
Configure AuthMe being optional #611

Closed
EvilOlaf opened this issue Mar 16, 2016 · 21 comments

@EvilOlaf
Contributor

Hey there,

my idea was to use AuthMe as additional security layer for an online mode server.
Basically the registration should be completely optional. So all server features can be used unrestricted as AuthMe is entirely passive.

When a user decides to register with AuthMe, it will come into place and force a user after the next login to provide the proper password to be able to move, chat or whatever. All the stuff that AuthMe prevents from being executed when a user is not logged in.

So how would that increase security if it is optional?

Well actually Minecraft in online mode is pretty secure, but there are situations where you wish to have an additional layer of security which you can control personally. For example one of two siblings is a team mate and they share the same computer. The team mate did not log out of his Minecraft account and, well...everything is possible from this point.
There are also other quite rare situations where an additional layer of security can help, like stolen login credentials from Mojang or hijacked sessions.

Unfortunately I was not able to configure AuthMe as described above yet...honestly unsure if it is even possible this way.

Thanks for reading.

@ljacqu
Member

ljacqu commented Mar 16, 2016

Hi @EvilOlaf,

Thanks a lot for the detailed description. I wonder if it would suffice to set the following two values in your config.yml:

    registration:
        # Only registered and logged in players can play.
        # See restrictions for exceptions
        force: false

    # Somewhere else below
    allowAllCommandsIfRegistrationIsOptional: true

If not, this is basically a bug report and we need to fix whatever hinders unregistered players from playing normally with those settings.

@EvilOlaf
Contributor Author

Hey @ljacqu,

Actually setting registration force to false was my first attempt to configure this the way described above.

After setting allowAllCommandsIfRegistrationIsOptional and allowChat to true, at a first look everything looks normal.

However a small bug was discovered as authme reload did not have an effect when changing allowAllCommandsIfRegistrationIsOptional to true. Had to do a clean restart.

Another minor thing that I discovered was that the permission descriptions at http://dev.bukkit.org/bukkit-plugins/authme-reloaded/pages/permissions/ are incorrect in two ways.
Firstly the nodes seem to be called authme.player.register instead of authme.register and secondly they are not true at default.
Probably the same with authme.login and so on....

Anyway. After I figured the permission stuff out I was able to create an account for myself and indeed was being nagged for the password as expected.
The major problem at this point is that I can use all other server commands which were available for my user group while being nagged for the password. Also using chat is possible.
The inventory is empty and moving does not work which is wanted.

Btw. Spigot 1.8.8 with 5.2-SNAPSHOT-b887

Summary

  • Fix documentation where needed (permission nodes)
  • Fix authme reload for missing options
  • Fix situation where player is not logged in but can take action.

@sgdc3
Member

sgdc3 commented Mar 16, 2016

if force: false we should disable every security check (all the listeners)
What do you think? @ljacqu @DNx5 @games647

@ljacqu
Member

ljacqu commented Mar 16, 2016

Sounds good—I can take a look at this after I merge my current branch.

@sgdc3
Member

sgdc3 commented Mar 16, 2016

Ok, thanks @ljacqu ;)

@ljacqu
Member

ljacqu commented Apr 22, 2016

@EvilOlaf @sgdc3 @acidbyt3—request for comments

Sorry for the long wait. I had an extended look at this now and I can't find anything wrong. If force register is not enabled, players who are not registered can go about their way (use commands, interact with entities, get hungry, ...) without any message from AuthMe. If a player is registered, as long as he does not log in, disallowed commands are blocked and there is no possibility of interaction (cannot drop items, etc.).

It's important that the following option be NOT set to true, i.e.:

    allowAllCommandsIfRegistrationIsOptional: false

ljacqu added the Status: awaiting answer label and removed the Status: in progress label on Apr 22, 2016
@sgdc3
Member

sgdc3 commented Apr 23, 2016

@ljacqu are you sure? We don't have any check that excludes event listener if reg is not forced :/

@ljacqu
Member

ljacqu commented Apr 23, 2016

We do: typically we call a method on ListenerService, which does little more than calling Utils#checkAuth(). That method is aware of the force thing :)
Honestly, try it out. Maybe I missed something but things behaved as I expected them to.

@EvilOlaf
Contributor Author

@ljacqu I took another look at it and you were right. It seems to work as expected with allowAllCommandsIfRegistrationIsOptional set to false. 👍

Anyway, please do not forget about the other minor stuff I mentioned above ;).
I also noticed another minor thing. When registration is optional and a player gets unregistered by console (probably the same effect if the player would have permission to unregister himself) he gets nagged to register himself. A relog fixes this.

@sgdc3
Member

sgdc3 commented Apr 23, 2016

@ljacqu what about the allowallcommands option?

@sgdc3
Member

sgdc3 commented Apr 23, 2016

line 130 of the player listener @ljacqu

@ljacqu
Member

ljacqu commented Apr 23, 2016

@EvilOlaf Sorry it took so long just to reply with "make sure this setting isn't enabled" 🐙
The other things you've mentioned:

@sgdc3 I haven't really looked at that setting in detail, since it's not part of this issue. What happens if you set it to true? It was added by you in https://github.com/AuthMe-Team/AuthMeReloaded/commit/4c265f18797284ce017a327675dcf0396265ce70
If registration is not forced and that setting is enabled, any user can perform any command, no matter whether unregistered, not logged in, or logged in. But other things—like damage, movement, chat—seem to behave the "old" way (prevent events if registered but not logged in)
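Added example, not AuthMe's own code: a small Python model of the decision logic ljacqu describes in the Apr 22 and Apr 23 comments, so an operator can check what a given combination of registration.force and allowAllCommandsIfRegistrationIsOptional permits for commands versus other events. The class and function names, and the exemption of the login/register commands, are assumptions.

```python
from dataclasses import dataclass


# Hypothetical model of the two settings discussed in this issue (assumed names).
@dataclass(frozen=True)
class AuthMeConfig:
    force_registration: bool              # registration.force
    allow_all_commands_if_optional: bool  # allowAllCommandsIfRegistrationIsOptional


@dataclass(frozen=True)
class Player:
    registered: bool
    logged_in: bool


# Commands a player must be able to run while unauthenticated (assumed set).
ALWAYS_ALLOWED = {"login", "register"}


def is_authenticated(cfg: AuthMeConfig, player: Player) -> bool:
    """Force-aware auth check: an unregistered player only counts as
    authenticated when registration is optional (force: false)."""
    if player.logged_in:
        return True
    return not player.registered and not cfg.force_registration


def event_allowed(cfg: AuthMeConfig, player: Player) -> bool:
    """Movement, chat, damage, item drops: gated purely on authentication."""
    return is_authenticated(cfg, player)


def command_allowed(cfg: AuthMeConfig, player: Player, command: str) -> bool:
    """Commands additionally honour allowAllCommandsIfRegistrationIsOptional,
    which together with force: false lets anyone run anything, including a
    registered player who has not logged in yet."""
    if command in ALWAYS_ALLOWED:
        return True
    if not cfg.force_registration and cfg.allow_all_commands_if_optional:
        return True
    return is_authenticated(cfg, player)


def config_warnings(cfg: AuthMeConfig) -> list[str]:
    """Flag the combination that defeats the 'optional second layer' setup."""
    warnings = []
    if not cfg.force_registration and cfg.allow_all_commands_if_optional:
        warnings.append("allowAllCommandsIfRegistrationIsOptional: true lets "
                        "registered players run commands before /login; set it to false")
    return warnings
```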

@EvilOlaf
Contributor Author

EvilOlaf commented Apr 23, 2016

No worries. I spend an awful lot of time testing my stuff before using it in production. So several months of waiting time are normal :P

@sgdc3
Member

sgdc3 commented Apr 23, 2016

Atm I'm abroad, I'll update perm nodes asap

ljacqu removed the Status: awaiting answer label on Apr 24, 2016
ljacqu added this to the 5.2 Release milestone on Apr 30, 2016
@ljacqu
Member

ljacqu commented Apr 30, 2016

@EvilOlaf Thanks for being so cool about it ^^ Had a look at /authme unregister and it should now be similar to the behavior of /unregister, i.e. player can continue going about his way with optional registration even when an admin unregistered him.

@ljacqu
Member

ljacqu commented May 25, 2016

Closing: no answer, assuming it was completed.

@EvilOlaf
Contributor Author

Sorry, missed that totally. Did not test anything there yet, maybe sometime in the future.

@ljacqu
Member

ljacqu commented May 25, 2016

@EvilOlaf No worries! If something comes up, please feel free to reopen this or create a new issue :)

@EvilOlaf
Contributor Author

Probably creating a new one as I do not have permission to reopen this ;)

@sgdc3
Member

sgdc3 commented May 25, 2016

Just tag me if you want to reopen ;) @sgdc3

@EvilOlaf
Contributor Author

Will do <3
