Releases: schooldevontop/MoontrixLogin
Releases · schooldevontop/MoontrixLogin
Release list
MoontrixLogin v1.5.0
Stable release with major compatibility and deployment improvements.
Highlights
- Finalized version
1.5.0(removed beta labeling in build metadata). - Added full admin subcommands under
/moontrixlogin:force_loginforce_logoutinforeload
- Added runtime hot-reload support for key modules:
- security
- antiBot
- rememberMe/JWT
- listeners + command rebinding
Compatibility
- Declared support for Bukkit ecosystem variants:
- Bukkit
- Spigot
- Paper
- Purpur
- Pufferfish
- Folia
- Added compatibility matrix CI with API profiles across JDK versions.
- Added runtime smoke-test workflow for:
- Paper
- Purpur
- Folia (runtime job currently pinned to
1.20.1)
Java Target Refactor
- Refactored project to Java 8 target bytecode.
- Updated dependencies to Java 8-compatible versions.
- Removed Java 11+/16+ language/API usage:
record,var, pattern matchinginstanceofString.isBlank,Optional.isEmpty,Map.of,CompletableFuture.failedFuturejava.net.httpmigrated toHttpURLConnection
Security / Stability
- Hardened AbuseIPDB integration:
- fail-open behavior on timeout/rate-limit/errors
- backoff caching
- duplicate-refresh protection
- Improved reload observability with detailed per-module logs.
- Added explicit config guidance for required
MOONTRIX_JWT_SECRET.
Localization
- Added dual-language message support via config:
language: "en"orlanguage: "vi"
- Message loader now resolves language file dynamically with fallback to English.
Templates & Resources
- Removed deprecated root email templates.
- Upgraded active templates in
templates/with professional HTML/CSS styling. - Cleaned old artifacts and standardized packaged output naming.
Notes
- If upgrading from older releases, review
config.ymlfor new/updated keys (especially language and antiBot/AbuseIPDB options). - For CI/runtime claims, see workflows:
compat-matrix.ymlruntime-smoke.yml
MoontrixLogin v1.5.0-beta
Major beta update focused on security hardening, runtime compatibility, and operational reliability.
Highlights
- Security architecture significantly upgraded.
- Runtime compatibility target extended to 1.8 -> 1.21.11.
- Improved session protection, brute-force defense, and secret management.
Added
- Remember Me login with signed JWT:
/login <password> [totp] [remember]
- Multi-factor session validation:
- IP prefix
- Device fingerprint
- JWT claim verification
- Runtime server version compatibility logging:
- explicit logs for legacy, supported, and newer-than-tested versions
- Secret reference support in config:
${ENV:...}${AES_GCM:...}${VAULT:path#field}
- Anti-bot upgrades:
- adaptive CAPTCHA
- device fingerprint failure tracking
- optional AbuseIPDB reputation checks
- Security automation:
- OWASP dependency-check integration
- Dependabot configuration
- security workflow updates
Changed
- Caffeine caching integrated and tuned for high-load usage.
- HikariCP pool tuning improved:
- pool sizing
- keepalive
- timeout tuning
- leak detection
- high-usage warning logs
- Remember token persistence upgraded:
- stored in
remember-tokens.properties - encrypted at rest (AES-GCM) when JWT secret is configured
- unreadable token file is quarantined (
.invalid-<timestamp>)
- stored in
- Plugin metadata updated to version 1.5.0-beta.
Security
- Plaintext secrets are no longer the recommended path.
- Secret reference resolution is now fail-fast with explicit startup logs.
- Progressive brute-force lock schedule:
1h -> 24h -> 7d -> permanent
- Stricter session invalidation on context mismatch.
Compatibility
- Legacy-compatible API baseline adopted.
plugin.ymlno longer hard-locks modernapi-version.- Target server range: Spigot/Paper/Purpur 1.8 to 1.21.11.
Upgrade Notes
- Set a strong JWT secret before enabling remember-me.
- Rotating JWT secret invalidates existing remember tokens by design.
- Review updated config and hardening docs:
src/main/resources/config.ymldocs/HARDENING_GUIDE.md
MoontrixLogin v1.0.0 – Initial Release
MoontrixLogin v1.0.0
Initial public release.
Highlights
- Secure authentication with BCrypt
- Session tracking with IP/UUID validation
- Anti-bot & brute-force protection
- MySQL and SQLite support
- Email verification & password recovery
- Optional TOTP (2FA) and captcha
- Configurable messages and rules
Technical
- API Version: 1.21.x
- Compatible: Spigot / Paper / Purpur / Folia
- Requires Java 21+
Notes
- Always back up your database before updating.