Skip to content

MoontrixLogin v1.5.0-beta

Choose a tag to compare

@schooldevontop schooldevontop released this 14 Feb 04:27
62f0d4a

Major beta update focused on security hardening, runtime compatibility, and operational reliability.

Highlights

  • Security architecture significantly upgraded.
  • Runtime compatibility target extended to 1.8 -> 1.21.11.
  • Improved session protection, brute-force defense, and secret management.

Added

  • Remember Me login with signed JWT:
    • /login <password> [totp] [remember]
  • Multi-factor session validation:
    • IP prefix
    • Device fingerprint
    • JWT claim verification
  • Runtime server version compatibility logging:
    • explicit logs for legacy, supported, and newer-than-tested versions
  • Secret reference support in config:
    • ${ENV:...}
    • ${AES_GCM:...}
    • ${VAULT:path#field}
  • Anti-bot upgrades:
    • adaptive CAPTCHA
    • device fingerprint failure tracking
    • optional AbuseIPDB reputation checks
  • Security automation:
    • OWASP dependency-check integration
    • Dependabot configuration
    • security workflow updates

Changed

  • Caffeine caching integrated and tuned for high-load usage.
  • HikariCP pool tuning improved:
    • pool sizing
    • keepalive
    • timeout tuning
    • leak detection
    • high-usage warning logs
  • Remember token persistence upgraded:
    • stored in remember-tokens.properties
    • encrypted at rest (AES-GCM) when JWT secret is configured
    • unreadable token file is quarantined (.invalid-<timestamp>)
  • Plugin metadata updated to version 1.5.0-beta.

Security

  • Plaintext secrets are no longer the recommended path.
  • Secret reference resolution is now fail-fast with explicit startup logs.
  • Progressive brute-force lock schedule:
    • 1h -> 24h -> 7d -> permanent
  • Stricter session invalidation on context mismatch.

Compatibility

  • Legacy-compatible API baseline adopted.
  • plugin.yml no longer hard-locks modern api-version.
  • Target server range: Spigot/Paper/Purpur 1.8 to 1.21.11.

Upgrade Notes

  • Set a strong JWT secret before enabling remember-me.
  • Rotating JWT secret invalidates existing remember tokens by design.
  • Review updated config and hardening docs:
    • src/main/resources/config.yml
    • docs/HARDENING_GUIDE.md