GitHub - cmxci/antimsban: Fabric mod to (maybe) ignore global bans while still using the auth server

This repository has been archived by the owner on Nov 28, 2022. It is now read-only.

cmxci / antimsban Public archive

Notifications You must be signed in to change notification settings
Fork 0
Star 14

Fabric mod to (maybe) ignore global bans while still using the auth server

MIT license

14 stars 0 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
gradle/wrapper		gradle/wrapper
src/main		src/main
.gitignore		.gitignore
LICENSE		LICENSE
README		README
build.gradle		build.gradle
gradle.properties		gradle.properties
gradlew		gradlew
settings.gradle		settings.gradle

Repository files navigation

=== SECURITY WARNING ===
DO NOT USE THIS MOD IF YOU DO NOT 100% TRUST THE SERVER NOT TO STEAL YOUR ACCOUNT. This mod is not secure because servers will unavoidably have the opportunity to steal access tokens (because they have to be sent to the auth server decrypted), and this implementation is currently vulnerable to man-in-the-middle attacks. If, while using this mod, you do join a server that you do not trust completely, you will need to invalidate your access token. In the official launcher, this can be done by signing out. In MultiMC, you can also sign out, or you can use the 'Refresh' button in the account manager. These actions will cause a new access token to be generated and invalidate the old one.

This is a fabric mod to ignore the global ban system. It must be installed on both the client and the server to ignore bans, but vanilla clients will be able to connect to a server running this mod. A client running this mod will not be able to connect to a server without this mod.

This mod works by sending the information used by the client for authentication to the server. The server then authenticates as a client, ignoring any ban or insufficient privilege errors. This works because when a client authenticates usiong the /join API endpoint, the error is specific. If the error is a ban error, then it can be ignored by the client if the client is modified to do so. However, servers use the /hasJoined API endpoint. That endpoint returns nothing if it is unsuccessful, so servers have no way to tell if a client is banned. This mod changes that by having servers try authenticating using what is normally client-side information before disconnecting the client. If that authentication process returns a ban error (or an insufficient privileges error, I felt like disabling those as well), then it will be ignored and the client will be allowed to join.

This mod has recieved very little testing. I only know that an unbanned client can connect to a server. I assume that nobody wants to get banned for testing purposes, so we'll have to wait and see if it actually works.