Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has shown support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel ( #LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate him or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pick up items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lock out the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dying to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins.
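
An added sketch (not xAuth's own code, and not from the original post) of the register/login/session model described above, together with the per-IP lockout from the feature list. PBKDF2-HMAC-SHA256 stands in for the plugin's unspecified "custom" hashing; the class name, case-insensitive names, IP-bound sessions and the default limits are assumptions.

```python
import hashlib, hmac, os, time

class AuthGate:
    """Hypothetical account store: salted hashes, timed sessions, per-IP lockout."""

    def __init__(self, session_secs=3600, max_tries=3, lockout_secs=300, clock=time.time):
        self.accounts = {}   # lower-cased name -> (salt, digest)
        self.sessions = {}   # lower-cased name -> (ip, expiry time)
        self.failures = {}   # ip -> consecutive failed logins
        self.locked = {}     # ip -> time the lockout ends
        self.session_secs, self.max_tries = session_secs, max_tries
        self.lockout_secs, self.clock = lockout_secs, clock

    @staticmethod
    def _hash(password, salt):
        # Assumption: PBKDF2 is a swapped-in KDF, not the plugin's algorithm.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        key = name.lower()              # "Steve" and "steve" are one account
        if key in self.accounts:
            return False
        salt = os.urandom(16)           # per-account random salt
        self.accounts[key] = (salt, self._hash(password, salt))
        return True

    def login(self, name, password, ip):
        now = self.clock()
        if self.locked.get(ip, 0) > now:
            return "locked"
        # Unknown names still cost one hash, so timing does not reveal them.
        salt, digest = self.accounts.get(name.lower(), (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), digest):
            self.failures.pop(ip, None)
            self.sessions[name.lower()] = (ip, now + self.session_secs)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_tries:
            self.locked[ip] = now + self.lockout_secs
            self.failures.pop(ip)
        return "denied"

    def is_authenticated(self, name, ip):
        # A session counts only for the IP that opened it and until it expires.
        bound_ip, expiry = self.sessions.get(name.lower(), (None, 0))
        return bound_ip == ip and expiry > self.clock()
```

Until `is_authenticated` returns true, a plugin built on this model would cancel the player's chat, movement, block and damage events, as in the restriction list above.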
  2. Offline


    MySQL is more advanced (in terms of manipulation through querying), doesn't require an outside library (included in craftbukkit), and makes my life a hell of a lot easier.

    See my first answer to Hydrosis.
  3. Offline


    CypherX I love the H2, if you haven't completely made up your mind, please consider leaving it in as an option!
  4. Offline


    I must agree with LImDI.

    My server has had its MySQL reset 3 or more times and it's a massive server, I could not afford to have xAuth hooked into it with this amount of players.

    I would like to ask you to keep an offline DB that is not hooked into MySQL. If you do decide on this, could I please request a converter from AuthMe to your new database?
  5. Offline


    As long as xAuth still has AuthURL, I'm set. ;D
  6. Offline


    Can you make it so people who have the real Minecraft launcher don't have to log in and register, but people with a cracked client have to register and they can't use the name of an existing player who is using the real launcher?
    kernet and Anthony13 like this.
  7. Offline


    There is also a bug with the enchantments..
    Please check that also..
    Don't forget we are waiting on you for the new versions!
    Anthony13 likes this.
  8. Offline


    Discussed before, not possible unless Craftbukkit is directly modified or I require players to specify their actual Minecraft password, which isn't going to happen.
  9. Offline


    Hmm, I would like it if H2 is still supported, but I guess I could switch to MySQL.
  10. Offline


    I was just going to ask this, will you keep authURL support? It seems quite a few people besides me use it, and further up in this thread someone even contributed a script for phpBB support.
  11. Offline


    Of course. I was thinking of adding a better implementation of it or working directly with you (if you were still around).
    robxu9 likes this.
  12. Offline


    Right now the second line is supposed to be displayed in its entirety if it is an error, and is the 'forum name' if it is successful. I think instead the second line should just be displayed in its entirety every time, so the messages are 100% customizable in the server-side script, which needs to be written/modified by whoever is implementing it anyway.

    Other than that, I don't see much to anything that needs changed, but what did you have in mind? Perhaps adding an option to hash the pass with a certain algorithm before sending it might be nice, but it would have to be customizable. :)

    I am still around though, you can contact me on here or through github, I'm watching your github repo for updates, so I'll see an issue if you post it or something.
  13. Offline


    Enchantments get removed from this
  14. Offline


    CypherX Why is this under re-development? and ETA? D:
  15. Offline


    Because I haven't been here for ~5 months and it's a buggy clusterf*ck. And I already answered about an ETA.
    robxu9 likes this.
  16. Offline


    Odd, never saw it. xAuth has always worked for me (Since EARLY 1.0)
  17. Offline


    Don't worry, I didn't make any big changes, I just followed your lines and added a column in the inventory table to store the enchant information of the items. Also, the code is available if you want to see the workaround (I tried to do a pull request but I got lost along the way, I'm pretty new to Java development and git =/).

    Also, I made quite a few more modifications to your plugin and I think they are nice additions! I added an option to hide the login and logout messages of the players, and I extended the AuthURL mode to make it possible to use /register to get registered in the forums from the game! I achieved this by adding more parameters to the AuthURL function, the email and the "mode"; they are also sent in the POST request when you call the page (I did a bridge for phpBB too, if you want I can post it).

    Hope you can add those opts too, they are quite easy and nice :D.

  18. Offline


    What about CraftBukkit addon? Like it was with early anti-xray version.
  19. Offline


    It's been quite a while but I think it involved exposing some kind of session ID so that it can be passed to to check its validity.
  20. Offline


    How to upgrade from version 1.25 to 3. if the hash without salt auths.txt?
  21. Offline


    When is this plugin going to be out? I was updating a lot of my plugins, must've come here late for you to remove the download, been checking back since the 17th I think.
  22. Offline


    I did some research about detecting if a player is using an account or not. My conclusion: It would be possible but only if:
    • The username/password is stored on the server or
    • The user installs a client mod.
    Login process on an online server (the user has already logged in to
    1. [Client -> Server] Handshake. Send Username.
    2. [Server -> Client] Handshake. Server sends a randomly generated server ID (different for every user)
    3. [Client ->] Send "Join Server" request. Data sent: Username, ServerID, session ID. If does not answer with "ok" (=valid minecraft account) the login process will be aborted.
    4. [Client -> Server] Login request. Send username
    5. [Server ->] Check for successful "Join Server" request. Send Username and ServerID. If does not respond with "yes" the connection is dropped.
    6. Login OK - Check Black-/Whitelist, Player count,...
    Login process on an offline server:
    1. [Client -> Server] Handshake. Send Username.
    2. [Server -> Client] Handshake. Server sends the string "-"
    3. [Client -> Server] Login request. Send username
    4. Login OK - Check Black-/Whitelist, Player count,...
    The problem is that there are only two server modes:
    Online: "Server and Client are connecting to to check if the "Join Server" request is OK - If this check is not successful the connection is dropped"
    Offline: "Accept any connection"

    To add a "/register only for offline player"-feature to xAuth, a new operation mode would be required: "Connect to - try the "Join Server" request - if it fails switch to offline mode for this user."

    I can see only two ways to achieve this:
    • Fake the whole "Join Server" request server-side. You need to store the clear-text password for every user with an account.
    • Modify the client and the Server (Client: Mod; Server: Mod or Plugin (using Reflection and/or java.lang.instrument))
    Conclusion: Possible but solution is not really acceptable.
    Anthony13 likes this.
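
The two login flows listed in the post above, as an added Python simulation that is not part of the original thread. `AccountService` is a hypothetical stand-in for the third-party account check the post refers to; every class and function name here is constructed for illustration.

```python
import secrets

class AccountService:
    """Hypothetical stand-in for the external account check in the post."""
    def __init__(self, sessions):
        self.sessions = sessions    # username -> session ID issued at launcher login
        self.joined = set()         # (username, server_id) pairs the client vouched for

    def join_server(self, username, server_id, session_id):    # online step 3
        expected = self.sessions.get(username)
        ok = expected is not None and secrets.compare_digest(expected, session_id)
        if ok:
            self.joined.add((username, server_id))
        return "ok" if ok else "bad login"

    def check_server(self, username, server_id):                # online step 5
        return "yes" if (username, server_id) in self.joined else "no"

class Server:
    def __init__(self, online, service=None):
        self.online, self.service, self.pending = online, service, {}

    def handshake(self, username):                               # steps 1-2
        # Online: fresh random server ID per connection. Offline: the string "-".
        server_id = secrets.token_hex(8) if self.online else "-"
        self.pending[username] = server_id
        return server_id

    def login(self, username):                                   # login request
        server_id = self.pending.pop(username, None)
        if server_id is None:
            return False            # no handshake preceded this login
        if not self.online:
            return True             # offline mode: the claimed name is never checked
        return self.service.check_server(username, server_id) == "yes"

def connect(server, username, session_id="", service=None):
    """Client side of the exchange; True when the server accepts the login."""
    server_id = server.handshake(username)
    if server_id != "-":            # online server: vouch with the account service first
        if service.join_server(username, server_id, session_id) != "ok":
            return False
    return server.login(username)
```

The offline branch of `Server.login` is the gap a server-side password prompt such as xAuth's has to close: the username is the only identity the server ever receives.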
  23. Offline


    I already stated that I'm not going to give an ETA.
  24. Offline


    Oh sorry, didn't know, wasn't gonna read posts of 55 pages if you already said it. :) ..can't post one of your old earlier versions or anything like that? :)
  25. Offline


    The latest version is five months old and bugged, you don't want it.
  26. Offline


    OK, thanks for saving my time looking back into my backup plugins and my old world :D
  27. Offline


    What's the most popular/widely used Permissions plugin these days?
  28. Offline


    So do I need MySQL for this?
  29. Offline


    I would say PEX and bPermissions.

    Everything working with these 2 plugins should work with everything else, too.
    Anthony13 likes this.
  30. Offline



    I started getting this error message in my console yesterday; I'm not sure why, because I didn't change anything...

    Any thoughts?

    24.02 00:08:30 [Server] INFO [xAuth] MissPicket has logged in
    24.02 00:08:25 [Server] INFO Please contact one of the authors of plugin 'xAuth': CypherX
    24.02 00:08:25 [Server] INFO This error is logged only once: it could have occurred multiple times by now.
    24.02 00:08:25 [Server] INFOat
    24.02 00:08:25 [Server] INFOat com.cypherx.xauth.xAuth$
    24.02 00:08:25 [Server] INFOat org.bukkit.craftbukkit.entity.CraftEntity.teleport(
    24.02 00:08:25 [Server] INFOat org.bukkit.craftbukkit.entity.CraftPlayer.teleport(
    24.02 00:08:25 [Server] INFOat org.bukkit.plugin.SimplePluginManager.callEvent(
    24.02 00:08:25 [Server] INFOat org.bukkit.plugin.RegisteredListener.callEvent(
    24.02 00:08:25 [Server] INFOat$103.execute(
    24.02 00:08:25 [Server] INFOat java.lang.reflect.Method.invoke(
    24.02 00:08:25 [Server] INFOat sun.reflect.DelegatingMethodAccessorImpl.invoke(
    24.02 00:08:25 [Server] INFOat sun.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
    24.02 00:08:25 [Server] INFOat org.bukkit.event.Listener.onPlayerTeleport(Listener:0)
    24.02 00:08:25 [Server] INFO java.lang.IllegalAccessError: Synchronized code got accessed from another thread: com.cypherx.xauth.xAuth$2
    24.02 00:08:25 [Server] WARNING Could not properly handle event PLAYER_TELEPORT:
    24.02 00:08:25 [Server] INFO [SuperSpawn] Player teleported to previous location.
    24.02 00:08:25 [Server] INFO [SuperSpawn] Player found
  31. Offline


    Hello all! There is a very big bug in this plugin, I think all admins know it: anyone can become OP if he knows only the admin's nickname. Please, fix it.