Allow correct handling UUIDs on a mixed-mode server #31

Closed
k-jiang opened this issue Dec 20, 2016 · 5 comments

Comments

@k-jiang

k-jiang commented Dec 20, 2016

I have noticed that after setting enable-uuid-support: true, LockettePro cannot let offline (cracked) players access any chests/doors with their name correctly written on signs. But it is no problem with premium players.

So I'm guessing this is a problem with UUID handling inside of LockettePro (not detecting offline players' UUIDs, for example). Could you please add support for "offline UUIDs" when enable-uuid-support is set to true? Our server is running in a kind of mixed mode which allows both premium and offline players to join the server. By using a plugin called "FastLogin" (https://www.spigotmc.org/resources/fastlogin.14153/), my offline (cracked) users can have their offline UUID and all my premium players can keep their online UUIDs (UUIDs assigned by Mojang), allowing them to change names on Mojang.

FastLogin is a great plugin. It was very useful when we decided to switch to online mode without losing all of the previous players we had. I believe that there are a lot of servers using this type of plugin as well. So please consider this feature.

A possible way to support such a feature is just to read the player UUIDs from the server, so LockettePro doesn't have to query the Mojang API every time when checking "who can open the chest". All you have to do is get the player's UUID from Bukkit/Spigot directly and then compare it to the storage.

Another way I could think of is to try to generate the offline UUID by name (https://gist.github.com/games647/2b6a00a8fc21fd3b88375f03c9e2e603). Then compare it with the player after he/she failed the premium-UUID check.

Thank you! And if you need any tests please ask me at any time. I can put your dev builds on my server for trial :)

@connection-lost
Owner

connection-lost commented Dec 21, 2016

I used to think UUIDs generated by offline servers are using md5("OfflinePlayer:<player name>") automatically. I will look into this case.

I'm currently on vacation though :(

@connection-lost
Owner

connection-lost commented Jan 10, 2017

I have just done some research regarding your situation; please confirm the following first:

  1. You have a mixed-mode server that allows both online-mode players and offline-mode players...
  2. ...by using a helper plugin "FastLogin". A similar plugin I can think of could be "AutoIn" etc.
  3. FastLogin requires your server to be set to "online-mode: false"
  4. Your players with a legitimate Mojang login cannot open their locked chests once they have changed their name. Players logged in offline are not affected since their name will always stay the same.

There are some issues:

  1. If you set your server to "online-mode: false", all UUIDs generated by the server will be something like "md5("OfflinePlayer:") ". Which means this UUID is non-reversible. If a player has changed their name, it is impossible for them to open their chest again because their chest lock has been bound to their old name.
  2. "online-mode: false" servers will not attempt to grab the correct UUID for Mojang login players, and it is hard for LockettePro to know which player has logged in via Mojang.

My current proposed solution will be incompatible with all currently owned signs for Mojang login users, as well as probably not able to support all "mixed-mode server" plugins. TBH I don't really think it will be worth the effort, but pull requests are welcomed.

@k-jiang
Author

k-jiang commented Jan 10, 2017

Confirm:
4. This happened when enable-uuid-support: false is set in the LockettePro config.yml. However, if I set this option to true, then only the legitimate players could access their chests.

About issues:
2. It is only true for cracked players. With FastLogin (or AuthIn you mentioned) integrated, legitimate players can still have their online-type UUID associated with them even if online-mode: false. At least on my server, all of my legit players have their own legit UUID and all the data are stored under this type of UUID as well with no problems. That also means they can definitely change their name through Mojang without losing any saved data. So that is why I'm guessing you could just read the player's UUIDs directly from Spigot.

I don't know how LockettePro stores UUIDs or how it verifies a player's UUID because I suck at Java programming. But if simply reading from Spigot does not work for you, I suggest you try to generate the offline UUID manually (through md5 as you said) and compare it again after LockettePro failed to verify the legit one in the first place. It is also a safe way to do it because the chance of md5 collision is extremely low. Btw this feature should only be enabled when enable-uuid-support: true of course.

In the case of "what if a mixed-mode server decided to use cracked UUIDs for its own legit players", idk man what's wrong with those servers. If they choose to stick with cracked UUIDs anyway then they should also expect and disallow players from changing their name as well.

Please tell me if you have any thoughts. I will share my ideas as well.

p.s. Just a reminder: you forgot to fix #30 in the last comments.
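
The two checks suggested in this thread (compare the server-reported UUID with the stored one, then fall back to the name-derived offline UUID), as an added example that is not part of the original comments and not LockettePro's code. The class and method names are hypothetical, the sample identities are constructed, and it assumes Mojang-assigned UUIDs are random (version 4).

```java
import java.nio.charset.StandardCharsets;
import java.util.UUID;

// Hypothetical helper for illustration; not LockettePro's code.
public class MixedModeOwnerCheck {

    // Offline-mode UUID: name-based (version 3, MD5) over "OfflinePlayer:" + name.
    // The name is case-sensitive here, so "Alex" and "alex" give different UUIDs.
    static UUID offlineUuid(String name) {
        return UUID.nameUUIDFromBytes(
                ("OfflinePlayer:" + name).getBytes(StandardCharsets.UTF_8));
    }

    // playerUuid: what the server reports for the connected player.
    // ownerUuid:  UUID stored with the sign, or null for a name-only sign.
    static boolean mayOpen(UUID playerUuid, UUID ownerUuid, String ownerName) {
        if (ownerUuid != null) {
            // Stored UUID wins: a renamed premium player still matches,
            // and nobody else can match by taking the old name.
            return ownerUuid.equals(playerUuid);
        }
        // Name-only sign: fall back to the offline UUID derived from the
        // name on the sign. Only a version 3 UUID can ever equal it, so a
        // premium (version 4) player who takes that name is not accepted.
        return playerUuid.equals(offlineUuid(ownerName));
    }

    public static void main(String[] args) {
        // Constructed sample identities.
        UUID premium = UUID.fromString("11111111-2222-4333-8444-555555555555");
        UUID cracked = offlineUuid("Alex");

        System.out.println("offline UUID version: " + cracked.version());
        // Premium owner whose sign still shows an old name.
        System.out.println("renamed premium owner: " + mayOpen(premium, premium, "OldName"));
        // Cracked player opening a name-only sign with their own name.
        System.out.println("cracked owner by name: " + mayOpen(cracked, null, "Alex"));
        // Premium player presenting at a name-only sign owned by "Alex".
        System.out.println("premium vs name-only sign: " + mayOpen(premium, null, "Alex"));
        // Same name in a different case yields a different offline UUID.
        System.out.println("case variant: " + mayOpen(offlineUuid("alex"), null, "Alex"));
    }
}
```

Because the offline UUID is a pure function of the name, the fallback is only as strong as whatever authenticates that name at login on an online-mode: false server.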

@connection-lost
Owner

I just came up with an idea, but I need to verify it first.

For #30, sorry :(

@connection-lost
Owner

Sorry, but this idea will be longer considered.
