Add option to change plugin messaging channel in configuration.
Linked: https://github.com/AuthMe/AuthMeReloaded/issues/1827
After this update, AuthMe can be supported on Velocity without any problems: https://github.com/LiteDevelopers/AuthMeLiteVelocity
The main concern with this option is that when a channel different from the "BungeeCord" one is used, there is nothing preventing clients from injecting messages and bypassing the login request. (The BungeeCord proxy ensures that the client can't send messages on the "BungeeCord" channel.)
The only possible solution I can think of is to force the server owner to set a shared secret when the used channel is not the default "BungeeCord" one. Idk, it's just an idea.
@sgdc3 https://github.com/LiteDevelopers/AuthMeLiteVelocity/blob/0d93d8f3f1ce388115fcc0678294da99efac9956/src/main/java/fr/xephi/authmevelocity/listeners/VelocityMessageListener.java#L46 this check should solve the problem
A similar solution can be found in the FastLogin plugin for Velocity: https://github.com/games647/FastLogin/blob/d2c94af4a776b93c52fa97fd5636aa3924ca7af3/velocity/src/main/java/com/github/games647/fastlogin/velocity/listener/PluginMessageListener.java#L72
I guess that should prevent this from happening, if not, then maybe it will try to solve it with a secret key.
I had a quick look at the provided solutions. If I am not mistaken, the problem @sgdc3 is referring to is not verifying whether a message is coming from a server (both links refer to a proxy environment receiving a message from a server) but verifying whether it is coming from the proxy while being a server. I have zero knowledge of Velocity, but if a channel doesn't provide a local setting, as the BungeeCord channel does, a user will be able to send a plugin message emulating a proxy login request that we take as valid. A solution, as @sgdc3 already stated, would be to validate a secret (as done in FastLogin, for example) or to find a local setting in the Velocity channel system.
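The shared-secret idea raised in this thread, sketched as an added example that is not code from AuthMe, FastLogin or Velocity: the proxy prefixes each plugin message with an HMAC tag, and the backend server drops any frame whose tag does not verify. The class name, frame layout, freshness window and sample payload are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Hypothetical helper: not part of AuthMe, FastLogin or Velocity.
public final class SignedPluginMessage {
    private static final String ALGO = "HmacSHA256";
    private static final int TAG_LEN = 32;          // HMAC-SHA256 output size
    private static final long MAX_AGE_MS = 5_000;   // assumed freshness window

    private static byte[] hmac(byte[] secret, byte[] data) throws Exception {
        Mac mac = Mac.getInstance(ALGO);
        mac.init(new SecretKeySpec(secret, ALGO));
        return mac.doFinal(data);
    }

    // Proxy side. Assumed frame layout: tag(32) || timestamp(8) || payload
    public static byte[] sign(byte[] secret, long nowMs, byte[] payload) throws Exception {
        byte[] body = ByteBuffer.allocate(8 + payload.length).putLong(nowMs).put(payload).array();
        return ByteBuffer.allocate(TAG_LEN + body.length).put(hmac(secret, body)).put(body).array();
    }

    // Backend side: returns the payload, or null if the frame must be ignored.
    public static byte[] verify(byte[] secret, long nowMs, byte[] frame) throws Exception {
        if (frame.length < TAG_LEN + 8) return null;             // too short to be signed
        byte[] tag = Arrays.copyOfRange(frame, 0, TAG_LEN);
        byte[] body = Arrays.copyOfRange(frame, TAG_LEN, frame.length);
        if (!MessageDigest.isEqual(tag, hmac(secret, body))) return null; // constant-time compare
        long sentAt = ByteBuffer.wrap(body).getLong();
        if (Math.abs(nowMs - sentAt) > MAX_AGE_MS) return null;  // stale frame
        return Arrays.copyOfRange(body, 8, body.length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not AuthMe's real message format.
        byte[] secret = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);
        byte[] login = "perform.login:Steve".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        byte[] frame = sign(secret, now, login);
        System.out.println("genuine accepted:  " + (verify(secret, now, frame) != null));
        System.out.println("unsigned rejected: " + (verify(secret, now, login) == null));
        frame[frame.length - 1] ^= 1; // flip one bit of the payload
        System.out.println("tampered rejected: " + (verify(secret, now, frame) == null));
    }
}
```

The timestamp only limits how long a captured frame stays valid. The secret itself has to be configured on both the proxy and the backend server and kept out of anything sent to clients.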