknown Source) ~[?:?]
at org.spongepowered.common.event.RegisteredListener.handle(RegisteredListener.java:95) ~[RegisteredListener.class:1.10.2-2026-5.0.0-BETA-1599]
at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:354) [SpongeModEventManager.class:1.10.2-2026-5.0.0-BETA-1599]
at org.spongepowered.mod.event.SpongeModEventManager.post(SpongeModEventManager.java:395) [SpongeModEventManager.class:1.10.2-2026-5.0.0-BETA-1599]
at org.spongepowered.mod.SpongeMod.onStateEvent(SpongeMod.java:205) [SpongeMod.class:1.10.2-2026-5.0.0-BETA-1599]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_101]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_101]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_101]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_101]
at com.google.common.eventbus.EventSubscriber.handleEvent(EventSubscriber.java:74) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.SynchronizedEventSubscriber.handleEvent(SynchronizedEventSubscriber.java:47) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.dispatch(EventBus.java:322) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.dispatchQueuedEvents(EventBus.java:304) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.post(EventBus.java:275) [minecraft_server.1.10.2.jar:?]
at net.minecraftforge.fml.common.LoadController.sendEventToModContainer(LoadController.java:239) [LoadController.class:?]
at net.minecraftforge.fml.common.LoadController.propogateStateMessage(LoadController.java:217) [LoadController.class:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_101]
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_101]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:1.8.0_101]
at java.lang.reflect.Method.invoke(Unknown Source) ~[?:1.8.0_101]
at com.google.common.eventbus.EventSubscriber.handleEvent(EventSubscriber.java:74) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.SynchronizedEventSubscriber.handleEvent(SynchronizedEventSubscriber.java:47) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.dispatch(EventBus.java:322) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.dispatchQueuedEvents(EventBus.java:304) [minecraft_server.1.10.2.jar:?]
at com.google.common.eventbus.EventBus.post(EventBus.java:275) [minecraft_server.1.10.2.jar:?]
at net.minecraftforge.fml.common.LoadController.redirect$onPost$0(LoadController.java:53) [LoadController.class:?]
at net.minecraftforge.fml.common.LoadController.distributeStateMessage(LoadController.java:142) [LoadController.class:?]
at net.minecraftforge.fml.common.Loader.initializeMods(Loader.java:788) [Loader.class:?]
at net.minecraftforge.fml.server.FMLServerHandler.finishServerLoading(FMLServerHandler.java:107) [FMLServerHandler.class:?]
at net.minecraftforge.fml.common.FMLCommonHandler.onServerStarted(FMLCommonHandler.java:333) [FMLCommonHandler.class:?]
at net.minecraft.server.dedicated.DedicatedServer.func_71197_b(DedicatedServer.java:214) [ld.class:?]
at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:431) [MinecraftServer.class:?]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_101]
Caused by: java.lang.ClassNotFoundException: org.spongepowered.api.event.entity.DisplaceEntityEvent$TargetPlayer
at net.minecraft.launchwrapper.LaunchClassLoader.findClass(LaunchClassLoader.java:191) ~[launchwrapper-1.12.jar:?]
at java.lang.ClassLoader.loadClass(Unknown Source) ~[?:1.8.0_101]
at java.lang.ClassLoader.loadClass(Unknown Source) ~[?:1.8.0_101]
... 40 more
Caused by: java.lang.NullPointerException

chinese translate

i just translate your job to chinese,can you add it into future releases?

A few feature requests

Ability for an admin to change a users password
Setting recovering information to prove account identity
Maximum registrations per ip-address
Locking a account for X amount of time after X amount of attempts
Ability to /logout to prevent ip-sessions from auto-logging in
Minimum password length
Ability for an admin to change a users password
Maximum registrations per ip-address
Locking a account for X amount of time after X amount of attempts
Ability to /logout to prevent ip-sessions from auto-logging in
Minimum password length

(Game game, Logger logger) method in constructors of classes is no longer needed

In my latest pull request #6 I added a safe getInstance() method in the main plugin class, which allows you to easily get an instance of Game and Logger. Because of this, the Game and Logger parameters in the constructor of most classes are no longer required.

(You also removed the getInstance() method I created, I want it back)

About help documentation system

I think we need a more complete help documentation system, or, we need a frequently updated document system. I think we should make good use of Github's Wiki system.

jar file

Could you put the jar file with the last hotfix?

Improve the administrator command

Make a command like "/flexiblelogin" to be a Admin Command.

Create account in server's console. (Like: /flexiblelogin register ............) (Some time administrators must prevent malicious registration, which needs to be registered in advance.)
Delete account in server's console. (Like: /flexiblelogin ..........................)
EMail, user's any other things, and any thing we can control.
Any good thing...

I think this is great, because it is more convenient for the administrator.

Register command problem

/flexiblelogin resetpw|reload|unregister|register

Register : When use /flexiblelogin register Account Password, it show "Force register success", but account still not find in database...

The administrator and moderators to always enter a password!

ipAutoLogin=true
Is it possible to make a list of users who always need to enter a password to log on to the server? Like a black list.

Imporove EMAIL_REGEX

Hello @games647 !
Can you please update EMAIL_REGEX here to allow emails like [email protected] (2nd and 3rd level domains) ?

Also is there any reason for not allowing lowercase characters?

Could you add a command for administrators to check users' e-mail address?

Could you add a command for administrators to check users' e-mail address? If the server doesn't set mysql, it is impossible for administrators to check users' passport, e-mail address, etc. It is not convienient very much.

Suggest: Put the language file out.

Hi ! Sir ! I had a suggest for you !
Don't put the language file in the conf, but on the outside.
This is not conducive to multi language.

Any way, this plugin is amazing !!!

FlexibleLogin tries to set safe-location using the Sponge API

Hello, here #15 said
FastLogin tries to set safe-location using the Sponge API.
but they still don't solve this.
My question is, when not using FlexibleLogin, no problem happened, login will stand on last logout location, but using FlexibleLogin will change login location then may enters the door into the room.
Why not cancel searching safe-location function? I think iron-door is a safe-location, even that location where player logout is also a save location. Is it not?

y Movement isn't blocked

I found when I logined the game, the system had restricted me to move to left, right, forward or back successfully. However, when I tried to move up or move down, the system did not stop me. Yep, for most players, they cannot fly, but ops can do it. I hope you can improve this plugin(or mod?).
Thank you very much.

Cannot register with SQLite database

Packages in use:
forge-1.8-11.14.4.1563-universal.jar
spongeforge-1.8-1577-3.0.0-BETA-1000.jar
FlexibleLogin.jar (0.3.2)

When attempting to register:

[19:19:26] [pool-2-thread-1/ERROR] [flexiblelogin]: Error registering account
java.sql.SQLException: [SQLITE_CONSTRAINT]  Abort due to constraint violation (NOT NULL constraint failed: users.UserID)
        at org.sqlite.core.DB.newSQLException(DB.java:890) ~[DB.class:1.8-1577-3.0.0-BETA-1000]
        at org.sqlite.core.DB.newSQLException(DB.java:901) ~[DB.class:1.8-1577-3.0.0-BETA-1000]
        at org.sqlite.core.DB.execute(DB.java:810) ~[DB.class:1.8-1577-3.0.0-BETA-1000]
        at org.sqlite.jdbc3.JDBC3PreparedStatement.execute(JDBC3PreparedStatement.java:50) ~[JDBC3PreparedStatement.class:1.8-1577-3.0.0-BETA-1000]
        at com.zaxxer.hikari.pool.ProxyPreparedStatement.execute(ProxyPreparedStatement.java:44) ~[ProxyPreparedStatement.class:1.8-1577-3.0.0-BETA-1000]
        at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.execute(HikariProxyPreparedStatement.java) ~[HikariProxyPreparedStatement.class:1.8-1577-3.0.0-BETA-1000]
        at com.github.games647.flexiblelogin.Database.createAccount(Database.java:272) ~[Database.class:?]
        at com.github.games647.flexiblelogin.tasks.RegisterTask.run(RegisterTask.java:33) ~[RegisterTask.class:?]
        at org.spongepowered.api.scheduler.Task$Builder.lambda$execute$9(Task.java:138) ~[Task$Builder.class:1.8-1577-3.0.0-BETA-1000]
        at org.spongepowered.common.scheduler.SchedulerBase.lambda$startTask$55(SchedulerBase.java:177) ~[SchedulerBase.class:1.8-1577-3.0.0-BETA-1000]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_66]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_66]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_66]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_66]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_66]

Error: people can drop items before they login into the account.

People can drop items before they login into the account.
spongeforge-1.10.2-2073-5.0.0-BETA-1684

Can not support PermissionsEx?...

For example, when use this command:

/pex group defualt permission flexiblelogin.command.logout false

Users always can logout..........

Update to API 6?

I don't know what's the relationship between API 5 and 6......

Item dupe

Hello!
Not sure if is known bug, but one can dupe almost everything.
you can check this video: https://www.dropbox.com/s/jjzop7dx8wczhsr/2.avi?dl=0

You should be logged in to the system;
Put single item to quickbar cell;
Drop this item (Q or ctrl+Q);
Log out;
Open inventory and click on cell where your item was before drop.

expected: nothing happens, cell should be empty
actual: item duplicate to your inventory

/log and /reg not working

Not working for me anymore.

Add a strong language system

I have mentioned this issue, but I think this is very important, so put forward again, please forgive me.
Attract more users, rather than let them update their own language.

Create a folder named "Messages" or "messages" (Oh ... case size is not a problem...... :P)...
Create some lang files in "M(m)essages" folder like:

message_en
message_zhcn
message_ru
message_(country code)

We don't need a file suffix (like *.lang), because the meaning of "message" is very clear ( But, this is not a problem, too... What do you want to do, just like that).
3. In config file, users can change what language file they need to use(For example: Language "message_en").
4. Then accept the pulls from other users, it is perfect.
5. Done!!!

Add Copyright on all source code files

(See title)

The suggestion for login teleporation

In offline mode, a player can use any name to join game. Although FlexibleLogin can stop people who are not the owner of the account to do bad thing, people still can use F3 to check the position of the account used. For some people, they may utilize this fuction to set a trap to kill others.
Could you add a function to protect innocent players from these spiteful actions?
I think if there is a function which teleporates all of the unlogin players to world spawn point forcely, and teleporate players back after they login into the game successfully, it will protect players better.

Unregister command vs. server's cache

When you unregister some player (/unregister nickname), He is removed from database, but still remains in some running server cache and unregistered player can login, logout and login after disconnection from server again and again until server's restart.

Lang file for sponge plugin

Hi! Add the lang file/class please. I wanna translate your plugin ^_^

[Suggestion] Prevent players sending messages when not logged in.

You can impersonate other people.

Nag Messages & Max Walk Distance

If you login on the server you will only get 1 message telling you to /login or /register. I think it should be replaced with if the user hasn't registered it will tell them they have to /register because saying /login might confuse them.

An unregistered user can also walk around and when they try to interact they don't get any messages reminded them to /register or they won't be able to do anything, because most think it's an issue with the server. And to go with that, add a maximum distance they can walk before being teleported back to their log out location usually something like 2-10 blocks.