Comments (11)
The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.
from polymc.
I guess it makes sense to implement if there's no other way to support 2FA though
from polymc.
@erickskrauch I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.
from polymc.
The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.
My bad. I didn't check the placeholder text. I'm even flattered that my project is offered as an example 😊
I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.
Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.
But in this case the issue of openness of the implementation is much more important. Unfortunately, we cannot publicly share source code and release builds of our Authlib. We would like to (since most of the Ely.by is OpenSource), but it violates Mojang's rights.
So you'll either have to trust that we're the good guys and don't do more than is necessary to support skins, or just use authlib-injector :) Generally, I don't see a problem with using the version from the authlib-injector. Especially since the cache is also implemented there.
from polymc.
The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.
My bad. I didn't check the placeholder text. I'm even flattered that my project is offered as an example 😊
I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.
Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.
But in this case the issue of openness of the implementation is much more important. Unfortunately, we cannot publicly share source code and release builds of our Authlib. We would like to (since most of the Ely.by is OpenSource), but it violates Mojang's rights.
So you'll either have to trust that we're the good guys and don't do more than is necessary to support skins, or just use authlib-injector :) Generally, I don't see a problem with using the version from the authlib-injector. Especially since the cache is also implemented there.
You are already violating the authlib-injector license for withholding your modified version's source while distributing it. There also isn't any need to use your version since 2FA is prob a very useless feature when it comes to minecraft accounts, on top of the fact modifying a skin via the launcher is much worse than just using the site, unless "To make it easier for players to use skins from Ely.by" means just uploading or changing skins, then there is no need, else if you mean allowing skins to work in general, authlib-injector already fully supports your skin system, and can see other ely.by users' skins.
So tl;dr: 2FA is useless, we don't want to get involved with fork of something that is violating AGPLv3, and skins are already fine, we don't really need uploading via the launcher
didn't mean to close
from polymc.
There also isn't any need to use your version since 2FA is prob a very useless feature when it comes to minecraft accounts, on top of the fact modifying a skin via the launcher is much worse than just using the site, unless "To make it easier for players to use skins from Ely.by" means just uploading or changing skins, then there is no need, else if you mean allowing skins to work in general, authlib-injector already fully supports your skin system, and can see other ely.by users' skins.
@Kaydax 2fa isn't useless. If people can't sign in because they have 2fa enabled that isn't good imo, if ely.by is doing a good thing by offering 2fa then it might be worth it to support this login method, esp. if authlib-injector is still okay in place of the custom authlib.
from polymc.
2FA is useless
You are missing the point that Ely.by is not only a skins system but also an authorization server for game servers. Server owners can use our accounts with online-mode=true for fully secure authorization of players on their servers. Given that many servers offer resources to their players for donation, players may be especially concerned about the security of their accounts. That's why we have introduced two-factor authentication.
we don't want to get involved with fork of something that is violating AGPLv3
I don't have much to say here, we are doing what we can to accomplish the goal of giving players alternative services for Minecraft. We don't earn anything from it.
skins are already fine, we don't really need uploading via the launcher
I'm not suggesting you add such functionality. We don't have it at all. I only want a secure method of authorization for our users without passing the password through your launcher. This is what the OAuth 2.0 protocol is designed to accomplish. Also, authorization through our site allows us to implement other authorization methods without having to update your implementation.
from polymc.
@erickskrauch if someone has 2FA enabled on his account, does that make it impossible to login via the authlib-injector compatible API offered by ely.by with email and password? If this is the case, I think it makes sense for us to implement the OAuth login.
from polymc.
Also I don't get what you mean by this:
Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.
authlib-injector has 0 issues displaying mojang auth skins as well as SkinsRestorer skins. I've even been testing all of this as I have been writing my own ely.by skin restorer plugin for server software such as velocity, which you can find here.
You are missing the point that Ely.by is not only a skins system but also an authorization server for game servers. Server owners can use our accounts with online-mode=true for fully secure authorization of players on their servers. Given that many servers offer resources to their players for donation, players may be especially concerned about the security of their accounts. That's why we have introduced two-factor authentication.
I mean 2FA is useless because it stops nothing with token stealing, which allows for people to instantly auth as any account given they have the session token. I've talked about this before with how Mojang does 2fa, and with session token grabbing, you can just ban anyone you grab the token of.
I don't have much to say here, we are doing what we can to accomplish the goal of giving players alternative services for Minecraft. We don't earn anything from it.
I forgot to ask if it was a Mojang authlib modification or an authlib-injector modification. If it is a Mojang one, then that's understandable, but if it's an authlib-injector modification then my point still stands.
from polymc.
if someone has 2FA enabled on his account, does that make it impossible to login via the authlib-injector compatible API offered by ely.by with email and password?
There is one way. I remembered that I once did a workaround to still allow the TOTP to be passed along with the password within the existing protocol. Take a look here. This solution will work for 2FA authentication, but if we add other methods of authentication in the future or log in via social networks without setting a password, there is no way users will be able to log in to their accounts. So yes, there is a possibility, but OAuth 2.0 is more secure and more flexible in terms of further extending our authentication service.
Also I don't get what you mean by this:
I'll be honest: I don't remember exactly. We did it once and it solved some problem. It works and we don't touch it 😅
As far as I can remember, SkinsRestorer sends to the player textures for their username when they log on the game server. But we want to give priority to Ely.by textures, so if the received textures don't contain ely field, we request textures from the Ely.by server. However, we have a server skins system plugin that works similarly to SkinsRestorer. It immediately sends our textures to the player and there is already an ely field there, which avoids sending an additional request to the Ely.by server.
I could be wrong about how it works today, but from the code I can read, it was made for this purpose.
I've even been testing all of this as I have been writing my own ely.by skin restorer plugin for server software such as velocity, which you can find here.
You did WHAAAAAAT?
Off topic
At first, I was very surprised at the fact that this exists.
Then I saw this sentence:
Even after trying to email them twice, they not only ignored said emails, but updated their plugin to be obfuscated, making it hard to vet the code.
I'm very sorry that your letters did not reach me. It is a terrible loss that we did not meet earlier. I apologize for losing your letters. I'm very ashamed.
I'm also upset by the unpleasant coincidence of obfuscating plugin code. We didn't do it to hide some evil in the implementation. I just wanted the plugin to be small, as I felt that if the plugin was several megabytes in size, it would make users suspicious. This is the only reason why we obfuscated the code. In fact, there is no reason at all to keep the source code of the plugin closed.
Unfortunately, I don't have any more people on my team who want to develop our plugin, so I'll be happy to give way to your implementation and make it recommended. But I would like to have a conversation with you. Can we get in touch on some messenger? Maybe you have Telegram? Text me if that's the case. Or you can email me directly at my email address: [email protected].
2FA is useless because it stops nothing with token stealing, which allows for people to instantly auth as any account given they have the session token
Yes, you're right. But to steal the session token, you need to get onto the user's computer. And once you're on the user's computer, there's nothing to keep you safe. However, 2FA is a good defense for users who use the same password and whose data has been leaked to the Internet by one of the many wonderful companies.
I forgot to ask if it was a Mojang authlib modification or an authlib-injector modification. If it is a Mojang one, then that's understandable, but if it's an authlib-injector modification then my point still stands.
We use Mojang's Authlib. We decompiled it a long time ago and have been tweaking it ever since, making compatibility patches with new revisions of the original Authlib.
from polymc.
Can we get in touch on some messenger?
I use discord and matrix, else email. My email is on my github if you need to get in touch
from polymc.