Jump to content
Search the Forums BEFORE making a new post.
Currently supported: All versions

Verifying players on a 3rd party server

Zethariel

By Zethariel
in Modder Support

 Share

Recommended Posts

Zethariel Stone Miner

Zethariel

Posted
Posted

Hello there.

 

Recently I've been developing a skin swap mod, one that allows you to upload your skin from the mod to a 3rd party server. Now that everything more or less works how it should, I have found myself stumped on the problem of securing any changes made to said skins.

 

The scenario: Player sends out POST to server with image data, his UUID and some other information. Server reads the image, stores it and updates database.

 

The problem: Anyone with a utility that can send POSTs can send a similar package and overwrite user's skin to anything. How to make sure that:

a) The player sending the data is the one owning the skin

b) The utility used to send the data is the Mod.

 

I've tried looking into Yggdrasil authentication, but it doesn't have a method to confirm to whom the security token belongs to - any valid token returns a positive response and would be a poor security measure.

 

I don't want to use the Authentication method, since it would invalidate the user's own Minecraft token, and I don't have a SSL certificate on my server.

 

At the moment I'm totally at a loss for what to do. I would appreciate any pokes in the right direction.

 

Thanks

I do pony stuff :3

Zethariel Stone Miner

Zethariel

Posted
  • Author
Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

I do pony stuff :3

ovikk Stone Miner

ovikk

Posted
Posted

Make your mod have many secret passcodes sent with the messages. When the server gets the message, the server should then check if the passcode maches some decrypted versions stored. That way you can check if the sender is your mod.

 

Encrypt the entire message. That way, people can't see what you're sending in the package, and create their own packages out of that.

 

You should also send in the message, the location, where, when, and why the message was sent. Then check that data with your data, and see if it should update its content.

 

 

 

 

 

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Kloonder Creeper Killer

Kloonder

Posted
Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

E-Mail? Something like that

Creator of Extra Shoes

 

Watch out, I'm total jerk, and I'll troll anybody if it feels like its necessary. Pls report me then

Draco18s Reality Controller

Draco18s

Posted
Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

Salt and hash. Done.

Apparently I'm a complete and utter jerk and come to this forum just like to make fun of people, be confrontational, and make your personal life miserable.  If you think this is the case, JUST REPORT ME.  Otherwise you're just going to get reported when you reply to my posts and point it out, because odds are, I was trying to be nice.

 

Exception: If you do not understand Java, I WILL NOT HELP YOU and your thread will get locked.

 

DO NOT PM ME WITH PROBLEMS. No help will be given.

Zethariel Stone Miner

Zethariel

Posted
  • Author
Posted

Make your mod have many secret passcodes sent with the messages. When the server gets the message, the server should then check if the passcode maches some decrypted versions stored. That way you can check if the sender is your mod.

 

Encrypt the entire message. That way, people can't see what you're sending in the package, and create their own packages out of that.

 

You should also send in the message, the location, where, when, and why the message was sent. Then check that data with your data, and see if it should update its content.

 

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

Salt and hash. Done.

 

So basically add a crapton of data and work out my own encryption and decryption method. Okay, sounds good, I guess. Thanks!

I do pony stuff :3

ovikk Stone Miner

ovikk

Posted
Posted

Out of mere curiosity; HOW do you get a SSL certificate?

 

EDIT: added a word

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Zethariel Stone Miner

Zethariel

Posted
  • Author
Posted

You can make a secure (as in nobody can listen) SSL connection with a self-signed certificate. You will not be able to ensure however that the person on the other end actually is who they say they are. The only way to properly verify this is through an official SSL certificate. If you don't have one, you cannot make a secure connection (the option "make your own" does not count. SSL has been developed for MANY years and it still has bugs like heartbleed. Anything that you write on your own will be open like a hangar gate in comparison).

 

Yeah, I didn't want to do that. In the end, the data I'll be sending won't be sensitive in the way that obtaining them will give a potential troublemaker any edge. I'll just make sure to hash the messages sent well enough so they can't be decrypted too easily. I don't imagine many people would want to waste time on trying to crack an encoded minecraft POST message, while not being too obvious for those who would do it out of curiousity due to low security

I do pony stuff :3

ovikk Stone Miner

ovikk

Posted
Posted

Out of mere curiosity; do you get a SSL certificate?

I think there is a word missing here.

Oh my gosh, Oops!

 

My typing was a little fast. It was supposed to be *how*.

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Zethariel Stone Miner

Zethariel

Posted
  • Author
Posted

Out of mere curiosity; do you get a SSL certificate?

I think there is a word missing here.

Oh my gosh, Oops!

 

My typing was a little fast. It was supposed to be *how*.

 

You either buy it from a certified vendor or self-sign one yourself using OpenSSL (at least on Linux). But a self-signed one isn't really honored anywhere, and the webpage will still be displayed as insecure

I do pony stuff :3

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

Announcements



  • Recently Browsing

    • No registered users viewing this page.

  • Posts

    • vals_kenway
      Problem Sync Client-server for Entity Mount

      By vals_kenway · Posted

      Version 1.19 - Forge 41.0.63 I want to create a wolf entity that I can ride, so far it seems to be working, but the problem is that when I get on the wolf, I can’t control it. I then discovered that the issue is that the server doesn’t detect that I’m riding the wolf, so I’m struggling with synchronization. However, it seems to not be working properly. As I understand it, the server receives the packet but doesn’t register it correctly. I’m a bit new to Java, and I’ll try to provide all the relevant code and prints *The comments and prints are translated by chatgpt since they were originally in Spanish* Thank you very much in advance No player is mounted, or the passenger is not a player. No player is mounted, or the passenger is not a player. No player is mounted, or the passenger is not a player. No player is mounted, or the passenger is not a player. No player is mounted, or the passenger is not a player. MountableWolfEntity package com.vals.valscraft.entity; import com.vals.valscraft.network.MountSyncPacket; import com.vals.valscraft.network.NetworkHandler; import net.minecraft.client.Minecraft; import net.minecraft.network.syncher.EntityDataAccessor; import net.minecraft.network.syncher.EntityDataSerializers; import net.minecraft.network.syncher.SynchedEntityData; import net.minecraft.server.MinecraftServer; import net.minecraft.server.level.ServerPlayer; import net.minecraft.world.entity.EntityType; import net.minecraft.world.entity.Mob; import net.minecraft.world.entity.ai.attributes.AttributeSupplier; import net.minecraft.world.entity.ai.attributes.Attributes; import net.minecraft.world.entity.animal.Wolf; import net.minecraft.world.entity.player.Player; import net.minecraft.world.entity.Entity; import net.minecraft.world.InteractionHand; import net.minecraft.world.InteractionResult; import net.minecraft.world.item.ItemStack; import net.minecraft.world.item.Items; import net.minecraft.world.level.Level; import net.minecraft.world.phys.Vec3; import net.minecraftforge.event.TickEvent; import net.minecraftforge.eventbus.api.SubscribeEvent; import net.minecraftforge.network.PacketDistributor; public class MountableWolfEntity extends Wolf { private boolean hasSaddle; private static final EntityDataAccessor<Byte> DATA_ID_FLAGS = SynchedEntityData.defineId(MountableWolfEntity.class, EntityDataSerializers.BYTE); public MountableWolfEntity(EntityType<? extends Wolf> type, Level level) { super(type, level); this.hasSaddle = false; } @Override protected void defineSynchedData() { super.defineSynchedData(); this.entityData.define(DATA_ID_FLAGS, (byte)0); } public static AttributeSupplier.Builder createAttributes() { return Wolf.createAttributes() .add(Attributes.MAX_HEALTH, 20.0) .add(Attributes.MOVEMENT_SPEED, 0.3); } @Override public InteractionResult mobInteract(Player player, InteractionHand hand) { ItemStack itemstack = player.getItemInHand(hand); if (itemstack.getItem() == Items.SADDLE && !this.hasSaddle()) { if (!player.isCreative()) { itemstack.shrink(1); } this.setSaddle(true); return InteractionResult.SUCCESS; } else if (!level.isClientSide && this.hasSaddle()) { player.startRiding(this); MountSyncPacket packet = new MountSyncPacket(true); // 'true' means the player is mounted NetworkHandler.CHANNEL.sendToServer(packet); // Ensure the server handles the packet return InteractionResult.SUCCESS; } return InteractionResult.PASS; } @Override public void travel(Vec3 travelVector) { if (this.isVehicle() && this.getControllingPassenger() instanceof Player) { System.out.println("The wolf has a passenger."); System.out.println("The passenger is a player."); Player player = (Player) this.getControllingPassenger(); // Ensure the player is the controller this.setYRot(player.getYRot()); this.yRotO = this.getYRot(); this.setXRot(player.getXRot() * 0.5F); this.setRot(this.getYRot(), this.getXRot()); this.yBodyRot = this.getYRot(); this.yHeadRot = this.yBodyRot; float forward = player.zza; float strafe = player.xxa; if (forward <= 0.0F) { forward *= 0.25F; } this.flyingSpeed = this.getSpeed() * 0.1F; this.setSpeed((float) this.getAttributeValue(Attributes.MOVEMENT_SPEED) * 1.5F); this.setDeltaMovement(new Vec3(strafe, travelVector.y, forward).scale(this.getSpeed())); this.calculateEntityAnimation(this, false); } else { // The wolf does not have a passenger or the passenger is not a player System.out.println("No player is mounted, or the passenger is not a player."); super.travel(travelVector); } } public boolean hasSaddle() { return this.hasSaddle; } public void setSaddle(boolean hasSaddle) { this.hasSaddle = hasSaddle; } @Override protected void dropEquipment() { super.dropEquipment(); if (this.hasSaddle()) { this.spawnAtLocation(Items.SADDLE); this.setSaddle(false); } } @SubscribeEvent public static void onServerTick(TickEvent.ServerTickEvent event) { if (event.phase == TickEvent.Phase.START) { MinecraftServer server = net.minecraftforge.server.ServerLifecycleHooks.getCurrentServer(); if (server != null) { for (ServerPlayer player : server.getPlayerList().getPlayers()) { if (player.isPassenger() && player.getVehicle() instanceof MountableWolfEntity) { MountableWolfEntity wolf = (MountableWolfEntity) player.getVehicle(); System.out.println("Tick: " + player.getName().getString() + " is correctly mounted on " + wolf); } } } } } private boolean lastMountedState = false; @Override public void tick() { super.tick(); if (!this.level.isClientSide) { // Only on the server boolean isMounted = this.isVehicle() && this.getControllingPassenger() instanceof Player; // Only print if the state changed if (isMounted != lastMountedState) { if (isMounted) { Player player = (Player) this.getControllingPassenger(); // Verify the passenger is a player System.out.println("Server: Player " + player.getName().getString() + " is now mounted."); } else { System.out.println("Server: The wolf no longer has a passenger."); } lastMountedState = isMounted; } } } @Override public void addPassenger(Entity passenger) { super.addPassenger(passenger); if (passenger instanceof Player) { Player player = (Player) passenger; if (!this.level.isClientSide && player instanceof ServerPlayer) { // Send the packet to the server to indicate the player is mounted NetworkHandler.CHANNEL.send(PacketDistributor.PLAYER.with(() -> (ServerPlayer) player), new MountSyncPacket(true)); } } } @Override public void removePassenger(Entity passenger) { super.removePassenger(passenger); if (passenger instanceof Player) { Player player = (Player) passenger; if (!this.level.isClientSide && player instanceof ServerPlayer) { // Send the packet to the server to indicate the player is no longer mounted NetworkHandler.CHANNEL.send(PacketDistributor.PLAYER.with(() -> (ServerPlayer) player), new MountSyncPacket(false)); } } } @Override public boolean isControlledByLocalInstance() { Entity entity = this.getControllingPassenger(); return entity instanceof Player; } @Override public void positionRider(Entity passenger) { if (this.hasPassenger(passenger)) { double xOffset = Math.cos(Math.toRadians(this.getYRot() + 90)) * 0.4; double zOffset = Math.sin(Math.toRadians(this.getYRot() + 90)) * 0.4; passenger.setPos(this.getX() + xOffset, this.getY() + this.getPassengersRidingOffset() + passenger.getMyRidingOffset(), this.getZ() + zOffset); } } } MountSyncPacket package com.vals.valscraft.network; import com.vals.valscraft.entity.MountableWolfEntity; import net.minecraft.network.FriendlyByteBuf; import net.minecraft.server.level.ServerLevel; import net.minecraft.server.level.ServerPlayer; import net.minecraft.world.entity.Entity; import net.minecraft.world.entity.player.Player; import net.minecraftforge.network.NetworkEvent; import java.util.function.Supplier; public class MountSyncPacket { private final boolean isMounted; public MountSyncPacket(boolean isMounted) { this.isMounted = isMounted; } public void encode(FriendlyByteBuf buffer) { buffer.writeBoolean(isMounted); } public static MountSyncPacket decode(FriendlyByteBuf buffer) { return new MountSyncPacket(buffer.readBoolean()); } public void handle(NetworkEvent.Context context) { context.enqueueWork(() -> { ServerPlayer player = context.getSender(); // Get the player from the context if (player != null) { // Verifies if the player has dismounted if (!isMounted) { Entity vehicle = player.getVehicle(); if (vehicle instanceof MountableWolfEntity wolf) { // Logic to remove the player as a passenger wolf.removePassenger(player); System.out.println("Server: Player " + player.getName().getString() + " is no longer mounted."); } } } }); context.setPacketHandled(true); // Marks the packet as handled } } networkHandler package com.vals.valscraft.network; import com.vals.valscraft.valscraft; import net.minecraft.resources.ResourceLocation; import net.minecraftforge.network.NetworkRegistry; import net.minecraftforge.network.simple.SimpleChannel; import net.minecraftforge.network.NetworkEvent; import java.util.function.Supplier; public class NetworkHandler { private static final String PROTOCOL_VERSION = "1"; public static final SimpleChannel CHANNEL = NetworkRegistry.newSimpleChannel( new ResourceLocation(valscraft.MODID, "main"), () -> PROTOCOL_VERSION, PROTOCOL_VERSION::equals, PROTOCOL_VERSION::equals ); public static void init() { int packetId = 0; // Register the mount synchronization packet CHANNEL.registerMessage( packetId++, MountSyncPacket.class, MountSyncPacket::encode, MountSyncPacket::decode, (msg, context) -> msg.handle(context.get()) // Get the context with context.get() ); } }  
    • TileEntity
      Trying to play any world is stuck on 100% loading and shuts down computer

      By TileEntity · Posted

      Also make a test without EMF (Entity Model Features)
    • TileEntity
      Server Keeps Crashing When I Press E in Creative only

      By TileEntity · Posted

      Do you use features of inventory profiles next (ipnext) or is there a change without it?
    • TileEntity
      Duplicate mod issue on modpack startup

      By TileEntity · Posted

      Keep on this thread:  
    • TileEntity
      Duplicate mod issue on modpack startup

      By TileEntity · Posted

      Remove rubidium - you are already using embeddium, which is a fork of rubidium

  • Topics

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept