Filled Staff Logins

Discussion in 'Plugin Requests' started by Skrubzy, Oct 27, 2016.

Thread Status:
Not open for further replies.
  1. Skrubzy

    Plugin category: Administrative/Security

    Minecraft version: Spigot 1.9

    Suggested name: Skylask Staff Secure (Or just Staff Secure)

    What I want: I need a plugin much like LoginSecurity, but players won't need to type in their password every time they log in. Only players that have the correct permissions will be required to (so basically staff), and only if they log in using a different IP address than usual. The permission is skylaskstaff.login

    This should help to protect from abuse of compromised accounts.

    There should also be a feature so that if the password is entered incorrectly more than 30 times, the player will be temporarily banned for 30 minutes. This needs to work even if the player logs out, but reset back to 0 once the player logs in using the correct password.

    All chat messages should be configurable in an English.yml file
    The user will not be able to move, fight, mine, build, talk in chat, etc until they enter their password.
    The player must enter the command twice when changing the password and registering for the first time.

    3 Files Should Be Created:
    English.yml - Contains all of the chat messages and formats
    Users.yml - Contains the usernames, passwords, and IP addresses for specific accounts.
    Config.yml - Contains the ban length and amount of passwords enter-able until they receive a timeout.

    Ideas for commands:
    /login <password> - Allows the user to login to the server
    /register <password> - Allows the user to register a password to the server
    /changepass <current password> <new password> - Allows the user to change their password
    /login help - Lists all of these commands and what they do/how to use them

    Ideas for permissions:
    skylaskstaff.* - Gives the user access to all of the following permissions
    skylaskstaff.login - Allows the user to use the command "/login"
    skylaskstaff.register - Allows the user to use the command "/register"
    skylaskstaff.change - Allows the user to use the command "/changepass"
    skylaskstaff.help - Allows the user to use the command "/login help"

    Aliases:
    /login | /pass
    /changepass | /cpass

    When I'd like it by: ASAP
    If you are confused or I left anything out, just ask me about it.
    I'm fairly low on sleep at the minute so I'm almost positive that I forgot about a few features.

    To Anyone Interested In Making This Plugin: Please read my last reply to this thread, it includes an important feature that is needed for this plugin.
     
    Last edited: Oct 29, 2016
  2. ACA30

    I'd like to see this made :)
     
  3. termanator1128

  4. Skrubzy

  5. Do you want the passwords to be stored in a flat-file or a MySQL database? Since you said you want them to be stored inside a .yml file, that's not really secure and I wouldn't want someone to see my password inside a .yml file because they may have the same password for other things and it can be abused. The password could be encrypted inside the .yml file but that's a lot of work and if someone would be targeting your server and really wanted to compromise your server, they could just look into the .jar and figure out how the passwords are encrypted and un-encrypt them in minutes. If it would be stored inside a MySQL database, they would also need to get the username & password to hack into MySQL after hacking into the FTP account which gives you another wall of protection.
     
  6. Skrubzy

    I'll be honest... I don't understand most of what you just said. Yes, I want the passwords to be encrypted but I also want to have a way to view the file and passwords (in case anyone forgets their login). And it's just for my staff members, so I hope they'll be smarter than to use their password for more than one login.

    EDIT: Maybe have a main password or something? Like a password you have to enter to open the file..Only the owner (me) would know the main password - but then a hacker could just look at the code for the plugin...so maybe have that part encrypted?

    EDIT 2: When I say I don't understand, I mean that I have never used MySQL before and I'm not entirely sure what it does or what it's for.
     
    Last edited: Oct 28, 2016
  7. timtower (Administrator, Moderator)

    @adi0115 @Skrubzy How about hashing? Not encrypting. Make it use a big algorithm.
    @Skrubzy Resetting the password is better than being able to see it. And a command to change their own password when logged in.
     
  8. Skrubzy

    But if they lose their password they won't be able to login, so I need a way to view all of the passwords.
    The /changepassword will change the password, but you'll need the current password first (/changepassword <current> <new>)
     
  9. timtower (Administrator, Moderator)

    @Skrubzy No, you need to be able to force a new password by writing it in the file, a temporary password.
    No need to see it.
     
  10. I Al Istannen

    @Skrubzy
    I would use some kind of random number, maybe converted to base64 to cut its size down. Entering this will allow you to login and forces a password change, as well as invalidating the token.

    This way you can reset it, without needing to see it.
     
  11. @Skrubzy If they lose it they can reset; you should never store passwords that can be viewed by humans. You could always add some sort of validation, e.g. email. Hashing would be much better security-wise than encrypting. Hash with a salt.

    @I Al Istannen How would they get the token securely? Email? It can't just be sent in the chat as if someone got the account they could just enter that token.
     
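    The salted hashing timtower and bwfcwalshy recommend above (and that Skrubzy asks about later in the thread), as an added example that is not part of this thread or of the requested plugin. It uses only the JDK's PBKDF2 implementation, so it has no Bukkit dependency; the "pbkdf2$iterations$salt$hash" record layout is an assumption chosen for this example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not the plugin's code): salted password hashing with PBKDF2 from the JDK.
public final class StaffPasswords {
    private static final int ITERATIONS = 100_000; // work factor: slows offline guessing on a stolen Users.yml
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** /register: returns "pbkdf2$iterations$salt$hash" to store in Users.yml; the password itself is never written. */
    public static String register(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // per-user random salt: same password, different hash; precomputed tables are useless
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return String.join("$", "pbkdf2", Integer.toString(ITERATIONS), b64(salt), b64(hash));
    }

    /** /login: recompute the hash with the stored salt and compare in constant time. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !parts[0].equals("pbkdf2")) return false;
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[1]));
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 not available in this JVM", e);
        }
    }

    private static String b64(byte[] bytes) { return Base64.getEncoder().encodeToString(bytes); }

    public static void main(String[] args) {
        String record = register("hunter2".toCharArray()); // constructed sample password
        System.out.println("Users.yml entry: " + record);
        System.out.println("correct password accepted: " + verify("hunter2".toCharArray(), record));
        System.out.println("wrong password rejected: " + !verify("hunter3".toCharArray(), record));
    }
}
```

    Because only the salt and the derived hash are stored, an owner who reads Users.yml cannot recover a forgotten password; the reset must issue a new temporary credential, as the replies above describe.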
  12. Skrubzy

    If their account is compromised, the hacker most likely has access to their email too
     
  13. @bwfcwalshy @timtower @Skrubzy If someone forgets their password, they can do /forgotenpassword and a pin will be shown inside the console, and the owner or whoever has access to the console could give the pin to the staff member so they could do /pin xxxxxx and they will have access to the server and they can change their password. I know this is not ideal as whoever forgot the password needs to wait for someone who has access to the console, but in my opinion it's more simple than playing around with emails.
     
  14. Skrubzy

    That might work, but if the hacker has access to the server files he could see the console. But if the user's passwords are saved and the hacker still has access to the server files, there'd be almost no difference. However, that does lower the chances of the hacker being able to log into other accounts (Twitter, the website, etc)
     
  15. timtower (Administrator, Moderator)

    @Skrubzy Then you let them use OAuth; you can always think of things to stop it from working, there needs to be a limit though.
    https://oauth.net/
     
  16. There aren't many people who play Minecraft who will be able to hack FTP, the console, and someone's Minecraft account at the same time unless those passwords are easy to guess.
     
  17. Skrubzy

    You'd be surprised, hackers could social engineer and brute force. There's a whole list of possible hacks to get someone's password.

    This could work (I'm not entirely sure how they would get the pin though) Does this cost money? I don't see any price on it but it sounds like it would cost some coin.
     
  18. timtower (Administrator, Moderator)

    And do you think that they would spend their time on hacking Minecraft clients?
    If they would hack then they would go straight for the console, not a client with less power.
    It is free.
     
  19. Once I forgot my password to my host. First I got an email with a PIN which I had to enter into the host, then I received a text with a PIN which I had to enter, then I had to answer 3 questions, which were: what was my childhood nickname, my first bike's registration number and my first ever phone number. I had 2 tries, which I messed up, and then I had to call my host. They had to verify me by taking my bank details and my secondary email. Then they had to call my second friends, who had to confirm that it was really me.

    That is security that I have to go through in case I forgot my password to my host, and nobody can hack my friends to tell them that it's someone else :).
     
  20. Skrubzy

    But they can't grief or anything like that unless they have an account logged into the server.

    I don't think any Minecraft server needs that much security lol
    Maybe just have a PIN and 3 questions, no need to call up friends to verify and give out bank details lol
    Would the code have to include the link to the website or something? How would that work, how would I hook it up?
     
  21. @Skrubzy I'm with a host that values security. I don't see why someone would hack a Minecraft server in the first place; you don't gain anything from it. You could probably grief the server, but if you're a smart person then you would do backups regularly. I never heard of anyone's server, FTP and Minecraft accounts getting hacked just to compromise a server on which they wouldn't be able to do much. I can understand why someone would hack a VPS or a website, but there's not really any gain when it comes to Minecraft servers; it's not like any passwords are stored inside the server, except if the server is cracked.
     
  22. Skrubzy

    People would hack into servers to steal plugins, maybe even leak them. They can delete server files and sometimes even backups (If we forgot to save the backup somewhere else or something) They could lock us out of our accounts, change the passwords to everything, brag about it, and they don't even need to have a reason to hack; some people are just like that :/
     
  23. I Al Istannen

    @Skrubzy
    These people are usually not the ones actually being able to carry out such a hack, if you have a remotely secure password.
    Just use KeePass or something similar, generate a password which it deems safe and you should be good.

    I am however quite sure that the few people with the skills of hacking into your server hoster are not the ones wanting to do it.

    The rest are most certainly kept out with a password I described above. The only other fear is social engineering, so make sure to not give it out. There rarely (probably never) is a reason to give it away anyways. May be a bit naive?
     
  24. My host automatically backs up my server every 3 hours to a different FTP, which is what most hosts do these days. When it comes to locking you out, it's only possible if the person knows your password, and if they know your password, then they either guessed it or someone told them, which is why you should never share passwords over the internet. I had a friend who shared his Minecraft password over Skype with his brother, and his Skype got hacked and so did his Minecraft account, since the password was there to use.

    I've seen Mineplex's plugins leaked hundreds of times, even the latest ones like the Clans etc. (as far as I'm aware, their plugins were not leaked due to hacking; it's because Mineplex always seems to hire devs that are not trustworthy), but their plugins are somehow made so that if they're leaked, they cannot be usable outside Mineplex. I never downloaded Mineplex's leaked plugins so I have no idea how they did that. Like @I Al Istannen said, there are not many people in this community with that skill. I'm sure there are a few people who know a bit about hacking and brute force, but there are only a few that will be able to hack a host, FTP, MySQL etc. If this was the case, hundreds of servers would be hacked on a daily basis, and the biggest servers would be the first targets, like Hypixel, but you never see them being hacked.
     
  25. Skrubzy

    My host saves the world, but it gets saved to the server files; not a different FTP
    I saw a plugin where a backup can be saved to dropbox, so I think I might go ahead and use that.


    For anyone interested in making this plugin:
    I like the idea of having a PIN number (Like 5 number-digits long) Being sent to console when the user types /getpin. The owner (Or whoever has access to console) Will tell the staff member who lost their password to type /pin <PIN Number> And that will log them in so they can change their password - At which point they just have to type the pin number as their current password (/changepass <current/PIN> <new>) But If they log out, that pin number will no longer work; it's just temporary for that one session.

    New Permissions/Commands:

    /getpin | skylaskstaff.getpin
    /pin <PIN Number> | skylaskstaff.usepin

    Again, all chat messages (And the message sent to console when the user requests a PIN) Should be editable in an English.yml file found in the server files.

    I'm not too worried about my server files getting hacked anymore - I have a very reliable password that would take longer than 8 billion years to crack (According to a password testing website I found) Also, with this feature, my staff members don't encounter the risk of even more accounts being hacked and compromised.

    EDIT: The user should have blindness before logging in, but as soon as they type /login *** (*** Being their password) The blindness goes away and they can move, fight, mine, etc...

    EDIT 2: It would also be cool if, before the user logs in, other players will see an Ice Block on their head - Meaning that they are frozen; they can't move or interact or anything.

    EDIT 3: I know I probably missed a few messages, but this should be the default English.yml file. Some things should go into the config file (things that aren't messages) but I have to go soon so I don't have time to convert it into another file.
    Code:
    # Skylask Staff
    # English.yml Default File
    # Every message is quoted: an unquoted value starting with & is read by YAML as an anchor, not text.
    
    # If the user attempts to build, mine, fight, etc... before logging in, this message will be displayed to them:
    PreLogin Build: "&f&l[&c&lStaff&f&l] &cYou may not build until you /login!"
    PreLogin Mine: "&f&l[&c&lStaff&f&l] &cYou may not mine until you /login!"
    PreLogin Move: "&f&l[&c&lStaff&f&l] &cYou may not move until you /login!"
    PreLogin Fight: "&f&l[&c&lStaff&f&l] &cYou may not fight until you /login!"
    PreLogin Get Hit: "&f&l[&b&lSkylask&f&l] &cYou may not interact with that player at this time!"
    PreLogin Chat: "&f&l[&c&lStaff&f&l] &cYou may not type in chat until you /login!"
    PreLogin Command: "&f&l[&c&lStaff&f&l] &cYou may not use that command until you /login!"
    
    # The commands the user is able to use before logging in
    Allowed Commands:
    - /login
    - /register
    - /changepass
    - /login help
    - /getpin
    - /pin
    - /v
    - /helpop
    
    # false = the user can not do that action before logging in
    Can Build: false
    Can Mine: false
    Can Move: false
    Can Fight: false
    Can Get Hit: false
    Can Chat: false
    Can Use Commands: false
    
    # When the player doesn't have the required permissions (meaning that they are not a staff member) this message will be displayed to them:
    Not Staff: "&fUnknown command. Type \"help\" for help."
    
    # Join messages:
    Register New: "&f&l[&c&lStaff&f&l] &aUse /register to start your staff account with Skylask!"
    Login Prompt: "&f&l[&c&lStaff&f&l] &aPlease /login using your Skylask password or PIN Number!"
    
    # Incorrect:
    Login Wrong: "&f&l[&c&lStaff&f&l] &cIncorrect password! Try again using /login."
    PIN Wrong: "&f&l[&c&lStaff&f&l] &cThis PIN Number is not valid! Request a new one using /getpin."
    Changepass: "&f&l[&c&lStaff&f&l] &cThe current passwords don't match correctly! Try Again."
    
    # PIN messages:
    PIN Right: "&f&l[&c&lStaff&f&l] &aYour temporary PIN Number has been activated! Change your password at this time."
    Get PIN: "&f&l[&c&lStaff&f&l] Your temporary PIN Number has been sent to the server console!"
    PIN Override: "&f&l[&c&lStaff&f&l] Your current PIN Number has been canceled and a new one has been sent to the server console."
    
    # Usages:
    All: "&f&l[&c&lStaff&f&l] &cIncorrect Usage! Check /login help"
    
    # Login help menu, one list entry per line shown to the player:
    Login Help:
    - "&7&l---[ &c&lStaff Login &7&l]---"
    - "&c/Login Help &7- &aDisplays This Help Menu"
    - "&c/Login <password> &7- &aLogin To The Server"
    - "&c/Register <password> &7- &aRegister To The Server"
    - "&c/Changepass <current> <new> &7- &aChange Your Login Password"
    - "&c/Getpin &7- &aSends a temporary PIN Number to the console"
    - "&c/PIN <pin-number> &7- &aUses the PIN Number to login instead of your password"
     
    Last edited: Oct 29, 2016
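    The console-PIN flow and the failed-attempt timeout that the post above specifies, as an added example that is not the plugin's own code. It is plain JDK logic the plugin's command and quit handlers would call; the class name, the 5-digit PIN format, and the choice to restart the failure counter once a timeout has been applied are assumptions made for this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Added example (not the plugin's own code): the console-PIN flow and the failed-attempt timeout
// from the post above, as plain JDK logic the plugin's command handlers would call.
public final class StaffLoginGate {
    private static final int MAX_FAILURES = 30;                        // Config.yml: attempts before timeout
    private static final Duration BAN_LENGTH = Duration.ofMinutes(30); // Config.yml: ban length
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> activePins = new HashMap<>(); // player -> current PIN, memory only
    private final Map<String, Integer> failures = new HashMap<>();  // must be persisted: survives logout
    private final Map<String, Instant> bannedUntil = new HashMap<>();

    /** /getpin: a fresh 5-digit PIN that the plugin prints to the console, never to the player. */
    public String getPin(String player) {
        String pin = String.format("%05d", RNG.nextInt(100_000));
        activePins.put(player, pin); // replaces any earlier PIN (the "PIN Override" message)
        return pin;
    }

    /** /pin <PIN>: the PIN is consumed on the first attempt, right or wrong, so it cannot be guessed. */
    public boolean usePin(String player, String candidate) {
        if (isBanned(player)) return false;
        String pin = activePins.remove(player);
        boolean ok = pin != null && MessageDigest.isEqual(pin.getBytes(), candidate.getBytes());
        return record(player, ok);
    }

    /** /login <password>: the caller does the salted-hash check; this method only counts and bans. */
    public boolean login(String player, boolean passwordMatches) {
        if (isBanned(player)) return false;
        return record(player, passwordMatches);
    }

    /** Player quit: a session PIN must not outlive the session it was issued in. */
    public void onQuit(String player) { activePins.remove(player); }

    public boolean isBanned(String player) {
        Instant until = bannedUntil.get(player);
        if (until == null) return false;
        if (Instant.now().isBefore(until)) return true;
        bannedUntil.remove(player); // timeout has expired
        return false;
    }

    public int failureCount(String player) { return failures.getOrDefault(player, 0); }

    private boolean record(String player, boolean success) {
        if (success) { failures.remove(player); return true; } // reset to 0 on a correct login
        int n = failures.merge(player, 1, Integer::sum);
        if (n > MAX_FAILURES) { // "more than 30 times"
            bannedUntil.put(player, Instant.now().plus(BAN_LENGTH));
            failures.remove(player); // assumption: counter restarts after a timeout
        }
        return false;
    }
}
```

    Because the PIN only ever lives in memory and is dropped on quit or on first use, a PIN read from a console log after the fact is worthless, while the shared failure counter means guessing it costs the same 30-attempt budget as guessing the password.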
  26. I Al Istannen

    @Skrubzy
    I will most likely do this. I have some parts of it finished already, but I can't give you a time estimate.

    I would just like anybody who is also interested to wait a few days for a further update on my part, before wasting the time of both of us ;)

    They will NOT need to enter their password twice, but the old password will be displayed upon changing.

    Apart from that, they will see their password as they type it in PLAIN TEXT in their chat.
    Then they can use the "Arrow Up" button to see the last message they sent and therefore retrieve the password.
    I think it will be hard to screw that one up.

    If you absolutely insist, I can add that feature, probably without too much of a hassle.

    EDIT: I am pretty much done with it.

    EDIT 2: I published a pre release. You can get it on the github page and test it :)
     
    Last edited: Nov 1, 2016
  27. Skrubzy

    I'm sorry to say, but most of the features don't work. (the Pin feature, logging in with other IPs, etc)
    Also, if you are going to redo this/fix it, could you make it so you don't need to type "staffsecure" before every command please? I haven't tested everything, but the config.yml and language file is really cluttered so I imagine it'll take me a while to reply again (I'm not trying to be rude, in case that's the impression you got)

    EDIT: What's the salt thing?
     
  28. I Al Istannen

    @Skrubzy
    Hmm. Any errors in the console? Works great for me. What version are you using?

    I like the /staffSecure, there also is tab completion for it, to keep it short. Makes it easier for me, but if you want I can change that. Just clutters things up and may conflict.

    The language file just contains every message, which makes it quite big.

    The config contains settings for nearly everything there is, so it is quite big too. If you have questions about it, just ask.
     
  29. Skrubzy

    No, there are no errors in the console, but the PIN also doesn't get sent to the console. I'll try a newer version in just a minute. And yes, could you please get rid of "staffsecure" before every command? Also, there are a few things in the console where true/false are swapped as defined in the quote, and a few spelling errors with can and can't (I explained that really poorly... I'm in a rush, sorry)
     
  30. I Al Istannen

    Code:
    ===========================================
       Player 'FreezingFireball' generated a Token
             The token is 'ffaD'.
    ===========================================
    Result of invoking "/staffSecure getPin" as a user.
    If that is NOT the command you used, type "/staffSecure help" first.

    I will make the "/staffSecure" at the beginning toggleable in the config when I get the time.


    Listing the things which are wrong would be helpful :p
     