ClientID access control vs. player name

Discussion in 'Plugin Development' started by Javier, Apr 21, 2017.

  1. Javier

    Javier New Member

    Mar 12, 2017
    5
    1
    3
    Hello,

    I am creating a nukkit server to be used privately, but available on the Internet (to be able to play on the road). I have whitelisted it to only the selected users (by name). But my point is: is this secure enough? I mean that user names are usualy easy to guess (even by bruteforce or social hacking).

    I do not what to use any of the fancy login plugins, because it is to be used by kids and newbies, so I want them to just connect. So I have though of the following: create a new plugin that also whitelists client IDs: only the selected clientIDs would be able to connect. The combination of clientID + username makes it much harder to guess. Do you think it is overkill? Do you think the username whitelist only is secure enough? Why?

    Finally: I have readed the source code for nukkit and it seems pretty easy to add to the main server code (instead of as pluging). Do you think it would make sense to add it to the main code?

    Thanks,
    J
     
    Primus likes this.
  2. CreeperFace

    CreeperFace Member

    Jan 16, 2016
    97
    18
    8
    Male
    Everything that is possible to make in plugin you should make as plugin, because then you can simply update nukkit to newer version without modifing the code everytime. and I think id like 59be8aaf-260c-3f8e-83ab-5561c06370ea is enough. But players, can quite easy change their id by editing file or using toolbox, so I don't recommend to use it as absolutely unique ID, it works like there is not almost chance to find two players with the same ID, but also one player can have more IDs.
     
  3. Javier

    Javier New Member

    Mar 12, 2017
    5
    1
    3
    Good point. Right now, in the main code, I am merging from the master GIT branch. But I get your point, will go for the plugin approach if I can.

    The point is: who can I? The Plugin/CommandExecutor interface (and BasePlugin class) does not seem to have a way to intercept the Login procedure.

    I have just found that clientID is deprecated and I should use getUniqueId() (which is a UUID comming from the client during the connect phase, see Player.java:1941). No problem, I can do it. The point is: do any of you know if such UUID is confidential to the player? I mean, does a player somehow receive the UUID of other players as part of any other action (such as chat message or the like).

    I do not mind the players being able to change it. From the security point of view, the client is to be considered untrustable. If the player changes it, he will just not be able to connect until the admin whitelists him again.

    Also, if a player-person has more than one uuid, no problem, the admin just needs to whitelist both of them. No problem.

    Do anybody see any problem here?
     
  4. CreeperFace

    CreeperFace Member

    Jan 16, 2016
    97
    18
    8
    Male
    Idk how exactly UUID works, so i use it for autologin, If player change their UUID, its their problem and will have to login via command, but idk If UUID can be changed by itself. But If you want it for all players i do not recommend it because many players are not too smart, so they will change their UUID even If you tell them that they can't, and then they wont be able to connect.
     
    Primus likes this.
  5. Javier

    Javier New Member

    Mar 12, 2017
    5
    1
    3
    Hi,

    I have made some more code surfing. If I understand the code correctly, each player is sent the uuid of the rest of players when each user logs-in (see code below from Player.java).

    So using it as white-listing mechanism, as I was trying to do... well... it is slightly better than the standard whitelisting mechanism (which uses playername, which can be change directly from the UI of the client), but not very secure.

    Any other idea? I really do not want to bother my users, who are kids, with /login commands... I would like me to configure their clients once and let them forget.


    Code:
        protected void processLogin() {
    [...]
            this.server.sendFullPlayerListData(this);
    [...]
        }
        public void sendFullPlayerListData(Player player) {
            final UUID uuid = player.getUniqueId();
            PlayerListPacket pk = new PlayerListPacket();
            pk.type = PlayerListPacket.TYPE_ADD;
            pk.entries = this.playerList.values()
                    .stream()
                    .filter(p -> !p.getUniqueId().equals(uuid))
                    .map(p -> new PlayerListPacket.Entry(
                            p.getUniqueId(),
                            p.getId(),
                            p.getDisplayName(),
                            p.getSkin()))
                    .toArray(PlayerListPacket.Entry[]::new);
    
            player.dataPacket(pk);
        }
    
    
     
  6. Primus

    Primus New Member

    Oct 15, 2016
    7
    5
    3
    Male
    As @CreeperFace said, if their UUID changes, it's their fault and therefore must verify their identity via login command.
     
  7. Javier

    Javier New Member

    Mar 12, 2017
    5
    1
    3
    Does uuid really change on IP change? I have changed the IP of my cell phone (assigning a static IP though DHCP), but the uuid remained the same. However, uuid is shared with every other player, so not really private (not to be worried on my small private server, but worrable in more serious servers).