# FastLogin config# Project site: https://www.spigotmc.org/resources/fastlogin

1. # FastLogin config
2. # Project site: https://www.spigotmc.org/resources/fastlogin.14153
3. # Source code: https://github.com/games647/FastLogin
4. #
5. # You can access the newest config here:
6. # https://github.com/games647/FastLogin/blob/main/core/src/main/resources/config.yml
7.  
8. # This a **very** simple anti bot protection. Recommendation is to use a dedicated program to approach this
9. # problem. Low level firewalls like uwf (or iptables direct) are more efficient than a Minecraft plugin. TCP reverse
10. # proxies could also be used and offload some work even to different host.
11. #
12. # The settings wil limit how many connections this plugin will handle. After hitting this limit. FastLogin will
13. # completely ignore incoming connections. Effectively there will be no database requests and network requests.
14. # Therefore, auto logins won't be possible.
15. anti-bot:
16. enabled: true
17. # Image the following like bucket. The following is total amount that is allowed in this bucket, while expire
18. # means how long it takes for every entry to expire.
19. # Total number of connections
20. connections: 600
21. # Amount of minutes after the first connection got inserted will expire and made available
22. expire: 10
23. # Action - Which action should be performed when the bucket is full (too many connections)
24. # Allowed values are: 'ignore' (FastLogin drops handling the player) or 'block' (block this incoming connection)
25. action: 'ignore'
26.  
27. # Request a premium login without forcing the player to type a command
28. #
29. # If you activate autoRegister, this plugin will check/do these points on login:
30. # 1. An existing cracked account shouldn't exist
31. # -> paid accounts cannot steal the existing account of cracked players
32. # - (Already registered players could still use the /premium command to activate premium checks)
33. # 2. Automatically registers an account with a strong random generated password
34. # -> cracked player cannot register an account for the premium player and so cannot the steal the account
35. #
36. # Furthermore the premium player check have to be made based on the player name
37. # This means if a cracked player connects to the server, we request a paid account login from this player
38. # the player just disconnect and sees the message: 'bad login' or 'invalid session'
39. # There is no way to change this message
40. # For more information: https://github.com/games647/FastLogin#why-do-players-have-to-invoke-a-command
41. autoRegister: false
42.  
43. # Should FastLogin respect per IP limit of registrations (e.g. in AuthMe)
44. # Because most auth plugins do their stuff async - FastLogin will still think the player was registered
45. # To work best - you also need to enable auto-register-unknown
46. #
47. # If set to true - FastLogin will always attempt to register the player, even if the limit is exceeded
48. # It is up to the auth plugin to handle the excessive registration
49. # https://github.com/games647/FastLogin/issues/458
50. respectIpLimit: false
51.  
52. # This is extra configuration option to the feature above. If we request a premium authentication from a player who
53. # isn't actual premium but used a premium username, the player will disconnect with the reason "invalid session" or
54. # "bad login".
55. #
56. # If you activate this, we are remembering this player and do not force another premium authentication if the player
57. # tries to join again, so the player could join as cracked player.
58. secondAttemptCracked: false
59.  
60. # New cracked players will be kicked from server. Good if you want switch from offline-mode to online-mode without
61. # losing players!
62. #
63. # Existing cracked and premium players could still join your server. Moreover, you could add player names to an
64. # allow-list.
65. # So that these cracked players could join too, although they are new players.
66. switchMode: false
67.  
68. # If this plugin detected that a player has a premium, it can also set the associated
69. # uuid from that account. So if the player changes the username, they will still have
70. # the same player data (inventory, permissions, ...)
71. #
72. # Warning: This also means that the UUID will be different if the player is connecting
73. # through an offline mode connection. This **could** cause plugin compatibility issues.
74. #
75. # This is an example and doesn't apply for every plugin.
76. # Example: If you want to ban players who aren't online at the moment, the ban plugin will look
77. # after an offline uuid associated to the player, because the server is in offline mode. Then the premium
78. # players could still join the server, because they have different UUID.
79. #
80. # Moreover, you may want to convert the offline UUID to a premium UUID. This will ensure that the player
81. # will have the same inventory, permissions, ... if they switched to premium authentication from offline/cracked
82. # authentication.
83. #
84. # This feature requires Cauldron, Spigot or a fork of Spigot (Paper)
85. premiumUuid: true
86.  
87. # This will make an additional check (only for player names which are not in the database) against the mojang servers
88. # in order to get the premium UUID. If that premium UUID is in the database, we can assume on successful login that the
89. # player changed its username and then update the name in the database.
90. # Examples:
91. # #### Case 1
92. # autoRegister = false
93. # nameChangeCheck = false
94. #
95. # GameProfile logins as cracked until the player invoked the command /premium. Then we could override the existing
96. # database record.
97. #
98. # #### Case 2
99. # autoRegister = false
100. # nameChangeCheck = true
101. #
102. # Connect the Mojang API and check what UUID the player has (UUID exists => Paid Minecraft account). If that UUID is in
103. # the database it's an **existing player** and FastLogin can **assume** the player is premium and changed the username.
104. # If it's not in the database, it's a new player and **could be a cracked player**. So we just use an offline mode
105. # authentication for this player.
106. #
107. # **Limitation**: Cracked players who use the new username of a paid account cannot join the server if the database
108. # contains the old name. (Example: The owner of the paid account no longer plays on the server, but changed the username
109. # in the meanwhile).
110. #
111. # #### Case 3
112. # autoRegister = true
113. # nameChangeCheck = false
114. #
115. # We will always request a premium authentication if the username is unknown to us, but is in use by a paid Minecraft
116. # account. This means it's kind of a more aggressive check like nameChangeCheck = true and autoRegister = false, because
117. # it requests a premium authentication which are completely new to us, that even the premium UUID is not in our database.
118. #
119. # **Limitation**: see below
120. #
121. # #### Case 4
122. # autoRegister = true
123. # nameChangeCheck = true
124. #
125. # Based on autoRegister it checks if the player name is premium and login using a premium authentication. After that
126. # fastlogin receives the premium UUID and can update the database record.
127. #
128. # **Limitation from autoRegister**: New offline players who use the username of an existing Minecraft cannot join the
129. # server.
130. nameChangeCheck: false
131.  
132. # If your players have a premium account and a skin associated to their account, this plugin
133. # can download the data and set it to the online player.
134. #
135. # Keep in mind that this will only work if the player:
136. # * is the owner of the premium account
137. # * the server connection is established through a premium connection (paid account authentication)
138. # * has a skin
139. #
140. # This means this plugin doesn't need to create a new connection to the Mojang servers, because
141. # the skin data is included in the Auth-Verification-Response sent by Mojang. If you want to use for other
142. # players like cracked player, you have to use other plugins.
143. #
144. # If you use PaperSpigot - FastLogin will always try to set the skin, even if forwardSkin is set to false
145. # It is needed to allow premium name change to work correctly
146. # https://github.com/games647/FastLogin/issues/457
147. #
148. # If you want to use skins for your cracked player, you need an additional plugin like
149. # ChangeSkin, SkinRestorer, ...
150. forwardSkin: true
151.  
152. # Displays a warning message that this message SHOULD only be invoked by
153. # users who actually are the owner of this account. So not by cracked players
154. #
155. # If they still want to invoke the command, they have to invoke /premium again
156. premium-warning: true
157.  
158. # ======[[ Spigot+ProtocolLib users only ]]======
159. # When set to true, enables the use of alternative session resolver which does not send the server IP
160. # to mojang session servers. This setting might be useful when you are trying to run the server via a
161. # transparent reverse proxy or some other form of DNAT. As far as security goes, this setting has
162. # negligible to no security impact.
163. #
164. # This setting works on a similar principle as 'prevent-proxy' setting in server.properties.
165. # When set to false, the server behaves like prevent-proxy was set to true and vice-versa.
166. # Normally, when you use the prevent-proxy=true, you would want this disabled.
167. #
168. # Please note that this setting has no effect when used outside of Spigot+ProtocolLib context.
169. #
170. # !!! [WARNING] !!!
171. # This option is considered highly experimental. While it is highly unlikely this will break your server,
172. # more tests need to be conducted in order to verify its effectiveness. Brief tests seemed promising, but
173. # every environment is different, and so it might not work for you as it did for me.
174. useProxyAgnosticResolver: false
175.  
176. # If you have autoRegister or nameChangeCheck enabled, you could be rate-limited by Mojang.
177. # The requests of the both options will be only made by FastLogin if the username is unknown to the server
178. # You are allowed to make 600 requests per 10-minutes (60 per minute)
179. # If you own a big server this value could be too low
180. # Once the limit is reached, new players are always logged in as cracked until the rate-limit is expired.
181. # (to the next ten minutes)
182. #
183. # The limit is IP-wide. If you have multiple IPv4-addresses you specify them here. FastLogin will then use it in
184. # rotating order --> 5 different IP-addresses 5 * 600 per 10 minutes
185. # If this list is empty only the default one will be used
186. #
187. # Lists are created like this:
188. #ip-addresses:
189. # - 192-168-0-2
190. ip-addresses: []
191.  
192. # How many requests should be established to the Mojang API for Name -> UUID requests. Some other plugins as well
193. # as the head Minecraft block make such requests as well. Using this option you can limit the amount requests this
194. # plugin should make.
195. #
196. # If you lower this value, other plugins could still make requests while FastLogin cannot.
197. # Mojang limits the amount of request to 600 per 10 minutes per IPv4-address.
198. mojang-request-limit: 600
199.  
200. # This option automatically registers players which are in the FastLogin database, but not in the auth plugin database.
201. # This can happen if you switch your auth plugin or cleared the database of the auth plugin.
202. # https://github.com/games647/FastLogin/issues/85
203. auto-register-unknown: false
204.  
205. # By setting this option to false, you can disable the auto login from fastlogin. So a premium (like a paid account)
206. # authentication is requested, but the player won't be auto logged into the account from the auth plugin.
207. #
208. # This can be used as 2Factor authentication for better security of your accounts. A hacker then needs both passwords.
209. # The password of your Minecraft and the password to login in with your auth plugin
210. autoLogin: true
211.  
212. # Floodgate configuration
213. # Connecting through Floodgate requires player's to sign in via their Xbox Live account
214. # !!!!!!!! WARNING: FLOODGATE SUPPORT IS AN EXPERIMENTAL FEATURE !!!!!!!!
215. # Enabling any of these settings might lead to people gaining unauthorized access to other's accounts!
216.  
217. # Automatically log in players connecting through Floodgate.
218. # Possible values:
219. # false: Disables auto login for every player connecting through Floodgate
220. # true: Enables auto login for every player connecting through Floodgate
221. # linked: Only Bedrock accounts that are linked to a Java account will be logged in automatically
222. # no-conflict: Bedrock players will only be automatically logged in if the Mojang API reports
223. # that there is no existing Premium Java MC account with their name.
224. # This option can be useful if you are not using 'username-prefix' in floodgate/config.yml
225. # Requires 'autoLogin' to be 'true'
226. # !!!!!!!! WARNING: FLOODGATE SUPPORT IS AN EXPERIMENTAL FEATURE !!!!!!!!
227. # Enabling this might lead to people gaining unauthorized access to other's accounts!
228. autoLoginFloodgate: false
229.  
230. # This enables Floodgate or Offline Geyser players to join the server, even if they are using the name of an
231. # existing Java **PREMIUM** account (so someone has bought Minecraft with that username)
232. #
233. # Java and Bedrock players will get different UUIDs, so their inventories, location, etc. will be different.
234. # However, some plugins (such as AuthMe) rely on names instead of UUIDs to identify a player which might cause issues.
235. # In the case of AuthMe (and other auth plugins), both the Java and the Bedrock player will have the same password.
236. #
237. # To prevent conflicts from two different players having the same name, it is highly recommended using a
238. # 'username-prefix' in floodgate/config.yml
239. #
240. # Possible values:
241. # false: Kick Bedrock players, if they are using an existing Premium Java account's name
242. # Note: Linked Floodgate players have the same name as their Java profile, so the Bedrock player will always conflict
243. # their own Java account's name. Therefore, setting this to false will prevent any linked player from joining.
244. # true: Bypass name conflict checking.
245. # linked: Floodgate accounts linked to a Java account will be allowed to join with conflicting names
246. # For Offline Geyser players, 'linked' works as 'false'
247. # !!!!!!!! WARNING: FLOODGATE/GEYSER SUPPORT IS AN EXPERIMENTAL FEATURE !!!!!!!!
248. # Enabling this might lead to people gaining unauthorized access to other's accounts!
249. allowFloodgateNameConflict: false
250.  
251. # Automatically register players connecting through Floodgate.
252. # autoLoginFloodgate must be available for the player to use this
253. # Possible values:
254. # false: Disables auto registering for every player connecting through Floodgate
255. # true: Enables auto registering for every player connecting through Floodgate
256. # linked: Only Bedrock accounts that are linked to a Java account will be registered automatically
257. # no-conflict: Bedrock players will only be automatically registered if the Mojang API reports
258. # that there is no existing Premium Java MC account with their name.
259. # This option can be useful if you are not using 'username-prefix' in floodgate/config.yml
260. # Requires 'autoRegister' to be 'true'
261. # !!!!!!!! WARNING: FLOODGATE SUPPORT IS AN EXPERIMENTAL FEATURE !!!!!!!!
262. # Enabling this might lead to people gaining unauthorized access to other's accounts!
263. autoRegisterFloodgate: false
264.  
265. # This option resembles the vanilla configuration option 'enforce-secure-profile' in the 'server.properties' file.
266. # It verifies if the incoming cryptographic key in the login request from the player is signed by Mojang. This key
267. # is necessary for servers where you or other in-game players want to verify that a chat message sent and signed by
268. # this player is not modified by any third-party. Modifications by your server would also invalidate the message.
269. #
270. # This feature is only relevant if you use the plugin in ProtocolLib mode and use 1.19+.
271. # This also the case if you don't have any proxies in use.
272. verifyClientKeys: false
273.  
274. # Database configuration
275. # Recommended is the use of MariaDB (a better version of MySQL)
276.  
277. # Single file SQLite database
278. driver: 'sqlite'
279. # File location
280. database: '{pluginDir}/FastLogin.db'
281.  
282. # MySQL/MariaDB
283. # If you want to enable it, uncomment only the lines below; this not this line.
284. # If on velocity use 'mariadb' as the driver
285. #driver: 'mysql'
286. #host: '127.0.0.1'
287. #port: 3306
288. #database: 'fastlogin'
289. #username: 'myUser'
290. #password: 'myPassword'
291.  
292. # Advanced Connection Pool settings in seconds
293. #timeout: 30
294. #lifetime: 30
295.  
296. ## It's recommended to enable SSL if the MySQL server isn't running on the same host
297. ## This will encrypt the connection for secure transportation of the sql server password
298. #useSSL: false
299. ## Verification requirements for the server cert,
300. ## Values: Required (unchecked SSL connection), VerifyCA (verify CA), VerifyFull (verify CA and matching hostname)
301. #sslMode=Required
302. ## TLS is preferred for this technique, then your host stored certificate store will be used to verify the server cert
303. ## Similar to HTTPS. If that's not possible RSA can be used with the following options.
304. ## This allows to request the public RSA key from the server to encrypt the data to it. True would allow machine-in-the-
305. ## middle attacks.
306. #allowPublicKeyRetrieval=false
307. ## Path to the RSA public key if key retrieval is forbidden
308. #ServerRSAPublicKeyFile=
309.  
310. # HTTP proxies for connecting to the Mojang servers in order to check if the username of a player is premium.
311. # This is a workaround to prevent rate-limiting by Mojang. These proxies will only be used once your server hit
312. # the rate-limit or the custom value above.
313. # Please make sure you use reliable proxies.
314. proxies:
315. # 'IP:Port' or 'Domain:Port'
316. # - 'xyz.com:1337'
317. # - 'test.com:5131'
318.