
Comments (5)

connection-lost commented on June 22, 2024

I used to think UUIDs generated by offline servers were using md5("OfflinePlayer:<player name>") automatically. I will look into this case.

I'm currently on vacation though :(

from lockettepro.

connection-lost commented on June 22, 2024

I have just done some research regarding your situation. Please confirm the following first:

  1. You have a mixed-mode server that allows both online-mode players and offline-mode players...
  2. ...by using a helper plugin "FastLogin". A similar plugin I can think of could be "AutoIn", etc.
  3. FastLogin requires your server to be set to "online-mode: false".
  4. Your players with a legitimate Mojang login cannot open their locked chests once they have changed their name. Players logged in offline are not affected since their name will always stay the same.

There are some issues:

  1. If you set your server to "online-mode: false", all UUIDs generated by the server will be something like md5("OfflinePlayer:<player name>"), which means this UUID is non-reversible. If a player has changed their name, it is impossible for them to open their chest again because their chest lock is bound to their old name.
  2. "online-mode: false" servers will not attempt to grab the correct UUID for Mojang login players, and it is hard for LockettePro to know which player has logged in via Mojang.

My current proposed solution will be incompatible with all currently owned signs for Mojang login users, and will probably not be able to support all "mixed-mode server" plugins. TBH I don't really think it will be worth the effort, but pull requests are welcome.


k-jiang commented on June 22, 2024

Confirm:
4. This happened when enable-uuid-support: false is set in LockettePro's config.yml. However, if I set this option to true, then only the legitimate player could access their chests.

About issues:
2. It is only true for cracked players. With FastLogin (or AuthIn you mentioned) integrated, legitimate players can still have their online-type UUID associated with them even if online-mode: false. At least on my server, all of my legit players have their own legit UUID and all the data is stored under this type of UUID as well with no problems. That also means they can definitely change their name through Mojang without losing any saved data. So that is why I'm guessing you could just read the players' UUIDs directly from Spigot.

I don't know how LockettePro stores UUIDs or how it verifies a player's UUID because I suck at Java programming. But if simply reading from Spigot does not work for you, I suggest you try to generate the offline UUID manually (through md5 as you said) and compare it again after LockettePro failed to verify the legit one in the first place. It is also a safe way to do it because the chance of an md5 collision is extremely low. Btw this feature should only be enabled when enable-uuid-support: true of course.

In the case of "what if a mixed-mode server decided to use cracked UUIDs for its own legit players", idk man what's wrong with those servers. If they choose to stick with cracked UUIDs anyway then they should also expect and disallow players from changing their name as well.

Please tell me if you have any thoughts. I will share my ideas as well.

p.s. Just a reminder: you forgot to fix #30 in the last comments.

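The name-derived UUID and the fallback comparison discussed in the comments above, as an added example that is not LockettePro's code and not written by either commenter. The class and method names are hypothetical, the sample UUID and player names are constructed, and the check assumes the lock stores its owner as a UUID.

```java
import java.nio.charset.StandardCharsets;
import java.util.UUID;

// Added illustration; class and method names are hypothetical, not LockettePro's API.
public class OfflineUuidCheck {

    // UUID an offline-mode server assigns: MD5 of "OfflinePlayer:<name>" packed as a version-3 UUID.
    static UUID offlineUuid(String playerName) {
        return UUID.nameUUIDFromBytes(("OfflinePlayer:" + playerName).getBytes(StandardCharsets.UTF_8));
    }

    // Version 3 = name-derived (offline); Mojang account UUIDs are random (version 4).
    static boolean isOfflineUuid(UUID id) {
        return id.version() == 3;
    }

    // Primary check on the UUID the server reports, then the fallback from the thread:
    // recompute the offline UUID from the current name and compare with the stored owner.
    static boolean mayOpen(UUID storedOwner, UUID playerUuid, String playerName) {
        if (storedOwner.equals(playerUuid)) {
            return true;
        }
        // The fallback only applies to name-derived owners. It proves nothing more than
        // "logged in under this name", so it relies entirely on the login plugin's auth.
        return isOfflineUuid(storedOwner) && storedOwner.equals(offlineUuid(playerName));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        UUID mojangId = UUID.fromString("123e4567-e89b-42d3-a456-426614174000"); // version-4 layout
        UUID crackedLock = offlineUuid("Steve");

        System.out.println("offline UUID for Steve: " + crackedLock + " v" + crackedLock.version());
        // Premium player renames: the account UUID is unchanged, so the lock still opens.
        System.out.println("premium after rename:  " + mayOpen(mojangId, mojangId, "Steve2"));
        // Cracked player keeps the name: the recomputed UUID matches.
        System.out.println("cracked same name:     " + mayOpen(crackedLock, offlineUuid("Steve"), "Steve"));
        // Lock bound to the old name's offline UUID: a new name yields a different UUID.
        System.out.println("cracked after rename:  " + mayOpen(crackedLock, offlineUuid("Steve2"), "Steve2"));
        // A lock owned by a version-4 UUID is never opened through the name fallback.
        System.out.println("name reuse vs v4 lock: " + mayOpen(mojangId, offlineUuid("Steve"), "Steve"));
    }
}
```

Restricting the fallback to version-3 owners keeps a lock bound to a Mojang account UUID from being opened by anyone who merely logs in offline under the same name.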

connection-lost commented on June 22, 2024

I just came up with an idea, but I need to verify it first.

For #30, sorry :(


connection-lost commented on June 22, 2024

Sorry, but this idea will no longer be considered.
