Bungee commands not protected by 2FA after spigot server restart.
Closed this issue · 6 comments
Describe the bug
When the spigot server restarts (after bungee is on), we can execute bungee commands from a 2FA-protected account.
How To Reproduce
- Start bungee (or flamecord; we use flamecord for network protection) with 2FA installed.
- Start one or two spigot servers (after bungee!) with 2FA installed and one account configured.
- We can execute bungee commands like /server.
Expected behavior
- Bungee commands should not execute when the account is protected by 2FA and not unlocked.
Server Information
- OS: Debian 10
- Java Version: Java 11 with 1.12.2 or 1.16.5 and Java 8 with 1.8.8
- Plugin Version: Latest
- Plugin List: issue can be reproduced without any plugins
- Using Bungeecord? Yes (Flamecord)
- Loaded Bungeecord? Yes
Thanks for reporting the bug. I'll try to find out what's causing it :)
I was messing with 2FA and encountered something which I believe relates to this issue.
I am using the latest 2FA version (1.5.3). The mentioned server runs on Pterodactyl (Server Management Panel) using Java version 1.8.0_282.
I was messing with the messages.yml file on a single server (Setting up 2FA, single entry point for all servers) and I was getting an issue regarding the messages.yml file 'resetting to default messages' when attempting to execute Bungeecord commands when the user is not authenticated. It turns out that when I start Bungeecord (or Waterfall, as is my case) after the server is started, it loads and uses the files in the Bungeecord 2FA folder, including its messages.yml file for Bungeecord stuff (causing my prior issue when attempting to execute Bungeecord commands) and potentially activating this Bungeecord command execution protection. As fhebuterne's reproduction steps state (and I myself have confirmed), starting the server after starting Bungeecord, it seems to ignore the Bungeecord files on the server itself, allowing Bungeecord command execution... Maybe it's not detecting/loading the Bungeecord files in conjunction on boot?
I believe the current workaround is to start/restart Bungeecord after starting your server(s) to apply the Bungeecord files (and in theory, its Bungeecord command execution protection).
Hope this helps.
Thank you for the thorough explanation!
I'll give it a look this weekend and hopefully figure out what's causing the issue :)
Just tested 2FA version 1.5.5 and it appears to have fixed this issue, though I only tested it with the /server command. Testing it with the server started after Bungeecord it works as intended, it gives the authenticate message instead of a successfully executed Bungeecord command. Testing it with Bungeecord started after the server provides the same result. I would advise further testing with the rest of the Bungeecord commands before calling this issue off for good, but I feel confident at this time that it is fixed. Thx fam! (lol)
Awesome. I wanted to close this issue but got a similar complaint after the new release.
I'll give it another look before calling it off for good like you said, but it seems promising :)
Should be fixed :)