{"id":28478302,"url":"https://github.com/tuxcoding/flexiblelogin","last_synced_at":"2025-07-03T07:32:18.980Z","repository":{"id":35905564,"uuid":"40192482","full_name":"TuxCoding/FlexibleLogin","owner":"TuxCoding","description":"A Sponge minecraft server plugin for second factor authentication","archived":false,"fork":false,"pushed_at":"2021-01-20T08:43:12.000Z","size":803,"stargazers_count":86,"open_issues_count":29,"forks_count":22,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-07-02T09:03:25.181Z","etag":null,"topics":["2fa","auth","authentication","cracked","minecraft","mod","plugin","security","sponge"],"latest_commit_sha":null,"homepage":"https://forums.spongepowered.org/t/8872","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TuxCoding.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-08-04T15:20:12.000Z","updated_at":"2025-03-08T07:36:11.000Z","dependencies_parsed_at":"2022-08-26T17:41:34.358Z","dependency_job_id":null,"html_url":"https://github.com/TuxCoding/FlexibleLogin","commit_stats":null,"previous_names":["tuxcoding/flexiblelogin"],"tags_count":63,"template":false,"template_full_name":null,"purl":"pkg:github/TuxCoding/FlexibleLogin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TuxCoding%2FFlexibleLogin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TuxCoding%2FFlexibleLogin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TuxCoding%2FFlexibleLogin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TuxCoding%2FFlexibleLogin/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TuxCoding","download_url":"https://codeload.github.com/TuxCoding/FlexibleLogin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TuxCoding%2FFlexibleLogin/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263282724,"owners_count":23442231,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","auth","authentication","cracked","minecraft","mod","plugin","security","sponge"],"created_at":"2025-06-07T17:31:00.113Z","updated_at":"2025-07-03T07:32:18.971Z","avatar_url":"https://github.com/TuxCoding.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FlexibleLogin\n\n## Security advisories:\n\nThis section contains a list of security fixes for transparency. 
This should let you get informed quickly and deploy patched \nversions promptly.\n\n|ID| Severity | Affected | Patched | Impact + Relevance | References |\n|---|---|---|---|---|---|\n|1|Moderate| FlexibleLogin between 0.18 and 0.18.1 | SpongeForge \u003e RC4005; FlexibleLogin 0.18.1 includes a workaround | Exploit for inventory duplication if not logged in (ex: survival servers) | [Introduced](https://github.com/SpongePowered/SpongeCommon/commit/562ddf9fa3b19e9146b34c7a870c9cd9b6c0452b), [Fixed Sponge](https://github.com/SpongePowered/SpongeForge/issues/3097), [Workaround](0a08a0ffcfea8af536093f6762ff73cacc055dc8) |\n|2|High| FlexibleLogin between 0.16 and 0.16.5 | FlexibleLogin 0.16.5 | Change password command permission check (If command usage is allowed) | [Introduced](43f74a466e73b0f2cfa522b5bfd68480010a7934), [Fixed](172422c383a22f7feeabbe6aef487adbd9f8dbd9) |\n\nDetails:\n1. SpongeCommon introduced a bug where inventory changes were not captured when crafting using number key presses. This \nallows inventory item duplication in combination with FlexibleLogin if the user is not logged in. Sponge fixed this in the \nbuild and commit mentioned above, so you should update your server version. If that's not possible, FlexibleLogin 0.18.1\nincludes a workaround. Alternatively, you could remove the inventory until the player logs in.\n2. FlexibleLogin had an incorrect permission check for using the change password command. This allowed unauthorized\nplayers to use the command. There is no known case of this being actively used.\n\nIf you have any questions or comments about these advisories, please:\n* Open an issue\n* Send a private message on the Sponge Forums\n\n## Description\n\nA Sponge Minecraft server plugin for second factor authentication. It has built-in\nTOTP support.\n\nDo you want to let your players protect their accounts (from hackers/login stealers) and keep playing \nwhile the session server is down? Then you can use this little plugin. 
You can protect your account with \na password you choose or with a time-based password created from a secret key, generated just for you.\n\n## Requirements\n\n* Sponge 7.1+\n* Java 8+\n\n## Language\n\nThis plugin has configurable language files. By default it only ships the English version, but there are\ncommunity-driven templates on the wiki page: https://github.com/games647/FlexibleLogin/wiki\n\n## Commands\n\n    User commands:\n    /reg /register \u003cpassword\u003e \u003cpassword\u003e - Registers using a specific password\n    /register - Generates your secret code for TOTP\n    /changepw /cp /changepassword \u003cpassword\u003e \u003cpassword\u003e - Changes your current password\n    /log /l /login \u003cpassword|code\u003e - Login using your password or time-based code\n    /logout - Logs you out\n    /mail /setemail - Sets your mail address\n    /forgot /forgotpassword - Sends a recovery mail to the mail address\n    /unregister \u003cuuid|name\u003e - delete an account\n\n    Admin commands: (you can use /flexiblelogin as an alias) \n    /fl \u003creload|rl\u003e - reloads the config\n    /fl forcelogin \u003cname\u003e - Force login the user\n    /fl \u003caccounts|acc\u003e \u003cname|ip\u003e - Get list of user accounts\n    /fl \u003cunregister|unreg\u003e \u003cname|uuid|--all\u003e - Deletes the account of a user or all using the -a flag\n    /fl \u003cregister|reg\u003e \u003cname|uuid\u003e \u003cpass\u003e - Register the user with a specific password\n    /fl \u003cresetpw|resetpassword\u003e \u003cname\u003e - Sets a new temp password for a new user\n    \n## Permissions\n\n    flexiblelogin.admin - Permission to delete accounts\n    flexiblelogin.command.login - Use the /login command\n    flexiblelogin.command.logout - Use the /logout command\n    flexiblelogin.command.changepw - Use the /changepassword command\n    flexiblelogin.command.register - Use the /register command\n    flexiblelogin.command.mail - Use the /setemail 
command\n    flexiblelogin.command.forgot - Use the /forgot command\n    flexiblelogin.no_auto_login - Players with this won't be auto logged in by the ip auto login feature\n    flexiblelogin.bypass - Users who have this permission can skip authentication\n\n## Config\n\n    # Should unregistered player be able to join the server?\n    allowUnregistered=true\n    # Do you allow your users to skip authentication with the bypass permission\n    bypassPermission=false\n    # Should the player name always be case sensitive equal to the time the player registered?\n    caseSensitiveNameCheck=true\n    # Should only the specified commands be protected from unauthorized access\n    commandOnlyProtection=false\n    # Email configuration for password recovery\n    emailConfiguration {\n        # Username for the account you want to the mail from\n        account=\"\"\n        # Email contents. You can use HTML here\n        contentTemplate {\n            arguments {}\n            closeArg=\"}\"\n            content {\n                text=\"New password for Builder{name=player, optional=true} on Minecraft server Builder{name=server, optional=true}: Builder{name=, optional=true}\"\n            }\n            openArg=\"{\"\n            options {\n                closeArg=\"}\"\n                openArg=\"{\"\n            }\n        }\n        # Is password recovery using an mail allowed\n        enabled=false\n        # Mail server\n        host=\"smtp.gmail.com\"\n        # Password for the account you want to the mail from\n        password=\"\"\n        # SMTP Port for outgoing messages\n        port=465\n        # Displays as sender in the mail client\n        senderName=\"Your Minecraft server name\"\n        # Email subject/title\n        subjectTemplate {\n            arguments {}\n            closeArg=\"}\"\n            content {\n                text=\"Your new Password\"\n            }\n            openArg=\"{\"\n            options {\n                
closeArg=\"}\"\n                openArg=\"{\"\n            }\n        }\n    }\n    # Algorithms for hashing user passwords. You can also choose totp\n    hashAlgo=bcrypt\n    # Should the plugin login users automatically if it's the same account from the same IP\n    ipAutoLogin=false\n    # Custom command that should run after the user tried to make too many attempts\n    lockCommand=\"\"\n    # How many login attempts are allowed until everything is blocked\n    maxAttempts=3\n    # How many accounts are allowed per ip-address. Use 0 to disable it\n    maxIpReg=0\n    # Interval where the please login will be printed to the user\n    messageInterval=2\n    # The user should use a strong password\n    minPasswordLength=4\n    # Should this plugin check for player permissions\n    playerPermissions=false\n    # Experimental feature to protect permissions for players who aren't logged in yet\n    protectPermissions=false\n    # If command only protection is enabled, these commands are protected. If the list is empty all commands are protected\n    protectedCommands=[\n        op,\n        pex\n    ]\n    # Teleport the player to a safe location based on the last login coordinates\n    safeLocation=false\n    # Database configuration\n    sqlConfiguration {\n        # Database name\n        database=flexiblelogin\n        # Password in order to login\n        password=\"\"\n        # Path where the database is located. This can be a file path (h2/SQLite) or an IP/Domain (MySQL/MariaDB)\n        path=\"%DIR%\"\n        # Port for example MySQL connections\n        port=3306\n        # SQL server type. 
You can choose between h2, SQLite and MySQL/MariaDB\n        type=H2\n        # It's strongly recommended to enable SSL and setup a SSL certificate if the MySQL/MariaDB server isn't running on the same machine\n        useSSL=false\n        # Username to login the database system\n        username=\"\"\n    }\n    # Should the plugin don't register alias /l (used by some chat plugins) for /login command \n    supportSomeChatPlugins=false\n    teleportConfig {\n        coordX=0\n        coordY=0\n        coordZ=0\n        # Should the plugin use the default spawn from the world you specify below\n        defaultSpawn=false\n        enabled=false\n        # Spawn world or let it empty to use the default world specified in the server properties\n        worldName=\"\"\n    }\n    # Number of seconds a player has time to login or will be kicked.-1 deactivates this features\n    timeoutLogin=60\n    # Should the plugin save the login status to the database\n    updateLoginStatus=false\n    # Regular expression for verifying validate player names. Default is a-zA-Z with 2-16 length\n    validNames=\"^\\\\w{2,16}$\"\n    # How seconds the user should wait after the user tried to make too many attempts\n    waitTime=300\n\n## Downloads\n\nhttps://github.com/games647/FlexibleLogin/releases\n\n###  Development builds\n\nDevelopment builds of this project can be acquired at the provided CI (continuous integration) server. It contains the\nlatest changes from the Source-Code in preparation for the following release. This means they could contain new\nfeatures, bug fixes and other changes since the last release.\n\nNevertheless builds are only tested using a small set of automated and a few manual tests. 
Therefore they **could**\ncontain new bugs and are likely to be less stable than released versions.\n\nhttps://ci.codemc.org/job/Games647/job/FlexibleLogin/changes\n\n## Screenshots:\n\n### TOTP Key generation (/register)\n![Minecraft image picture](https://i.imgur.com/K2GDqfW.png?1)\n\n### TOTP App\n![Authenticator](https://i.imgur.com/HWNR8SK.png)\n\nThere you can see a time-generated code which can be used for the login process: `/login \u003ccode\u003e`\nAdditionally, it displays your user account name and the server IP.\n\n## Apps (Open-Source only)\n\niOS\n* Authenticator [AppStore](https://itunes.apple.com/us/app/authenticator/id766157276)\n* FreeOTP [AppStore](https://itunes.apple.com/us/app/freeotp-authenticator/id872559395)\n\nAndroid\n* andOTP [F-Droid](https://f-droid.org/en/packages/org.shadowice.flocke.andotp/)\n    [PlayStore](https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp)\n* Yubico Authenticator [F-Droid](https://play.google.com/store/apps/details?id=com.yubico.yubioath)\n    [PlayStore](https://play.google.com/store/apps/details?id=com.yubico.yubioath)\n    * Requires YubiKey hardware token\n* OnlyKey U2F [PlayStore](https://play.google.com/store/apps/details?id=to.crp.android.onlykeyu2f)\n    * Requires OnlyKey hardware token\n\nDesktop (Linux, Mac, Windows):\n* YubiKey Authenticator [Download](https://www.yubico.com/products/services-software/download/yubico-authenticator/)\n    * Requires YubiKey hardware token\n* NitroKey App [Download](https://www.nitrokey.com/download)\n    * Requires Nitrokey hardware token\n* OnlyKey App \n[Chromium Store](https://chrome.google.com/webstore/detail/onlykey-configuration/adafilbceehejjehoccladhbkgbjmica)\n    * Requires OnlyKey hardware 
token\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftuxcoding%2Fflexiblelogin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftuxcoding%2Fflexiblelogin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftuxcoding%2Fflexiblelogin/lists"}