xAuth
xAuth v2.6.x
Authentication plugin for bukkit powered servers
About
xAuth is a second-factor authentication plugin that can be used to secure player accounts on your server. As the plugin has been enhanced over time, the direction and main purpose have expanded to new possibilities. Let's say you run a community page. With xAuth, players can authenticate using their forum accounts or using a web-driven account management system. It is also possible to get the credentials from a foreign database.
Important Notice
Before upgrading please read xAuth Documentation (external link). I have added documenation to my Confluence instance that will be updated over time. Permissions Node changed! If you get "command is restricted" you most likely did not check the release log.
Further Instructions can be found there.
Concept
The basic idea of this protection plugin is allowing players to register an account based on their player name and a supplied password and optionally their email-address. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.
Permissions (READ ME)
This plugin has the ability to block almost any action (including command execution) for guests and registered xauth players. It also does not use negated permissions in order to not interfere with existing plugins. Permissions are "allowed" or "restricted".
Important-Note:
In order to restrict certain actions executed by registered xauth players you need to restrict them since xauth players are trusted. This is different from guests since the default for guests is always "restrict" if not set since a guest is an unknown state. Guest nodes can also only be set via configuration and have the last say even if you might have the right to execute any command.
Please keep in mind in order to block admin commands you need to restrict them via xauth.restrict.player.command.xauth.* or add each command to a group.
This might be confusing at first but has its cons since you always can see if a permission is restricted or allowed via permission node and not via bullet point. More details can be found on page Permission-System
Features
- Before registering/logging in, players can't:
- Chat, execute commands, interact with objects (like levers or chests), move or pickup items
- Break or place blocks
- Receive or give damage, be targeted (followed) by hostile mobs
- Inventory and location protection
- Command TabCompletion including Configuration Node Browser!
- In-depth setting and message configuration
- Persistent login session through server restarts
- Player name filter and password complexity configuration
- Kick non-logged in (but registered) players after a configureable amount of time
- Fine graded Permission System that also allows you to block interactions or commands
- Permissions support (PermissionsEx, Bukkit, GroupManager)
- Kick or temporarily lockout the IP address of a player who fials to log in after a configureable amount of tries
- Custom, highly secure password hashing
- Authenticate yourself with /login <password>
- H2 / mySQL Database storage supported
- Authentication over URL (AuthURL) allows for connection to forum or website databases
- Auto-Updater (thanks to Gravity)
News
Checkout the News & Upcoming-Changes page for details.
Wiki
The Wiki is located on github.
Please visit the Github Project-Page and click on Wiki
Credits
All credits goes to CypherX from bukkit forums who created this plugin. Thanks for your work and long time support!
The old bukkit-thread can be found here
Contact
If you need help regarding the plugin please use the Issue Link in the navigation bar or contact me via private message.
@Rycerz16
@ottowilli555
Please send me a DM with startup log when xAuth is resolving Permissions. The important line is "Attached to" so be sure that this is included.
@oOBartekOo
And to be clear. I was going to delete this comment since it is invalid and will not fix any issues releted to guest permission nodes.
But instead let me clarify again: guest nodes do never query permission plugins. Only authenticated players will be checked against permission plugins. So if there is a problem with register, login, logout, quit command then it is not related to a permission plugin.
@ottowilli555
According to your log PermissionsEx is not used since the result was "Attached to Bukkit". See the message after checking if plugin is available.
I can only guess here but bukkit has an option that tells the server what plugin needs to be loaded first. In this case softdepend PermissionsEx. I do not know how Cauldron or any other server other than bukkit handle plugin.yml.
The plugin is only compatible with Bukkit-1.7.9-R0.2. Dont have tested it yet with any other server.
Most likely it will work with Spigot.
@Dadus2000
Check the server.log please. I believe you have the same issue as ottowilli555. PermissionsEx was not loaded before xAuth which means that xAuth will not use PermissionsEx as permission plugin.
@oOBartekOo
when using guest commands like register, login, logout, quit PermissionPlugins will be used to check for permission. This is entirely config related.
I.e. using register guest.allow.player.command.register will be checked in config.yml
xauth nodes in this case xauth.allow.player.command.register will only be checked when already logged in. There is no need to add permissions to the plugin.yml since this is only valid for bukkit permissions and even then xauth.allow is not needed to be added since the default would be OP.
Also using bukkit permissions it would require to use permissions.yml .. this is an entirely different topic.
@oOBartekOo
I'll try that.
@Dadus2000
@ottowilli555
You have to open the xauth WinRAR. and open notepad plugin.yml add permissions:
xauth.allow. *:
default: false
And it works properly as I did.
@ottowilli555
Yeah, same issue here, using spigot 1.8.3 and PEX. I gave the default group the xauth.allow.* perm and opped myself, but it still says I don't ave permission...
EDIT: I looked at your log, and it looks like xAuth ddn't even register group manager. Instead, it tried to use pex, failed, then tried to use bukkit. However that's not my case. From my log I can see PEX is hooked up properly, but still doesn't work.
@oOBartekOo: @Rycerz16:
I´ve got the same problem with Cauldron 1.7.10. I entered xauth.allow.* correctly in GroupManager 2.1.31 but have no permission to register, too, although I am op. Xauth (2.6.0) seems to not attech GroupManager correctly, although I add "gm" in config.
Here the log of xauth: Here the start log of xauth
@Rycerz16
you need to add permissions: xauth.allow.*
Works perfectly with Spigot 1.8.3 (tested)
Just gotta create folder lib on your server directory and add the H2 Library.
Thank you for uploading this.
Hopefully one day this will work under Spigot 1.8.3 :-) (not tested)
Just uploaded xAuth v2.6.0
Please read the release note attached to the file. I have added a new permission node that restricts usage of all admin commands since many of you give xauth.allow.* away simply because they want to use all foreign commands.
The new node is named xauth.security.player.use.admin.command
Technically you could add this as guest node too so make sure you dont add it and set it to true.
As for the new feature i was mentioning. I have delayed that for the next releases since i strugled a bit how to implement it safely. I found a way but im not that satisfied with it. Needs more testing. But since previous version introduced a bug where register command and login command does not work i had to release 2.6 earlier.
Just a short update:
I will release xAuth 2.6 tomorrow (Monday).
With 2.6 there will be changes to config command. I have added the ability to set, add, remove nodes from config so you do not need to go into config.yml and edit it there.
Added a new configuration node xauth.security since many of you set xauth.allow.* to disable xauth command and item filter and wonder why everyone can execute admin commands. This is especially useful when you already have PermissionsEx modifyworld enabled.
xauth.security comes with a new permission node that you need to set when you want to access admin nodes.
Previous you have given access to all admin commands when using xauth.allow.* this is now gone. This still means that someone can use all admin commands but only if xauth.security.player.use.admin.command is set. This should give you more power over admin command restriction. If you want to only give away specific admin commands you can still do this but have to add this special security node too.
I also added a new prefix node where you can deny certain player targets for xauth admin commands.
xauth.security.deny.command.xauth.<command>.<playername> would deny usage of that playername in that command. This is useful when you want to make sure that you do not get accidently removed by other admins or mods that can access admin commands.
Added a new command that can clean up unused playerdata xauth purge <player>. This command can be used to clear all playerdata for unregistered players.
Background: When you do xauth unregister player playerdata is still stored when the player is online at the moment having hide-inventory enabled since it logs them out and triggers inventory protect.
Using purge command you can clear that data so they will start with a new inventory. Currently when unregistering a player inventory stays in database when the player is online and register them again. Purge command will be later used for different uses like clear inactive users after a time. This is a planned feature.
Last but not least i optimized certain calls to permissions which should improve performance a bit.
A full changelog will be available until release.
@fr233 check-premium: true :)
can you add this feature:premium players don't need to register and login
in fact 1.8 is good,please update it to 1.8:)
@verreckdusau
this would be possible with spigot. Currently there are no spigot builds.
Just uploaded v2.5.1 this fixes usage of commnd /register for guests.
hei you gan add LoginQui ? (: