[Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by sorcerykid » Post

Thanks for the debug output. I see what is happening now. The database is being read in binary mode, however the awk script is writing the database as a text file. Windows treats text files differently than binary files. So a quick fix is to edit the convert.awk script as follows:

Insert the following line of code immediately after BEGIN { on line 22:

Code: Select all

     ORS = "\n";
Now run the convert.awk script just as you did before, and this time the files should be correctly generated.

Sorry about the confusion. I'm not sure why I settled on binary mode in the first place :-/ I think it's a holdover from the builtin auth handler of Minetest. Since I tested the awk scripts on Linux, I admittedly didn't catch this bug.

lilo
Member
Posts: 54
Joined: Sat May 27, 2017 14:45

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by lilo » Post

Hi,

i have now an working Auth mod :) but when i use "/auth", my server will crash:

Code: Select all

2019-03-02 19:39:42: ERROR[Main]: ServerError: AsyncErr: ServerThread::run Lua: Runtime error from mod 'auth_rx' in callback on_chat_message(): ...4.17.1-win64 Servertest\bin\..\mods\auth_rx/commands.lua:734: attempt to call field 'create_form' (a nil value)
2019-03-02 19:39:42: ERROR[Main]: stack traceback:
2019-03-02 19:39:42: ERROR[Main]: 	...4.17.1-win64 Servertest\bin\..\mods\auth_rx/commands.lua:734: in function 'func'
2019-03-02 19:39:42: ERROR[Main]: 	....1-win64 Servertest\bin\..\builtin\game\chatcommands.lua:30: in function <....1-win64 Servertest\bin\..\builtin\game\chatcommands.lua:9>
2019-03-02 19:39:42: ERROR[Main]: 	...4.17.1-win64 Servertest\bin\..\builtin\game\register.lua:420: in function <...4.17.1-win64 Servertest\bin\..\builtin\game\register.lua:400>
I'm kind of out of luck with these things. :/

greets

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by sorcerykid » Post

No worries. Both chat commands require the ActiveFormspecs mod, which is listed as a dependency in the first post:

https://content.minetest.net/packages/s ... formspecs/

For the next release, I'll be sure to provide the above link in the readme file so there's no confusion. I've also made note to improve exception handling, so the server doesn't crash in these situations (the /fdebug command already has a sanity check) and also to fix the conversion scripts so they are Windows compatible and easier to use :) Thanks for bringing these issues to my attention!

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by bosapara » Post

Have the same problem as lilo, but adding ORS = "\n"; to convert.awk can't help.

Any advices?

Image

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by sorcerykid » Post

It appears that this is still related to the discrepancy with line-endings. I can see that the error is occurring during validation of the database header. Either that, or else the awk conversion script is not generating the correct database header. I admittedly didn't test the awk script on Windows. So it may be a simple oversight on my part.

Ultimately, I plan to switch Auth Redux to text-mode rather than binary-file handling. But in the more immediate term, I'll try to get a hot fix together for Windows users that resolves this issue once and for all. Thanks for bringing this to my attention.

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by bosapara » Post

Database header added successfuly as we can see. Added screen of line-endings bellow, maybe this is the issue.

Image

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by sorcerykid » Post

If you would be so kind as to share the sequence of commands you issued from the command line as well as the debug log output, that would better help for me to diagnose the problem. If there's any sensitive information, you can feel free to PM me instead.

Many thanks!

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx

by bosapara » Post

Let it be in public, possibly will help to another players to install it.

All commands from CMD:

Code: Select all

C:\Users\pirozhok>cd Users

C:\Users\pirozhok\Users>awk -f convert.awk -v mode=install auth.txt
Installing the required journal and ruleset files...
Converting auth.txt...
Done! 142603 of 142603 total records were imported to auth.db (0 records skipped).

C:\Users\pirozhok\Users>
Info from minetest debug:

Code: Select all

2020-02-01 14:18:16: ACTION[Main]: Reading authentication data from disk...
2020-02-01 14:18:16: ERROR[Main]: Invalid header in authentication database.
2020-02-01 14:18:16: ERROR[Main]: ModError: Failed to load and run script from F:\0.4.16\main\bin\..\mods\auth_rx\init.lua:
2020-02-01 14:18:16: ERROR[Main]: F:\0.4.16\main\bin\..\mods\auth_rx/db.lua:197: Fatal exception in AuthDatabase:reload( ), aborting.
2020-02-01 14:18:16: ERROR[Main]: stack traceback:
2020-02-01 14:18:16: ERROR[Main]: 	[C]: in function 'error'
2020-02-01 14:18:16: ERROR[Main]: 	F:\0.4.16\main\bin\..\mods\auth_rx/db.lua:197: in function 'db_reload'
2020-02-01 14:18:16: ERROR[Main]: 	F:\0.4.16\main\bin\..\mods\auth_rx/db.lua:271: in function 'connect'
2020-02-01 14:18:16: ERROR[Main]: 	F:\0.4.16\main\bin\..\mods\auth_rx\init.lua:141: in main chunk
2020-02-01 14:18:16: ERROR[Main]: Check debug.txt for details.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

Great news! My PR #9574 was just merged this morning. That means it will be possible to accurately track successful logins in the database, rather than resorting to awkward workarounds. This will definitely help with state-based ruleset filters.

I'll try to get an update ready in the next few weeks with support for these new features!

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by bosapara » Post

Small review: works really fast, recommend.

Tried both versions. Main version of auth_rx crashed once, lite version does not turn on at all.

error from main:

Code: Select all

ERROR[Main]: ServerError: AsyncErr: ServerThread::run Lua: Runtime error from mod 'auth_rx' in callback on_auth_failure(): ../auth_rx/watchdog.lua:22: attempt to index local 'meta' (a nil value)
ERROR[Main]: 	../auth_rx/watchdog.lua:22: in function 'on_failure'
ERROR[Main]: 	../auth_rx/init.lua:28: in function '?'
ERROR[Main]: 	.../builtin/game/register.lua:453: in function <.../builtin/game/register.lua:437>
error from lite:

Code: Select all

ERROR[Main]: ServerError: AsyncErr: ServerThread::run Lua: Runtime error from mod 'auth_rx' in callback on_prejoinplayer(): .../auth_rx/init.lua:363: attempt to call field 'select_record' (a nil value)
ERROR[Main]: stack traceback:
ERROR[Main]: 	.../auth_rx/init.lua:363: in function <.../auth_rx/init.lua:362>
ERROR[Main]: 	.../builtin/game/register.lua:453: in function <.../builtin/game/register.lua:437>

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

Thanks for the heads up. Which build of Minetest are you using?

There's a chance that the first crash is the result of an in-game password change. You could try editing the minetest.register_on_auth_fail() callback as follows in init.lua:

Code: Select all

if minetest.register_on_auth_fail then
	minetest.register_on_auth_fail( function ( player_name, player_ip )
	        -- password change hack till network/serverprotocolhandler.cpp is fixed!
                if minetest.get_player_by_name( player_name ) then return end
        
		auth_db.on_login_failure( player_name, player_ip )
		auth_watchdog.on_failure( convert_ipv4( player_ip ) )
	end )
end
This issue is resolved in the next version of Auth Redux which uses the new on_authplayer() callback instead. I'm not sure what the cause of the crash in Auth Redux Lite is. I'll have to investigate further and get back to you on that one.

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by bosapara » Post

sorcerykid wrote:
Fri Aug 07, 2020 19:02
Which build of Minetest are you using?

There's a chance that the first crash is the result of an in-game password change. You could try editing the minetest.register_on_auth_fail() callback as follows in init.lua:
Used 5.0, specially tested in 0.4.17.1, the same.
Crash can't reproduce, but discover that players can't change their password via ESC menu.

In 5.0 it gives: "Password change failed or unavailable."
In 0.4.17.1 gives nothing, password can't be changed.

Changes of 'minetest.register_on_auth_fail()' can't help.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

After glancing at the code, I see that there is a missing function in Auth Redux Lite. That would explain the crash. I'm not sure how that wasn't caught during testing, or why nobody has reported it up until now. Thankfully that is a very simple fix.

A new version of Auth Redux Lite will be published tomorrow which includes support for the new on_authplayer() callback. I'm still investigating the password-change bug in the main branch of Auth Redux.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

Version 2.7 Released (Auth Redux Lite)

A new version of Auth Redux Lite is ready for download. I made quite a few improvements under the hood.

Most importantly, the crashes due to the missing select_record() method have been resolved. Also, I fixed the missing return value in set_password(), which was to blame for password changes being rejected (they were being saved, albeit reported as failed).

In addition, I implemented the new on_authplayer() callback as promised. This means that last-login time is now accurately recorded in the database as the time of authentication. Session length is still calculated as before (based on joining and leaving the game). I'm very excited about this change, as I'd been wanting to separate these two metrics for years!

Most of the other changes entailed localizing some helper functions, removing an unused compatibility wrapper, and correcting typos in a few error messages.

Important Note: Auth Redux Lite is now compatible only with Minetest 5.3 and above. I will be making a patch for older versions of the engine which lack support for the new callback, much as I did a couple years ago.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

In 5.0 it gives: "Password change failed or unavailable."
For users of Auth Redux, it looks like the password change errors can be overcome by patching the set_password function in init.lua as follows:

Code: Select all

	set_password = function ( username, password )
		if auth_db.set_password( username, password ) then
			minetest.log( "info", "Reset password of player '" .. username .. "' in authentication database" )
                        return true
		end
                return false
	end,
Note that there's still a glitch when using the "Set Password" option in the ESC menu more than once that results in the error "tried to change their password, but supplied wrong (SRP) password for authentication". This seems to be an engine-related bug, as the builtin authentication handler exhibits the same problem. But for single password changes, it should work as expected.

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by bosapara » Post

Code: Select all

	set_password = function ( username, password )
		if auth_db.set_password( username, password ) then
			minetest.log( "info", "Reset password of player '" .. username .. "' in authentication database" )
                        return true
		end
                return false
	end,
Сonfirm, it works with that changes.

One of quick solution for password change can be adding a command, helps to bypass the password change restriction:

Code: Select all

minetest.register_chatcommand("pass", {
	params = "",
	description = "Change password",
	privs = {interact=true},
	func = function(name, param)

		local form = "size[5,2]" ..
			"textarea[1.3,0.1;2.8,1.5;pwd;" .. "Enter new password:" .. ";]" ..
			"button_exit[1.01,1.4;2.8,1;;" .. "Change Password" .. "]"

		minetest.show_formspec(name, "password_change", form)
	
	end,
})

minetest.register_on_player_receive_fields(function(player, formname, fields)
	if formname=="password_change" then

		local name = player:get_player_name()
		if not name then return end

		if not fields.pwd or fields.pwd == "" then
			core.chat_send_player(name, minetest.colorize("#FF0000", "You cannot set an empty password!"))
			return
		end

		local password = core.get_password_hash(name, fields.pwd)
		minetest.set_player_password(name, password)
		core.chat_send_player(name, minetest.colorize("#7CFC00", "Password changed! Your new password: "..fields.pwd))

	end
end)

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

I would strongly advise against this. The plaintext password of the user will be exposed while in transit over the network, so it can be intercepted by a hacker. Also the register_on_player_receive_fields callback is inherently very insecure. Any mod can examine and manipulate the form data without permission. This is why I created ActiveFormspecs.

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by bosapara » Post

In any way old mobile players can't change their password via ESC menu, so need some special tweaks.

This should be more safe:

Code: Select all

local pass = {}
minetest.register_on_leaveplayer(function(player)
	local name = player:get_player_name()
	pass[name] = nil
end)

minetest.register_chatcommand("pass", {
	params = "",
	description = "Change password",
	privs = {interact=true},
	func = function(name, param)

		local form = "size[5,2]" ..
			"textarea[1.3,0.1;2.8,1.5;pwd;" .. "Enter new password:" .. ";]" ..
			"button_exit[1.01,1.4;2.8,1;;" .. "Change Password" .. "]"

		pass[name] = os.time()..os.clock();

		minetest.show_formspec(name, "password_change", form)
		
	
	end,
})

minetest.register_on_player_receive_fields(function(player, formname, fields)
	if formname ~="password_change" then
	return
	end

	local name = player:get_player_name()
	if not name then return end

	if not pass[name] then return end

	if not fields.pwd or fields.pwd == "" or fields.quit == "true" then
		core.chat_send_player(name, minetest.colorize("#FF0000", "You cannot set an empty password!"))
		pass[name] = nil
		return
	end

	local password = core.get_password_hash(name, fields.pwd)
	minetest.set_player_password(name, password)
	core.chat_send_player(name, minetest.colorize("#7CFC00", "Password changed! Your new password: "..fields.pwd))

	pass[name] = nil

end)
Sorry for offtop, but command can be useful.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

In any way old mobile players can't change their password via ESC menu, so need some special tweaks.
When you say "old mobile players" which client version are you referring to? If the issue has been fixed as of Minetest 5.3, then I think the ideal solution would be for those players to upgrade rather than to provide an insecure workaround.

User avatar
bosapara
Member
Posts: 637
Joined: Fri Apr 07, 2017 08:49

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by bosapara » Post

sorcerykid wrote:
Sun Aug 23, 2020 15:38
When you say "old mobile players" which client version are you referring to?
Players who using 0.4 version of client

Mineminer
Member
Posts: 325
Joined: Mon Mar 05, 2018 04:05

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by Mineminer » Post

bosapara wrote:
Sun Aug 23, 2020 16:40
sorcerykid wrote:
Sun Aug 23, 2020 15:38
When you say "old mobile players" which client version are you referring to?
Players who using 0.4 version of client

As they express, they are not going to support a client that is frankly years behind. Nobody in their right minds would be supporting this version. 5.3 is consider current and what you should be using now of days.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

I just reported the password-change bug on GitHub, since it's clearly engine related. Thankfully, it shouldn't cause much difficulty under normal circumstances. And the workaround is also simple enough.

Cannot change password via ESC menu after using /setpassword command

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

Four Methods of Whitelisting Players

There may be situations where you want to restrict access only to pre-approved players on your server. Thankfully a variety of whitelisting techniques are possible with Auth Redux, all of which are quite straightforward:

Option 1: Just add the authentication ruleset below to the greenlist.txt file.

Code: Select all

try "You are not permitted to join this server. Please contact $owner if you believe this to be an error."
when $name eq $owner pass
until $name in @whitelist.txt fail
Then put a list of player names (one per line) into the file filters/whitelist.txt. You can edit the list while the server is online.

Option 2: If you would prefer to whitelist by IP address rather than player name, you can do that too! Just change the last rule:

Code: Select all

until ip($addr) in @whitelist.txt fail
Option 3: If you simply want to block new players from joining your server, but continue to allow existing players, use this rule instead:

Code: Select all

when $is_new eq $true fail
Option 4: It might be easiest to simply register a new privilege such as "login". Then grant that privilege only to players that are allowed access (this assumes they already have an account on your server, of course). With this ruleset, you don't have to maintain a separate whitelist at all, just use the builtin /grant and /revoke commands!

Code: Select all

try "Sorry, your privileges are insufficient to join this server."
until "login" in $privs_list fail
Hope this helps!

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

I've just published Auth Redux Lite on the ContendDB, and created a standalone repository on BitBucket.

https://content.minetest.net/packages/s ... h_rx_lite/

The awk conversion script and a README.txt with migration instructions are both bundled in the package.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] Auth Redux v2.14 (Authentication Handler) [auth_rx]

by sorcerykid » Post

Here is the auth ruleset that I am currently using on the JT2 server. I find that it covers most general purpose needs.
  • denies anyone from joining with a deceptive name (admin, owner, staff, etc.)
  • denies anyone from joining as the server operator from a foreign IP address
  • blocks anyone that is repeatedly logging into the server (20 second timeout)
  • blocks anyone that failed to login multiple times in a row (60 second timeout)
  • blocks anyone from creating an account after a failed login (5 minute timeout)
  • denies anyone from creating an account when the server is over 50% capacity
  • denies any non-moderators from joining when the server is over 90% capacity

Code: Select all

#################################################################
#
# deny players with a reserved or restricted name
#
#################################################################

try "You do not have permission to join this server."

fail any
if $name in @blacklist.txt
if lc($name) is /*guest*/
if lc($name) is /*admin*/
continue

fail all
if $name in ("sorcerykid","Nemo","publicworks","citymanager","abba","justtest")
unless $addr is /127.?.?.?/a
continue

#################################################################
#
# deny players that have been inactive for one year
#
#################################################################

try "Sorry, this account has been disabled for inactivity."

fail all
if $is_new eq $false
if age($newlogin) gt 1y
continue

#################################################################
#
# deny new players when the server is nearing capacity
#
#################################################################

fail all
if $cur_users gt mul(0.5,$max_users)
unless $is_new eq $false
continue

fail all
if $cur_users gt mul(0.9,$max_users)
unless "basic_privs" in $privs_list
continue

#################################################################
#
# block new players after a recent failed login
#
#################################################################

try "You cannot create an account right now. Please try later."
fail all
if $is_new eq $true
if $ip_failures gt 0
unless age($ip_prelogin) gt 5m
continue

#################################################################
#
# block players that are spam-logging the server
#
#################################################################

try "This account is temporarily locked. Please try later."

fail all
if $is_new eq $false
if age($newlogin) lt 20s
continue

#################################################################
#
# block players after two or more failed logins
#
#################################################################

try "This account is temporarily locked. Please try later."

fail all
if $ip_attempts gt 0
if $ip_failures gte 2
if age($ip_newcheck) lt 60s
continue

pass now

Post Reply

Who is online

Users browsing this forum: No registered users and 15 guests