MoontrixLogin v1.5.0-beta
Major beta update focused on security hardening, runtime compatibility, and operational reliability.
Highlights
- Security architecture significantly upgraded.
- Runtime compatibility target extended to 1.8 -> 1.21.11.
- Improved session protection, brute-force defense, and secret management.
Added
- Remember Me login with signed JWT:
/login <password> [totp] [remember]
- Multi-factor session validation:
- IP prefix
- Device fingerprint
- JWT claim verification
- Runtime server version compatibility logging:
- explicit logs for legacy, supported, and newer-than-tested versions
- Secret reference support in config:
${ENV:...}${AES_GCM:...}${VAULT:path#field}
- Anti-bot upgrades:
- adaptive CAPTCHA
- device fingerprint failure tracking
- optional AbuseIPDB reputation checks
- Security automation:
- OWASP dependency-check integration
- Dependabot configuration
- security workflow updates
Changed
- Caffeine caching integrated and tuned for high-load usage.
- HikariCP pool tuning improved:
- pool sizing
- keepalive
- timeout tuning
- leak detection
- high-usage warning logs
- Remember token persistence upgraded:
- stored in
remember-tokens.properties - encrypted at rest (AES-GCM) when JWT secret is configured
- unreadable token file is quarantined (
.invalid-<timestamp>)
- stored in
- Plugin metadata updated to version 1.5.0-beta.
Security
- Plaintext secrets are no longer the recommended path.
- Secret reference resolution is now fail-fast with explicit startup logs.
- Progressive brute-force lock schedule:
1h -> 24h -> 7d -> permanent
- Stricter session invalidation on context mismatch.
Compatibility
- Legacy-compatible API baseline adopted.
plugin.ymlno longer hard-locks modernapi-version.- Target server range: Spigot/Paper/Purpur 1.8 to 1.21.11.
Upgrade Notes
- Set a strong JWT secret before enabling remember-me.
- Rotating JWT secret invalidates existing remember tokens by design.
- Review updated config and hardening docs:
src/main/resources/config.ymldocs/HARDENING_GUIDE.md