next »

[grosbedo]

Hello there,

First, cheers to the B3 team who has done a great job making this great framework.
Secondly, thank's to this post, it saved me a lot of time :
http://www.bigbrotherbot.net/forums/the-code-bin/converting-simple-modifications-into-plugins/msg0/?boardseen#new

Third, thank's to Courgette for his fast replies and his dedication.

And last : here's my plugin.

Dynamic Login v0.8.1 (2010-08-17)

Download
Primary : http://www.bigbrotherbot.net/forums/downloads/?sa=view;down=73
Mirror : http://superbots.org/modules.php?name=Downloads&op=getit&lid=27

Description

This plugin basically fills the login and password fields in the database with !regaccount
and when you issue a !loginaccount, it gives you the privileges associated with your old account, by either duplicating them, or either by merging your new account with the old one ( by replacing your old IP and GUID with your current one, and place your current name as an alias, so you get your privileges back while permitting the tracking of the alias).

This permits you to create a secure login system for virtually any game that B3 can parse.

Features

Three login system types :
* 0 : No saving (aka rcon-like) : several users can use the same account at the same time and _don't store_ the privileges in the database. User will have to issue a !loginaccount each time he connects to the server to get his privileges.
* 1 : No duplicate mode : only one user can use the same account at a time. Merge current account with old one, and fix all the aliases (redirect new aliases to the old account). More secure as it avoid leaving the old account with an old IP and guid (so noone but the last logged user can use this account).
* 2 : Duplicate mode : several users can use the same account at the same time and _store_ the privileges, so logged user won't have to relog anymore. Don't merge the accounts, keep the old account but give the same privileges as old account to the current one. Less secure because if someone luckily gets your old IP or guid, one can use your old account. But it permits to set generic accounts : you set one login and password that you give to all your admins, and they will be able to associate their current account to the privileges, without an admin being present on server.

Manage accounts :
* Easily create/edit/register/login accounts in-game

Secure :
* Use /tell or /m to privately send your login infos to the bot
* Accounts duplication and merging are logged in a history.

* Security fallback measure on public revealing of an account credentials :
          .If someone inadvertently use /say or /say_team instead of /tell, then there are great chances the account is leaked, and anyone can use its credentials.
          .With this feature enabled, if the script detect that such a leak is possible, the account password is automatically changed to the securitysecretpass and an alert is outputted in the log for an admin to verify it.
          .You can customize the expression that will be checked for a security fallback.

Changelog

Code:

2010-08-09 - v0.6 - GrosBedo
- first public release, with 3 different login types.

2010-08-09 - v0.7 - GrosBedo
- added login history for type 0
- added !setaccount to change account's passwords
- added a security fallback measure if someone publicly reveals its account password
- login history now checks that old account id is not already associated with current user (avoid duplicates)
- fixed a minor bug in generating timestamp for the login history db

2010-08-11 - v0.8 - GrosBedo
- added !createaccount command to create dummy accounts for duplication (login system type 0 and 2)

2010-08-17 - v0.8.1 - GrosBedo
 - moved security fallback regexp to xml config file, and can now add more than one
 - commands moved to the config file

Enjoy !

GrosBedo

[attachment deleted by maintenance]

[Courgette]

nice work. http://www.bigbrotherbot.net/forums/downloads/?sa=view;down=73

[grosbedo]

nice work. http://www.bigbrotherbot.net/forums/downloads/?sa=view;down=73

Thank's

Ah and just to precise : this work is under the same license as B3 (GPL v2 ?).

[Courgette]

As a matter of fact, B3 being under GPLv2, all plugins developped for B3 must have a GPL compatible license. More info on : http://www.bigbrotherbot.net/forums/plugin-developers/b3-and-the-gnu-general-public-license/msg8476/#msg8476

[grosbedo]

Released v0.7, which adds 2 major features :

- !setaccount to change an account password depending on the login supplied and your rights (you can only change the password of an account lower or equal in privileges to yours).

- Security fallback measure : prevents leakage of accounts, by changing password automatically if someone use /say or /say_team instead of /tell or /m. Of course, the validity of the submitted informations is verified, so that noone can abuse of the system by resetting all accounts. Thank's to Heap for the idea.

Note : Of course, you can disable and tweak all those settings in the provided conf/dynamiclogin.xml
For example, you can still permit people to use /say and /say_team to login by setting "security" parameter to False (default).

Can someone update the official download page by updating the package and linking to this thread please ?

[Courgette]

you can update the files in the download section yourself

[grosbedo]

you can update the files in the download section yourself

Weird, I tried the other day but couldn't find the way to do it ?

/Edit : I still can't figure out how, there's no edit button anyway, and in MyFiles i can only add a new file.
Do I make a new download and it will replace the old one ?

[Courgette]

there should be a edit link somewhere. I'll get Xlr8or attention on that matter.

[xlr8or]

Okay, you should be able to edit your own downloads now.

[grosbedo]

Ok, updated, thank's ! It just waits for approval now

[grosbedo]

Updated v0.8, added a !createaccount command to easily create dummy accounts ingame.

Supplied a readme too.

[grosbedo]

Update v0.8.1 :

2010-08-17 - v0.8.1 - GrosBedo
 - moved security fallback regexp to xml config file, and can now add more than one
 - commands moved to the config file

[grosbedo]

A small change of the regexp that I will not put in the archive because Im too lazy to repackage everything for that :

In conf/dynamiclogin.xml, change

Code: xml

.*($action!lo[g]+ina[c]+ount)\s+($username[a-z0-9_]+)\s+($password[a-z0-9_]+).*

Into :

Code: xml

.*($action(!|@)?lo[g]+ina[c]+ount)\s+($username[a-z0-9_]+)\s+($password[a-z0-9_]+).*

This will permit to detect cases where the user forget to put the !...

[learco]

i can't understand different between *0 *1 and *2;
in *2 several accounts have to change ip in order to relog?
in *0 every time do you join on the server?
in *1 only an account can use an old account?
is this about?

[grosbedo]

in *0 every time do you join on the server?

Yes, just like a RCON, you do have to login each time you rejoin the server.

This is kind of different from how B3 usually works : normally, an admin setup an account once (with !putgroup), and then the user gets automatically his privileges each time he connects to the server. With DynamicLogin set to type 0, this system won't be used (you can still use it at the same time though), and instead, you give a password to each of your members, and they have to login each time they want to get their privileges.

On the other way, the two other types of DynamicLogin works in a similar way than B3 normal behaviour.

in *1 only an account can use an old account?

Yes, let's put an example : you are a superadmin, but you have a dynamic IP and guid. You set a username and password with !regaccount.

When your IP and guid change, B3 won't recognize you as a superadmin anymore. Then, you simply have to use !loginaccount with your previously set username and password, and you get back all your superadmin status and privileges !

What technically happens is that, with type 1, when you login, the database will be updated with your new ip and guid.

Since the database is updated, next time you reconnect to the server, you won't have to relogin (except if your ip and guid change), B3 will automatically recognize you (even if you disable the plugin).

in *2 several accounts have to change ip in order to relog?

No, type 2 is similar to type 1, in the sense that it will update the database informations. But here, instead of updating, it will duplicate the privileges to you.

The effect is the same : once you !loginaccount with type 2, you get automatically recognized by B3 next time.

The difference here with type 1, is that with type 2, several different players can get the same privileges, while with type 1, only one will at a time.

An example : you play with 3 different computers : one at home, one at school and one at work. Thus, you have 3 different IPs and GUIDs, but you want to get your privileges back from each of these locations. With type 1, each time you change location, you will have to !loginaccount to get your rights (because each time you login, you will remove your previous location informations and update with new ones). With type 2, you !loginaccount once for each location (so 3 times in total), and then you will never have to !loginaccount again ! (because here you duplicate the informations, so the old ones are still valid).

---------------------------------

I think that for most uses, type 0 fits. It's the simplest to use and to apprehend.