Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel ( #LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pickup items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dieing to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
  2. Offline


    Working fine on my end and your configuration looks fine. Maybe it's a different plugin causing a conflict.

    From the errors in the log it looks like there's probably something wrong with your database file. Not really sure as I've never seen that error before.

    @decebaldecebal - Try reading at LEAST the last page.

    I'll make it configurable or remove it all together in the next update.

    Unless my username magically becomes available on BukkitDev, nope.

    The PHP script would probably be your best bet at this point. Check out the Password Hashing page on my Github's wiki, it may help.

    Probably caused by a player disconnecting from the server before a scheduled task that involved them could run. Nothing to worry about unless it constantly happens.

    has anyone really been far even as decided to want even go do look more like?


    In other news, I'm currently working on xAuth 2.0 Final.
  3. Offline


    02:23:46 [SEVERE] null
    org.bukkit.command.CommandException: Unhandled exception executing command 'register' in plugin xAuth v2.0b4.1
    at org.bukkit.command.PluginCommand.execute(
    at org.bukkit.command.SimpleCommandMap.dispatch(
    at org.bukkit.craftbukkit.CraftServer.dispatchCommand(
    at net.minecraft.server.NetServerHandler.handleCommand(
    at net.minecraft.server.NetServerHandler.a(
    at net.minecraft.server.Packet3Chat.a(
    at net.minecraft.server.NetworkManager.b(
    at net.minecraft.server.NetServerHandler.a(
    at org.getspout.spout.SpoutNetServerHandler.a(
    at net.minecraft.server.NetworkListenThread.a(SourceFile:105)
    at net.minecraft.server.MinecraftServer.h(
    Caused by: java.lang.ArrayIndexOutOfBoundsException: 0
    at com.cypherx.xauth.Util.argsToString(
    at com.cypherx.xauth.Util.fixArgs(
    at com.cypherx.xauth.commands.RegisterCommand.onCommand(
    at org.bukkit.command.PluginCommand.execute(
    ... 13 more
  4. Offline


    Thanks for your feedback CypherX :)
  5. Offline


    nice Plugin, works fine! But I got a question to you :)
    Can you maybe add to the Config that we can choose the password hash? For example hash = md5/salt or whatever. But I have a homepage to register and login. And it is all based on just a md5 hash without salt. And till I edited all on my homepage to the salt XAuth use I will need much time. Can you maybe add just a md5 hash, so that users can choose to use the salt one or just the md5 hash?
  6. can you do something like when you leave the server you automaticly log out and than when they join the server they need to login before they can see there inventory , place blocks , break blocks , etc.. ?
  7. Offline


    @nathanisme In your config, set Length, under session, to 0
    @Ethneldryt that's the feature to protect the location of players. C'est pour protéger la position des joueurs; c'est pas un bug.
  8. do anyone know a plugin that normal players can't fly but op's can?
  9. Offline

    Boon Pek

    Can anyone please create a XenForo auth.php? :O I tried editing the SMF one but I think the hashing is different :/
  10. Offline


    What is the command to change the password?
  11. Offline


    The plugin is not-working for me. Every command i use, shows me the list of avaible commands. Please help me.
  12. Offline


    Is there a way to see a list of all the registered names? I am using flatfile btw, not MySQL.
  13. Offline


    Hi, pretty nice plugin, but I have a few questions.
    made a clean install with only PEX (permissionEX) installed.
    When I join my server I hang in the air respawning every 0,5s and often the view is blinking ?
    Help is appreciated !
  14. Offline


    @CypherX ,

    Can you implement a simple API for this? I am working on some plugins related to this using Spout and I really need a event onPlayerLogin , which will happen when a player has successfully logged in (registering and autologin included.) So that I can make events happen once the player has logged in.

  15. Offline


    doesn't work for me
  16. Offline


    Hi guys!
    I just worked hard (because I forgot that php's substr isn't the same as java's substring) to get a working implementation of the Hashing Algorithm in PHP.
    So, for example, if you want to check your user passwords with some PHP application now it's possible.
    I made 2 codes, inspired (the variable names are the same, even the code xD) from the original source code.
    Here you are
    check_hashes function which works with check_hashes ( "somepasswordtheuserentered", $thereal_loong_hash ).
    function check_hashes $pass $realhash ) {
    $saltpos    = ( ( strlen ($pass) >= strlen ($realhash) ) ? ( strlen ($realhash) - ) : strlen $pass ) );
    $salt       substr $realhash$saltpos12 );
    $hashtemp   hash ("whirlpool", ( $salt $pass ) );
    $passhash   substr $hashtemp0$saltpos ) . $salt substr $hashtemp$saltpos );
    $passhash == $realhash;
    Then here is it the genhashedpass, which generate a random salted password.
    Useful for testing check_hashes if you have doubts :p (check_hashes ("something", genhashedpass ("something"))) which works with: genhashedpass ("password").
    function gethashedpass ($password) {
    $salt substr (hash ("whirlpool"microtime(true)), 012);
    $hash hash ("whirlpool"$salt $password);
    $saltpos = ( ( strlen ($password) >= strlen ($hash) ) ? ( strlen ($hash) - ) : strlen ($password) );
    substr ($hash0$saltpos) . $salt substr ($hash$saltpos);
    Just wrote these because I needed to interface a web application with xAuth.
    Oh, another thing, because I initially choiced the h2 db, I also made a little perl script which creates the INSERT queries for MySQL. Tell me if you are interested (obviously is free, man!). It works only when there is no e-mail confirmation and there is already a .sql backup of the h2 database (generable from java -cp path/to/bukkit/lib/h2.jar -url jdbc:h2:path/to/xAuth - NOTE that you shouldn't put .db at the end).
    That's all and sorry if I went off topic (and for my bad english in some parts).
  17. Offline


    You can use authURL to connect your website database to be used with xAuth. I'm thinking about adding different hashing methods in a future update.

    xAuth doesn't have a flatfile data source, it's either H2 (default) or MySQL. At the moment there's no built-in way to see a list of registered players. Alternative methods, such as manually querying the database will work though.

    When location protection is enabled, a player is teleported to the world's spawn or a custom set 'teleport location' (see commands). Your worlds exact spawn is probably that position in the air so just set a teleport location.

    I've thought about it before but don't really have any experience creating an API so I never got around to it. I guess since it's finally been requested I should take it seriously and see what I can do.

    @Robertof - Don't mean to rain on your parade, but I've provided PHP functions for hashing and comparing passwords here.
  18. Offline


    hm I know how to make it not necessary to register (force register = false) but its still necessary to login -.- is there a way to turn this off? so that just the people who are registered have to login?
  19. Offline


    @CypherX ,
    You can google Creating Your Own Event and I'm sure you'd end up with lots of useful results. All you need to do is create an event and people can import your jarfile to include the classes in their projects, and voila, they have triggers.
  20. Offline


    You pretty much contradicted yourself there. When forced registration is disabled those who are registered can't do anything until they log in, but those who are not registered can move about freely.

    I have a general idea of how it works from looking through the [Craft]Bukkit and Spout sources. I'm sure I won't have any trouble figuring it out.
  21. Offline


    Alright, can you give me an ETA?
  22. Offline


    Without having even started? No way. I'm in the middle of a major refactor of the xAuth source so I'll start on the API once I get close to finishing.
  23. Offline


    OK, and is it possible for me to develop a GUI using Spout and you include the class files in your own package, so I do not have to make any links between plugins?

    Oh. So you already do have a GUI. Any chance on how to activate it?

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 12, 2016
  24. Offline


    It hasn't been completed yet. Part of this refactor is to implement GUI-based login and registration (and possibly more) forms.
  25. Offline


    Hi, is this a problem with my MySQL server, or is it a xAuth bug?

    xAuth version: 2.0b4.1
    CraftBukkit build: 1060
    Description of error/bug: Error log:
    Other information: I dont know how to reproduce the error. The server does not crash. After this error happened, it just runs normally.
  26. Offline


    lol I haven't saw that page.. but anyway that coding just gave me more experience ^^
    By the way, keep the good work for the plugin, it's awesome! ^_^ (except for H2 because I really hate it XD)
  27. Offline


    How can i make xAuth not to allow people with spaces to register?
  28. Offline


    @CypherX Is it possible an option like a blacklist instead of only a whitelist of allowed characters ?
    For example, if I want to allow any char except the colon I can't.
  29. Offline


    If the servers are down and someone tries to use the normal client to login in offline-mode, it automatically names them 'Player' and xAuth won't allow them to sign in to their actual account.

    Please add support for a username argument for /register and /login.

    Sincerely, userNo99

    I recommend utilizing the auto-naming to 'Player' to enable the username argument if and only if their name is 'Player' and possibly adding a message notifying them of such.
  30. Offline


    xAuth version beta 4.1
    CraftBukkit version 1060
    No error log(no errors with databeses(using mysql) and etc. Players can register and login on the server)
    Some issues with this plugin

    When this plugin is enabled the option filter doesn't make effect
        # Minimum length a players name can be
        min-length: 2
        # Characters that may be present in a players name. Use an asterisk (*) to allow all
        allowed: 'ABCDEFGHOJKLMNOPQRSTUVWXYZ-=_()[]abcdefghijklmnopqrstuvwxyz'
        # If set to false, players with blank names can connect
        blankname: true
    Player with nickname 213 asd can connect an register on the server. When the permissionsex is disabled plugin works normally and this player kicks on the join with message Your name contains one or more illegal characters.
  31. Offline


    is there a way that you can set it so that people can talk when they are not loged in
Thread Status:
Not open for further replies.

Share This Page