Revisit Master Auth Server and User Backend

[bbaez]

Hi everyone,

A while back there was a discussion about a master auth server. VanessaE brought up valid points about single point of failure but I want to revisit this again.

The issue I have is that there are hundreds of accounts on my server but many are stale because people don't remember their password. There is no recovery mechanism since people only create a username and password. I would like to have a backend authentication mechanism so that a minetest user could have a profile with email, phone number, etc. to facilitate a web based and/or MMS based password recovery.

This would also allow us to build a community with more interaction. Like right now my server keeps crashing, but a number of the same users keep trying to connect within minutes of restart. Would be great to know who they are for testing and comments.

Also, our K-5 school is interested in Minetest but they want to make sure that it is locked down to only their students so having a password requirement for each world would be great. ACLs would also be a great option.

• *Local Master server for Auth that reports up to Master List Server.
  *a. I envision I have a master server for authentication and listing of the different servers I am running which announces up to the Minetest community master listing server. This way there is no single point of failure for authentication, only my server "pod". I am familiar with coding in PHP with MariaDB (MySQL) so would work on that for authentication. Would be better if there already was something built for some other project though we could bring in to Minetest.
  
  * Password by world.

I think I had more but can't remember.

[Sokomine]

One existing way of confirming identity is to use diffrent channels. When a player forgot his password, but still remembers his forum or irc password, that might be a way to talk to the server owner and initiate a password change.

I would like to have a backend authentication mechanism so that a minetest user could have a profile with email, phone number, etc. to facilitate a web based and/or MMS based password recovery.

That's far too much information which is not even helpful in this context. The email address could be useful sometimes, but why do you want to know someones' phone number? The person behind the line might not even be able to communicate in English. And then there's the privacy violation that would cause.

I am familiar with coding in PHP with MariaDB (MySQL) so would work on that for authentication.

Why don't you create your own admin interface then? Something where you could allow players that have authenticated themshelves on your webserver to (re)set their Minetest password. That ought to be doable.

[kaeza]

It may be possible to cobble together a web interface, coupled with mods like external_cmd or other mechanisms like communicating between web backend and game server via local socket on the server.

There's also the (pretty much undocumented, I'm afraid) `register_authentication_handler` API function (see `builtin/game/auth.lua` for the built-in implementation).

As for e-mail, phone numbers, etc., that should be kept separate from the game, but I agree with Sokomine that phone numbers are not needed, and probably going to discourage players from using your server, or may even get you in legal trouble, but IANAL (e-mail is fine IMHO, as long as it is only used for recovery purposes and not for any kind of unwanted notifications, obviously).

[bbaez]

A very belated thank you for the comments. I have some time again to work on this, almost 2.5 years later and soon to be 7th grade kids are asking to play Minetest over the summer.