Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has shown support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel (#LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate himself or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pick up items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lock out the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dying to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
  2. Offline


    Does this block OP command of non logged in people?
  3. Offline


    works like a charm on craftbukkit #556 :)

    it does
    hybridphreak, MrGKanev and pedrofrq like this.
  4. Offline


    Yes, it blocks all commands except /register and /login. In the future I might add the ability to configure which commands can be used.
  5. Offline


    I am currently using this plugin at my server. No problems so far, excellent work
  6. Offline


    Source Please :D
  9. Offline


    This plugin seems to eat your inventory if you join the server, don't log in, and leave the server. It could be coincidence but I've only seen my player's inventories get randomly nuked if their internet dropped out while trying to log in.
  10. Offline


    Updated to version 1.1.0, see first post. I wasn't going to release this update until I had the chance to add more features but I'm pushing it now to fix the bug brought to my attention by den.

    I remember explicitly testing this before the initial release but it seems something I changed in version 1.02 screwed it up. I recommend updating immediately to resolve this issue.

    On another note I'm currently working on an importer to convert the .db file used by AnjoSecurity into the flat-file format used by xAuth. Also expect new features and configurable settings soon.
    shemul likes this.
  11. Offline


    Problem solved in record time. Awesome support.
  12. Offline


    Does it support Authorize's database?
  13. Offline


    If you have Authorize configured to use a flatfile you can just change auth.db to auth.txt and it will work.
  14. Offline


    Sweet, thanks.
  15. Offline


    xAuth Importer, a utility to import the auths.db file used by AnjoSecurity to the flatfile format used by xAuth has been added to the end of the first post. You can also get it <Edit by Moderator: Redacted mediafire url>

    I have also added a Known Bugs to the first post to keep track of such issues.
    Last edited by a moderator: Dec 14, 2016
  16. Offline


    Please fix that bug soon :p Now that's the only thing stopping me from using this.
  17. Offline


    I used the importer, it did convert it, I pasted it on the correct folder. But when I start server and log in, it says I'm not registered.

    First time I tried to save file, it gave me an error about UTF8 stuff, but I pressed save again and it saved. Does anyone know what is wrong?

    NVM, seems that it sees OPs with another name than his name.

    I'm experiencing a big lag at login, as I have a big server and 1000+ registrations. When player logs in, server lags for 3 seconds. I already had that lag with anjosecurity, that's why I changed to yours. Your plugin seems to have lowered the lag, but it is still present. :(

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 12, 2016
  18. Offline


    Could you provide the auths.txt file used by your server so I can test possible ways to fix the lag? Feel free to PM it to me if you don't want to publicly post it.
  19. Sweet :) Much appreciated !
  20. Offline


    Updated to version 1.1.1:

    • Version 1.1.1
      • Inventories are no longer lost if the server is stopped / reloaded when a player is not logged in.
      • (Possible) Lag reduction on servers with a large amount of players while a player who isn't logged in is connecting. (Needs to be tested on a large server)
      • Four new configurable settings in config.yml
      • /authreload can now be used in-game by Ops. (Will add Permissions support eventually)
  21. Offline


    I would really like to see something more secure than an MD5 hash for storing the passwords. There are rainbow tables everywhere for MD5, and it's pretty old.

    Other than that, I like this plugin. I'll be testing it out in a test server of mine before deciding to push it out to my production server.

    [EDIT] Actually, I have a few more suggestions. I'd like to see permissions support so that I don't have to put my mods in the OP file to give them permission to use the reload command. I'd also like to be able to change the passwords for any player if I have the "xauth.admin" permission node or something similar.

    And if it doesn't do this already, it'd be nice if the plugin would automatically detect when the server is started in offline mode, and enable/disable itself according to that parameter.

    Just some suggestions.
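Added example, not part of the thread and not xAuth's own code: what makes a stored password resistant to rainbow tables is a per-user random salt and a deliberately slow key-derivation function. This Python example verifies a legacy unsalted MD5 value (the part after the colon in auths.txt) and upgrades it on the next successful login. The `pbkdf2_sha256$...` storage format, the iteration count and the function names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"      # constructed tag for upgraded entries
ITERATIONS = 600_000          # assumed work factor; tune for your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the same password always gives the same value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes | None = None,
                iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; '$'-separated so it fits after 'name:'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> tuple[bool, str]:
    """Return (ok, value_to_store); a correct login on an MD5 entry upgrades it."""
    if stored.startswith(SCHEME + "$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex)), stored
    # Anything else is treated as a legacy 32-character MD5 hex entry.
    if hmac.compare_digest(legacy_md5(password).encode(), stored.lower().encode()):
        return True, strong_hash(password)   # re-hash while we hold the plaintext
    return False, stored
```

Because the upgrade happens at login, entries for players who never return stay in MD5 form and should be expired or forced through a password reset.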
  22. Offline

    Brennan Mathers

    sad face :'( doesn't block out all commands, world edit still works when not logged in (it's probably that op issue again!)
  23. Offline


    What other encryption would you want to see used? I was thinking about giving Whirlpool a try. Permissions support is coming soon, I just need to go read how to hook into it. The auto-detect if a server is running in offline-mode feature seems like a good idea, I'll see what I can do.

    Hm, I'll look into that. It might have something to do with the priority of the event.
  24. Offline


    Will we be able in any way to incorporate this through a website so that users don't have to sign up in game?

    Any ideas on how to?
  25. Offline


    Could create a registration script using PHP (or some other web development language) that writes to auths.txt.
  26. Offline


    I have got a bug for your known bugs list:
    whenever I login, my whole inventory is gone. //I know this is all right
    when I log in my inventory stays away! //this is not good
    I can do anything else, execute commands and so on, but I can't use my inventory.

    it always says: "you are not registered, please type (...)"
    even though I am registered

    i think it could be a nickname problem:
    the auths.txt file contains
    [farmer] §cnick§f§f:ae32ecc6b2106b904662efe4f28c6bf7
    instead of
  27. Offline


    Ah, I think I know the cause. I've been calling getDisplayName() to fetch a player's name instead of getName(). This will be fixed in the update which will be released tomorrow. Sorry for the trouble.
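Added example, not part of the thread and not xAuth's own code: entries written while the plugin keyed accounts by display name carry a chat prefix and `§` colour codes, so a later lookup by the plain account name never matches them. This Python audit flags such keys in a `name:hash` file and proposes a cleaned name for an admin to review. The player-name rule, the prefix pattern and the sample digests are assumptions constructed for the example.

```python
import re

VALID_NAME = re.compile(r"[A-Za-z0-9_]{1,16}")              # assumed account-name rule
COLOR_CODE = re.compile(r"§[0-9a-fk-or]", re.IGNORECASE)    # Minecraft formatting codes
CHAT_PREFIX = re.compile(r"^\[[^\]]*\]\s*")                 # e.g. a "[rank] " prefix

# Constructed sample: the damaged key is the one quoted in the post above,
# the digests are placeholders.
SAMPLE = [
    "alice:" + "0" * 32,
    "[farmer] §cnick§f§f:" + "1" * 32,
    "§4[Admin]§f bob:" + "2" * 32,
]


def audit_auths(lines):
    """Return (good, damaged) for 'name:hash' lines.

    good maps valid account names to their stored hash; damaged lists
    (line_number, stored_key, suggested_name_or_None) for keys that a
    lookup by plain account name can never match.
    """
    good, damaged = {}, []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if not line.strip():
            continue
        key, sep, digest = line.rpartition(":")   # the hash is the last field
        if not sep:
            damaged.append((number, line, None))
            continue
        if VALID_NAME.fullmatch(key):
            good[key] = digest
            continue
        # Strip formatting codes first, then a leading bracketed prefix.
        candidate = CHAT_PREFIX.sub("", COLOR_CODE.sub("", key)).strip()
        suggestion = candidate if VALID_NAME.fullmatch(candidate) else None
        damaged.append((number, key, suggestion))
    return good, damaged
```

The suggested name is only a candidate: confirm it against the real account before rewriting the entry, since a prefix-stripped display name can collide with another player's account name.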
  28. Offline


    Does this plugin reset players' hp to max when they log in? If it doesn't, then I will certainly change from AnjoSecurity to this because that feature is very exploitable and cannot be turned off in AnjoSecurity.
  29. Offline


    No, it does not.
  30. Offline


    I'm having issues, nobody else but me has this problem. Every time I get on the game it auto logs me in and my inventory always resets.
    CoOoD3R and prosay like this.