[WEB] Check if a request is from a server

Discussion in 'Plugin Development' started by vasil7112, Nov 14, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    vasil7112

    Dear Developers,
    I am creating a new plugin that requires you to register from a website, and then get your AuthKey. Then, by setting the AuthKey in the plugin's settings, your plugin is ready to go! Although, this plugin will use some sensitive information, so I'd like to make sure that only a Minecraft Server can access the website, and not just anyone else. So here's what I have done until now:
    • Added the AuthKey for each IP,
    • Added a custom User Agent that can access the website.
    Still though, anyone can bypass that if they have some knowledge of it.
    So here is what I am asking for:
    Is there any way I can make sure that the website is accessed by a server only? So I can see like that the website that accessed the website was xxx.xxx.xxx.xxx:MineCraft Port.
    Do you also have any other suggestions for security issues and how to build better security?
    Thanks a lot Developers,
    Kind regards,
    vasil7112
     
  2. Offline

    mattrick

    This doesn't really belong in Plugin Development.
     
  3. Offline

    xTrollxDudex

    mattrick16
    He's asking for help making a plugin but got stuck on authenticating the server.
     
  4. Offline

    mattrick

    Oh I thought it was the other way around, how to check if the request on the website is from their server.
     
  5. Offline

    vasil7112

    How are you almost always the first to post on my comments? :p
    Thanks a lot for clearing this up for me :)
     
  6. Offline

    xTrollxDudex

    vasil7112
    No worries :)

    Found some code:
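    Java:
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.net.URLConnection;

    // Returns this machine's public IP as reported by an external service.
    public String getIP() throws IOException {
        URL connection = new URL("http://checkip.amazonaws.com/");
        URLConnection con = connection.openConnection();
        // try-with-resources closes the reader even if readLine() throws
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(con.getInputStream()))) {
            return reader.readLine();
        }
    }
    Apparently, this relies on an outer source to determine the IP, in this case checkip.amazonaws.com, and reads the output of the page. Clever.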

    mattrick16
    I made that mistake all the time back in the day :)
     
  7. Offline

    Xacero

    xTrollxDudex
    Oooh clever! Remember to close that reader!
    By the way, just curious, any benefit from using URLConnection.getInputStream as opposed to URL.openStream?
     
  8. Offline

    xTrollxDudex

    Xacero
    Preference really, I have no idea what the difference is.
     
  9. Offline

    vasil7112

    Is there any way though to also get the port? Because here is what I thought:
    If a user was on a VPS, and each server had a different port (25565, 25566, 25567, etc.), the user that would first register for the AuthKey would also have the same AuthKey for all the other servers on the same IP on different ports.
    As a result, I can create an AuthKey per IP:port.

    Oh yeah, also:
    I tried to use SERVER['ADDR_PORT'] (PHP) but it gave me the user port only. I need the server port, so ADDR IP won't help.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 5, 2016
  10. Offline

    NathanWolf

    Er... I'm confused.

    First of all- if you have a plugin running that is making calls out to a server, it's not going to be originating from the MC port. The one has nothing to do with the other, and it will get randomly assigned a port by the TCP stack when negotiating the HTTP connection, just like a browser would.

    Quick note about the normal warnings regarding collecting data from your plugins.. make sure your users/admins are aware of what you're doing.... privacy concerns and all that.

    Anyway, since you're not ultimately in control of the client code this might be very difficult to do and keep secure. A public/private key challenge/response might work- but you'd have to embed the private key in your plugin, meaning anyone can download the plugin and likely pull it out if they want to be malicious.

    Anyway, short answer is there is no way to really tell that a connection is "from a server" - you have to implement your own handshaking with whatever level of security makes you feel comfortable. Generally it'd be better to make sure your server is robust and can handle connections from potentially malicious people, it's going to happen no matter what you do :)
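
An added example (not code from any poster in this thread) of the handshaking described in the post above: an HMAC challenge/response keyed with the per-registration AuthKey from the plugin's settings, so no shared secret is embedded in the plugin itself. The class, method names and sample values are assumptions; a valid response proves the caller holds that AuthKey, not that it is a Minecraft server.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class AuthKeyHandshake {
    private static final SecureRandom RNG = new SecureRandom();

    // Website side: a fresh random challenge per request; store it and accept it once only.
    static String newChallenge() {
        byte[] nonce = new byte[32];
        RNG.nextBytes(nonce);
        return Base64.getEncoder().encodeToString(nonce);
    }

    // Both sides: HMAC-SHA256 over the challenge and the request body, keyed with the AuthKey.
    static byte[] sign(String authKey, String challenge, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(authKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        mac.update(challenge.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) '\n'); // separator so challenge and body cannot run together
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }

    // Website side: recompute with the stored AuthKey and compare in constant time.
    static boolean verify(String storedAuthKey, String challenge, String body, byte[] response) throws Exception {
        return MessageDigest.isEqual(sign(storedAuthKey, challenge, body), response);
    }

    public static void main(String[] args) throws Exception {
        String authKey = "constructed-sample-authkey"; // issued at registration, kept in the plugin's config
        String body = "{\"players\":12}";              // constructed sample payload
        String challenge = newChallenge();             // website -> plugin

        byte[] response = sign(authKey, challenge, body); // plugin -> website
        System.out.println("valid response:  " + verify(authKey, challenge, body, response));
        System.out.println("tampered body:   " + verify(authKey, challenge, "{\"players\":99}", response));
        System.out.println("wrong AuthKey:   " + verify("guess", challenge, body, response));
        System.out.println("stale challenge: " + verify(authKey, newChallenge(), body, response));
    }
}
```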
     
  11. Offline

    vasil7112

    Thanks a lot for the info.
    Well, hopefully I will do as much as I can to make it as secure as possible!
     