Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel ( #LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pickup items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dieing to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
  2. Offline


    Fixed in the next update. Actually, I could only replicate this the very first time I tried. Every time after that my inventory was restored successfully. Not sure exactly what's going on but I'll look into it.
  3. Offline


    I would like to help you fixing bugs. Could you put your plugin under GPL/put the source on GitHub?
  4. Offline


    According to a moderator on my server, you can use some WorldEdit commands without logging in, such as //removenear, //replacenear etc etc.
  5. Offline


    Yep, that's a known bug and will be fixed when I have a chance to investigate it.
  6. Offline


    Damn you're quick. Was just gonna edit that. Thanks.
  7. Offline


    The source is now available. It has a a lot of test code in it along with a partially working customizable message system I've been working on.
  8. Offline


    The issue with custom commands of other plugins is not limited to WorldEdit.
    McMMO commands also work before logging in.
  9. Offline


    I'd like to request the ability to configure what people are not allowed to do before they login/register. I want people to at least be able to chat and move. Could you add that? :D

    Also, how does the IP verification work? The IPs are not in the auth.txt file. Does the session manager just store them temporarily?
  10. Offline


    Working on this now. The problem is that some plugins don't check if the event has been cancelled before processing the command. Trying to implement some kind of fix for the next update. Seems that the fix is working, for WorldEdit and McMMO atleast.

    I actually had some basic framework in the code up until a few days ago that allowed for configurable limits on what players can do before the log in. Since it's been requested I'll see what I can do about adding it back.

    Yeah, IP addresses are stored in a players session. When a player joins the server xAuth checks if they have an active session and if the IP address stored in the session matches the one of the player joining.
  11. Offline


    Actually no, disregard that (well it's still a good suggestion lol). But I would most appreciate the ability to make it so only certain Permissions groups have to log in. I really only need my admins and moderators protected, as they are the only people that could potentially harm the server.
  12. Offline


    I have a request. Something that all other registration plugins lack. Can you make some... Ban character filter for it?

    Some people are trying to be smart and changing nicks like that:

    Can you do this?
  13. Offline


    Updated to version 1.1.4:
    • Version 1.1.4
      • Customizable messages
      • Inventory loss when used with MultiInv should be fixed
      • Ability to use commands from (some) other plugins should be fixed
      • Implemented a strike system
      • Fixed a bug that prevented the accounts file from updated
      • Lag/delay when joining a server with a large amount registered accounts reduced
    All customizable messages can be found in strings.yml that will be automatically generated on first run of this update. For info about replacement variables, go here.

    Previously, a player could try as many passwords as they'd like to try and gain access to an account. This has been thwarted with the new addition of a strike system that will ban the IP address of a player who fails at entering the correct password a configurable amount of times.

    Compatibility with the plugin MultiInv and the ability to use commands from other plugins before logging in should be fixed.

    So basically, a property in the configuration file where you can specify illegal characters that a players name will be checked for upon joining the server?
  14. Offline


    Not all other plugins lack this ;)
  15. Offline


    Can I get a link to 1.1.3? I think the latest version is blocking my MCDocs and mcMMO commands
  16. Offline


    <Edit by Moderator: Redacted mediafire url>

    Can I ask what for?
    Last edited by a moderator: Dec 14, 2016
  17. Offline


    Yeah, 1.1.4 broke my mcdocs and mcmmo commands
  18. Offline


    Updated to version
    • Version
      • Fix command breaking bug pointed out in this post.
  19. Offline


    So is this fix spesifically for WorldEdit and McMMO, or did you find a way to block all commands from other plugins whether they check for event cancellation or not?
    (Either is fine for me, but later would be of course better)

    E: Would also appreciate the functionality Sparx suggested, only spesific groups have to log in. Or maybe registration would be optional and you only needed to login if you have registered.
  20. Offline


    Theoretically it's supposed to block all commands besides those listed in the configuration file. What is does is hook into the PLAYER_COMMAND_PREPROCESS event, check if the player is logged in, if not it cancels the event and sets the command itself to just "/" so it does nothing. It's a pretty hacky way of doing it as I see no other way until all plugins check if the event is cancelled.

    For those who understand Java:

    String[] msg = event.getMessage().split(" ");
    if (!plugin.isCmdAllowed(msg[0]))
        plugin.handleEvent(player, event);
    if (event.isCancelled())
    public void handleEvent(Player player, Cancellable event)
        if (!sessionExists(player.getName()))
             if (canNotify(player))
  21. Offline


    Thanks for the quick fix! :)
  22. Offline


    It would be much better to specify only legal characters... Cause one time from console I seen something similar to Chinese letters...
    LegalCharaters = 'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,-,+,@,!,#,$,%,^,&,*,(,),[,{,],},:,;,.,/'
  23. Offline


    This is implemented and will be in the next update.
  24. Offline


    I am using xAuth, and I was sure that it would block commands from non logged-in users (I tried it out some time ago).

    But yesterday, someone logged is as one of our moderators and banned everyone, without authorizing. I undid the bans and tried it out myself, and it actually didn't block any single command. What am I doing wrong?

    Edit: Not happening anymore after server restart. No idea why this happened.
  25. Sounds more like a hack
  26. Offline


    I looked at the server log, the only thing he did was trying to log in as other users. The plugin was working fine, the only thing that didn't was blocking commands.
  27. Offline


    Is it still working fine after you rebooted your server? If not, what commands can be used?
  28. Offline


    I was thinking SHA-2 (256 ought to be good enough), but Whrilpool seems promising as well. I'd just like to see something that isn't easily attacked. If a server managed to get really popular, and used a plugin similar to this, it could become an object of focus for some cybercrimes, and MD5 is no longer adequate to protect against that. Even with salting and hashing repeatedly.

    Also, it might not be a bad idea to implement a minimum password complexity requirement that's adjustable in the config file (And could optionally be turned off). Though I see that as more of a nice feature to have than something that's necessary.

    I'm liking the progress so far though.
  29. Offline


    I'll probably be making the switch from MD5 to Whirlpool within the next two updates. Whirlpool has been ready to use but I've been busy adding other features so I haven't had time to implement it. The password complexity requirement is good idea and I'll see about adding that.

    An update to support the latest recommended build will also be available soon. I'll more than likely be releasing two versions of the update: one with all the new features that works for older builds and one with all the new features that works with the newer builds.
  30. Offline


    Keep up the good work! Waiting on your next update to put up updates in my server :D
  31. Offline


    Can u update the plugin? i real like this plug, nice work but dont work whit 600
Thread Status:
Not open for further replies.

Share This Page