feat(premium): cryptographic session verification for premium bypass#3019
TuxCoding left a comment:
I hope you don't mind my many comments :D
I performed a CodeRabbit review in TuxCoding#14 and it found some noteworthy things. I copied the relevant things here.
TuxCoding left a comment:
How did the translation files break? :D
The pending verification looks good so far.
And what happens if the license name is changed? Will the account be locked?
Should be fixed with ec5038a
During the /premium process, you're kicked, you have to re-login to enable the premium feature completely. If you change your account name later, you may have to /login & /freemium + /premium again, but you won't be locked.

Everything works.

We still use sessions even though we don't need them if we already use premium mode.

Why do we store only the online UUID in the DB?

Everything works now, feel free to merge.
…bypass
- fix(messages): restore UTF-8 encoding in de/br/et translation files
- fix(premium): avoid removing fresh cache entry on expiry check
- fix(premium): use Bukkit async scheduler and refresh proxy carrier player
- fix(premium): cache updating workflow was broken
- fix(premium): Re-order session handling so premium users don't consume sessions uselessly
- fix(premium): Correctly select the translated kick message
- feat(proxy): send premium ids list in chunks for large lists


Requirements
are using proxy mode (see "Behind a proxy" on docs/premium.md).
How it works
When a premium-enrolled player connects, AuthMe intercepts the Minecraft login handshake at the packet level:

```mermaid
sequenceDiagram
    autonumber
    participant C as Client
    participant S as Server (AuthMe + PacketEvents)
    participant M as Mojang
    C->>S: LOGIN_START (name)
    Note over S: ① DB: isPremium → true (async)
    S->>C: ENCRYPTION_REQUEST (RSA-1024 Key + Random Token)
    rect rgb(240, 240, 240)
        Note right of C: Client starts encrypting outbound traffic
        C->>M: POST /session/minecraft/join
        C->>S: ENCRYPTION_RESPONSE (enc sharedSecret + Token)
    end
    Note over S: ② RSA-decrypt sharedSecret (sync/event-loop)
    Note over S: ③ Install AES/CFB8 Netty ciphers (sync, client sends encrypted from here)
    S->>M: ④ Verify token + GET /hasJoined (async)
    M-->>S: {uuid, name, properties}
    Note over S: ⑤ Store verified UUID (60s TTL)
    Note over S: ⑥ Re-inject LOGIN_START
    S->>C: Login Success
    rect rgb(230, 245, 230)
        Note over S: AsynchronousJoin:
        Note over S: getVerifiedUuid(name) == auth.getPremiumUuid() -> Success / Auto-Login
    end
```
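The server-side checks behind steps ② to ⑥ and the AsynchronousJoin comparison, sketched in Python as an added example (this is not code from this PR or from AuthMe). It assumes the RSA decryption has already happened, that the Mojang `hasJoined` lookup is an injected callable (a hypothetical stand-in for the real HTTP request), and that the `serverId` string is empty as in the vanilla login flow.

```python
import hashlib
import hmac
import time
import uuid

VERIFIED_TTL_SECONDS = 60  # the "60s TTL" from the sequence diagram

def minecraft_digest(*parts: bytes) -> str:
    """Minecraft's server hash: SHA-1 of the concatenated parts, rendered as a
    signed two's-complement integer in hex (a negative digest gets a leading '-')."""
    raw = hashlib.sha1(b"".join(parts)).digest()
    return format(int.from_bytes(raw, "big", signed=True), "x")

class PremiumSessionVerifier:
    def __init__(self, has_joined, clock=time.monotonic):
        self._has_joined = has_joined  # stand-in for GET /hasJoined (injected, hypothetical)
        self._clock = clock
        self._verified = {}  # lower-case name -> (dashed uuid, expiry time)

    def verify(self, name, sent_token, received_token, shared_secret, server_pubkey_der):
        # Steps ②-④: the RSA-decrypted verify token must equal the one we sent; a
        # constant-time compare keeps a forged ENCRYPTION_RESPONSE from being tuned byte by byte.
        if not hmac.compare_digest(sent_token, received_token):
            return None
        # Assumption: serverId is the empty string, as in the vanilla login flow.
        server_id = minecraft_digest(b"", shared_secret, server_pubkey_der)
        profile = self._has_joined(name, server_id)
        if profile is None or profile.get("name", "").lower() != name.lower():
            return None
        # Step ⑤: Mojang returns the id without dashes; store it in canonical dashed form.
        verified = str(uuid.UUID(profile["id"]))
        self._verified[name.lower()] = (verified, self._clock() + VERIFIED_TTL_SECONDS)
        return verified

    def get_verified_uuid(self, name):
        """Sweep only entries whose expiry has passed; a fresh entry must survive the check."""
        now = self._clock()
        for key, (_, expiry) in list(self._verified.items()):
            if expiry <= now:
                del self._verified[key]
        entry = self._verified.get(name.lower())
        return entry[0] if entry else None

    def may_auto_login(self, name, premium_uuid_in_db):
        """AsynchronousJoin: getVerifiedUuid(name) == auth.getPremiumUuid(), dashed or not."""
        verified = self.get_verified_uuid(name)
        return bool(verified and premium_uuid_in_db) and uuid.UUID(verified) == uuid.UUID(premium_uuid_in_db)
```

A mismatching verify token returns before any Mojang lookup is made, and the cached UUID is compared form-insensitively so a dashed value from the DB matches the undashed id Mojang returns.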