
Comments (11)

LennyMcLennington commented on June 3, 2024

The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.

from polymc.

LennyMcLennington commented on June 3, 2024

I guess it makes sense to implement if there's no other way to support 2FA though


LennyMcLennington commented on June 3, 2024

@erickskrauch I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.


erickskrauch commented on June 3, 2024

The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.

My bad. I didn't check the placeholder text. I'm even flattered that my project is offered as an example 😊

I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.

Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.

But in this case the issue of openness of the implementation is much more important. Unfortunately, we cannot publicly share source code and release builds of our Authlib. We would like to (since most of the Ely.by is OpenSource), but it violates Mojang's rights.

So you'll either have to trust that we're the good guys and don't do more than is necessary to support skins, or just use authlib-injector :) Generally, I don't see a problem with using the version from the authlib-injector. Especially since the cache is also implemented there.


Kaydax commented on June 3, 2024

The "hassle" of finding the required "values"? The only value you need to input aside from the actual login credentials is the URL (ely.by) and it literally is shown as the example for authlib injector accounts in the PolyMC UI, it's in the placeholder text of the input.

My bad. I didn't check the placeholder text. I'm even flattered that my project is offered as an example 😊

I think that we will stick with the open source authlib-injector, since I'm not sure that I feel comfortable having it fetch an obfuscated closed source jar for this. If it's not possible with authlib-injector then I think I will not implement the feature.

Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.

But in this case the issue of openness of the implementation is much more important. Unfortunately, we cannot publicly share source code and release builds of our Authlib. We would like to (since most of the Ely.by is OpenSource), but it violates Mojang's rights.

So you'll either have to trust that we're the good guys and don't do more than is necessary to support skins, or just use authlib-injector :) Generally, I don't see a problem with using the version from the authlib-injector. Especially since the cache is also implemented there.

You are already violating the authlib-injector license for withholding your modified versions source while distributing it. There also isn't any need to use your version since 2FA is prob a very useless feature when it comes to minecraft accounts, on top of the fact modifying a skin via the launcher is much worse than just using the site, unless "To make it easier for players to use skins from Ely.by" means just uploading or changing skins, then there is no need, else if you mean allowing skins to work in general, authlib-injector already fully supports your skin system, and can see other ely.by user's skins.

So tl;dr: 2FA is useless, we don't want to get involved with fork of something that is violating AGPLv3, and skins are already fine, we don't really need uploading via the launcher

didn't mean to close


LennyMcLennington commented on June 3, 2024

There also isn't any need to use your version since 2FA is prob a very useless feature when it comes to minecraft accounts, on top of the fact modifying a skin via the launcher is much worse than just using the site, unless "To make it easier for players to use skins from Ely.by" means just uploading or changing skins, then there is no need, else if you mean allowing skins to work in general, authlib-injector already fully supports your skin system, and can see other ely.by user's skins.

@Kaydax 2fa isn't useless. If people can't sign in because they have 2fa enabled that isn't good imo, if ely.by is doing a good thing by offering 2fa then it might be worth it to support this login method, esp. if authlib-injector is still okay in place of the custom authlib.


erickskrauch commented on June 3, 2024

2FA is useless

You are missing the point that Ely.by is not only a skins system but also an authorization server for game servers. Server owners can use our accounts with online-mode=true for fully secure authorization of players on their servers. Given that many servers offer resources to their players for donation, players may be especially concerned about the security of their accounts. That's why we have introduced two-factor authentication.

we don't want to get involved with fork of something that is violating AGPLv3

I don't have much to say here, we are doing what we can to accomplish the goal of giving players alternative services for Minecraft. We don't earn anything from it.

skins are already fine, we don't really need uploading via the launcher

I'm not suggesting you add such functionality. We don't have it at all. I only want a secure method of authorization for our users without passing the password through your launcher. This is what the OAuth 2.0 protocol is designed to accomplish. Also, authorization through our site allows us to implement other authorization methods without having to update your implementation.


LennyMcLennington commented on June 3, 2024

@erickskrauch if someone has 2FA enabled on his account, does that make it impossible to login via the authlib-injector compatible API offered by ely.by with email and password? If this is the case, I think it makes sense for us to implement the OAuth login.


Kaydax commented on June 3, 2024

Also I don't get what you mean by this:

Our Authlib modification also implements handling of the ely property (you can see it in the response here), which allows us to correctly handle texture overwrites from mods like SkinsRestorer.

authlib-injector has 0 issues displaying mojang auth skins as well as SkinsRestorer skins. I've even been testing all of this as I have been writing my own ely.by skin restorer plugin for server software such as velocity, which you can find here.

You are missing the point that Ely.by is not only a skins system but also an authorization server for game servers. Server owners can use our accounts with online-mode=true for fully secure authorization of players on their servers. Given that many servers offer resources to their players for donation, players may be especially concerned about the security of their accounts. That's why we have introduced two-factor authentication.

I mean 2FA is useless because it stops nothing with token stealing, which allows for people to instantly auth as any account given they have the session token. I've talked about this before with how Mojang does 2fa, and with session token grabbing, you can just ban anyone you grab the token of.

I don't have much to say here, we are doing what we can to accomplish the goal of giving players alternative services for Minecraft. We don't earn anything from it.

I forgot to ask if it was a Mojang authlib modification or an authlib-injector modification. If it is a Mojang one, then that's understandable, but if it's an authlib-injector modification then my point still stands.


erickskrauch commented on June 3, 2024

@LennyMcLennington

if someone has 2FA enabled on his account, does that make it impossible to login via the authlib-injector compatible API offered by ely.by with email and password?

There is one way. I remembered that I once did a workaround to still allow the TOTP to be passed along with the password within the existing protocol. Take a look here. This solution will work for 2FA authentication, but if we add other methods of authentication in the future or log in via social networks without setting a password, there is no way users will be able to log in to their accounts. So yes, there is a possibility, but OAuth 2.0 is more secure and more flexible in terms of further extending our authentication service.

@Kaydax

Also I don't get what you mean by this:

I'll be honest: I don't remember exactly. We did it once and it solved some problem. It works and we don't touch it 😅

As far as I can remember, SkinsRestorer sends to the player textures for their username when they log on the game server. But we want to give priority to Ely.by textures, so if the received textures don't contain ely field, we request textures from the Ely.by server. However, we have a server skins system plugin that works similarly to SkinsRestorer. It immediately sends our textures to the player and there is already an ely field there, which avoids sending an additional request to the Ely.by server.

I could be wrong about how it works today, but from the code I can read, it was made for this purpose.

I've even been testing all of this as I have been writing my own ely.by skin restorer plugin for server software such as velocity, which you can find here.

You did WHAAAAAAT?

Off topic

At first, I was very surprised at the fact that this exists.

Then I saw this sentence:

Even after trying to email them twice, they not only ignored said emails, but updated their plugin to be obfuscated, making it hard to vet the code.

I'm very sorry that your letters did not reach me. It is a terrible loss that we did not meet earlier. I apologize for losing your letters. I'm very ashamed.

I'm also upset by the unpleasant coincidence of obfuscating plugin code. We didn't do it to hide some evil in the implementation. I just wanted the plugin to be small, as I felt that if the plugin was several megabytes in size, it would make users suspicious. This is the only reason why we obfuscated the code. In fact, there is no reason at all to keep the source code of the plugin closed.

Unfortunately, I don't have any more people on my team who want to develop our plugin, so I'll be happy to give way to your implementation and make it recommended. But I would like to have a conversation with you. Can we get in touch on some messenger? Maybe you have Telegram? Text me if that's the case. Or you can email me directly at my email address: [email protected].

2FA is useless because it stops nothing with token stealing, which allows for people to instantly auth as any account given they have the session token

Yes, you're right. But to steal the session token, you need to get onto the user's computer. And once you're on the user's computer, there's nothing to keep you safe. However, 2FA is a good defense for users who use the same password and whose data has been leaked to the Internet by one of the many wonderful companies.

I forgot to ask if it was a Mojang authlib modification or an authlib-injector modification. If it is a Mojang one, then that's understandable, but if it's an authlib-injector modification then my point still stands.

We use Mojang's Authlib. We decompiled it a long time ago and have been tweaking it ever since, making compatibility patches with new revisions of the original Authlib.


Kaydax commented on June 3, 2024

Can we get in touch on some messenger?

I use discord and matrix, else email. My email is on my github if you need to get in touch

