Comments (18)

Thulinma commented on July 17, 2024

There's just one problem here:

Upon connect the server says to the client "I'm an online-mode server" or "I'm an offline-mode server".
Then, afterwards, the client replies with the username of the client.

This order cannot be changed, as the client expects this order and will not work otherwise.

This means you have to decide if the player will be authorized in online or offline mode before receiving the player name. Thus, no changes can be made to the login process based on name. Based on IP address would be possible, but is not very reliable. Based on server port is another possibility (have a separate port to connect to in "premium mode"), but that is it.

How my plugin currently works is like this:

  • Server sends "I am in online mode" and asks the client for a name + verification code.
  • Server checks the verification code (MC.net login check), and if it is correct, allows the user normal access.
  • If the check fails, it renames the user to player_[random number here] so they cannot pretend to be a premium user like you suggest in your request, then asks them for a name and password to login as, which results in a second rename if successful.

Hopefully you understand the limitations and possibilities. If you have any further questions, feel free to ask.

from mixedmodeauth.

stephen304 commented on July 17, 2024

Can a plugin check mc.net and authorize premium players or does it not have enough access/information to do this?

Thulinma commented on July 17, 2024

It can, but the client will only attempt a mc.net login right at the start of the connection, and only in online mode. So, doing this is possible but useless :-)

stephen304 commented on July 17, 2024

Would this be possible?

  • Server sends "I am in online mode" and asks the client for a name + verification code.
  • Server checks the verification code (MC.net login check), and if it is correct, allows the user normal access.
  • If it fails, it checks the premium.txt file. If the name is in the file, the user is kicked like users normally are if auth fails. If the name is not present, the user is allowed on as the name supplied earlier.

I hope this helps you understand what I am trying to do. It seems to me like this might work. Please tell me if I am missing something.

Thulinma commented on July 17, 2024

Yes, that can work.
It doesn't add any extra security though (failed logins are already ALWAYS put in "guest mode" like all offline players normally are), and it will disable the support for playing on your account if the MC.net servers are down.

stephen304 commented on July 17, 2024

The extra security comes from a player's name being in the premium.txt file, because if a non-premium player tried to log in as a premium player, the mc.net validation would fail, the plugin would see the name in premium.txt and the user would be kicked.

i.e., users that are in premium.txt require login success with mc.net, while all other user names can fail with validation and still be able to play.

If you still don't get what I am trying to do, you said:

failed logins are already ALWAYS put in "guest mode"

I don't want failed logins to always go into guest mode. Failed mc.net validation should result in kick but ONLY IF the name is in premium.txt

Thulinma commented on July 17, 2024

Yeah, sure, that feature can be added. I'll see what I can do.

stephen304 commented on July 17, 2024

Thanks soo much!

stephen304 commented on July 17, 2024

I took a look at the checkserver.php and made it almost do exactly what I want. I made it check mc.net and return YES if mc.net returned YES, and if MC.net returned NOT YET, I had the script check the premium.txt file for the username. If it was found, the script returned NOT YET as well. If the username wasn't present, it returned YES, contrary to what mc.net returned.

I had the script part working fine, but I ran into a problem with the client. Even if the auth server (or my script) returns YES all the time, the client still has to send the hash and session Id to the mc servers. This is where I failed. The client tries to send the server's hash + session id to the minecraft server and the server does not return OK because since the user is not premium, the session ID is incorrect. Since this is a client sided issue, I don't see any solution with just php.

I did some more reading. If code can be inserted between the client->server handshake and the return server->client handshake (0x02) then online mode and offline mode can be switched on the fly depending on the username of the player.
http://mc.kev009.com/Protocol#Handshake_.280x02.29

But now I'm wondering, if my cracked launcher fails on its own accord with online mode servers, how do your non-premium players play on online mode servers with your plugin setup?

Here is the sequence of actions described on the Session page of this wiki: (http://mc.kev009.com/Session)

  1. Client connects to server
  2. Server answers tcp connection request
  3. Client sends a 0x02 handshake containing the current player name
  4. Server receives a 0x02 handshake containing the client's player name
  5. Server generates a hash for this client (Or "-" (minus) is sent to indicate offline mode)
  6. Client receives a 0x02 handshake from the server containing a randomly generated hash, which is saved as serverId
  7. Client sends a HTTP request to http://session.minecraft.net/game/joinserver.jsp?user=&sessionId=&serverId=
  8. If the response is OK then continue, otherwise stop
  9. Client sends 0x01 login request
  10. Server receives a 0x01 login request from the client
  11. Server sends a HTTP request to http://session.minecraft.net/game/checkserver.jsp?user=&serverId=
  12. If it returns YES then the client is authenticated and allowed to join. Otherwise the client will/should be kicked with “Failed to verify username!”
  13. Server sends a 0x01 login request to the client
  14. Client receives a 0x01 login request
  15. ... send map chunks, etc...

from mixedmodeauth.
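
The premium.txt rule described in the comment above, written as a stand-alone PHP decision function. This is an added example, not code from the thread or the plugin; the function names, the in-memory name list, the case-insensitive match and the name character rule are assumptions, and the sample names are constructed.

```php
<?php
// Added example (not the plugin's code). Verdict strings "YES" / "NOT YET"
// are the ones quoted in the thread; everything else is hypothetical.

/** Parse premium.txt-style text: one protected name per line. */
function load_protected_names(string $text): array {
    $names = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $name = strtolower(trim($line));   // assumption: names compare case-insensitively
        if ($name !== '') {
            $names[$name] = true;
        }
    }
    return $names;
}

/**
 * Reply of a checkserver replacement.
 * $upstream is the body returned by the real session check, or null if it
 * could not be reached.
 */
function decide(string $user, ?string $upstream, array $protected): string {
    // Assumed name rule. \A and \z are used because "$" would also match
    // before a trailing newline and let "Alice\n" through.
    if (!preg_match('/\A[A-Za-z0-9_]{1,16}\z/', $user)) {
        return 'NOT YET';
    }
    if ($upstream !== null && trim($upstream) === 'YES') {
        return 'YES';                      // the real check vouched for this name
    }
    if (isset($protected[strtolower($user)])) {
        return 'NOT YET';                  // protected name without proof: fail closed
    }
    return 'YES';                          // unprotected name: allowed without proof
}

// Constructed sample list and cases: [name, upstream reply or null].
$premium = load_protected_names("Alice\nBob_01\n");
$cases = [['Alice', 'YES'], ['alice', 'NOT YET'], ['Bob_01', null],
          ['guest42', 'NOT YET'], ["Alice\n", 'NOT YET']];
foreach ($cases as [$user, $upstream]) {
    printf("%-10s upstream=%-9s => %s\n", json_encode($user),
           var_export($upstream, true), decide($user, $upstream, $premium));
}
```

A protected name gets NOT YET both when the upstream check refuses it and when the check cannot be reached, which is the trade-off Thulinma points out earlier in the thread.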

stephen304 commented on July 17, 2024

I finally understand how yours works. I am almost done with a replacement login/auth server in php that will allow my premium users to play normally, non premium users can play normally with 2 extra lines in the host file, and nobody can steal anyone's account.

I plan to have a couple options when I am done with it, mainly an option to require unpremium users to log in via the custom login script or only require valid login from premium usernames.

Thulinma commented on July 17, 2024

So basically an upgrade of legacy mode?

stephen304 commented on July 17, 2024

Not really sure what you mean by that, but mine will require one of the following for non-premium users:

  1. Cracked launcher with your client mod
  2. Legit launcher with your client mod
  3. Legit launcher with host file additions

Premium users must use the legit launcher (allowing premium on cracked would defeat the purpose)

And 2 modes:

  1. Require everyone to log in using the launcher (not allowing cracked launcher + your client mod)
  2. Allow Premium users normally and non-premium users after validating their username/password and checking that their username is non-premium

Effectively adding security for everyone, stopping account stealing, and not requiring any more effort for premium players and minimum effort for non-premium players.

Thulinma commented on July 17, 2024

Eh.... Isn't that exactly what my plugin does already? I must be missing something here.

stephen304 commented on July 17, 2024

Your plugin has all this setting password stuff that I don't want to bother my users with. I don't want them to have to type in extra commands after joining to play. I just want the server to handle all the authentication and for it to all be transparent so that the users don't notice.

Thulinma commented on July 17, 2024

Oh, but that's only a one-time-per-player thing to create an account for when the MC login servers are offline. I can make an option to disable that feature, if that was all you wanted. Easy enough.

stephen304 commented on July 17, 2024

I also don't need players to be renamed at all. After looking at how the communications work, I think it would be better fitted to my needs to use a host file/php solution, as I will not have to worry about compatibility (or any issues I might run into using a plugin) and I can also have my non premium users verified via the login box of the actual launcher.

Thulinma commented on July 17, 2024

Ah, of course. Yeah, that makes sense.

stephen304 commented on July 17, 2024

So I guess this is closed.
