Web - Authentication

[DeJayDev]

Authentication is labeled with a ? making it seem like it may or may not be added when I believe it's a requirement.

You could tie accounts to the account creators UUID and do permission lookups in game to validate a user can/can't handle appeals. I think it would be interesting to handle access management through the server's preexisting permissions system, as opposed to other solutions like XenForo or even Enjin which required you to manage your groups and their access level independently of the systems you may have in place.

Let's say, absolute worst case scenario, a moderators password is leaked. Rather than scrambling to revoke this moderators access, it would be perhaps more appropriate to completely remove their role and have it "done".

This model could perhaps also make the future goal of going SaaS easier by allowing the services IP range to access the Minecraft Servers permissions database. Those on shared hosts wouldn't have to worry about allowing a custom IP range, but those with a more advanced security system would have their piece of mind.

[ParadauxIO]

Authentication was labeleld with a ? to indicate a discussion needed to be open to discuss its implementation, which I suppose this fulfills. The issue is purely on the web-side of things, currently I'm thinking of something akin to the luckperms viewer, which gives users a code to execute (which is simply a bytebin slug with the necessary information to create a session)

I think such a system should be adequate for our purposes, although I have done a tentative look into Microsoft/mojang oauth and didn't find any satisfactory option there, provided most haven't switched to MS for their MC accounts, myself included.

The issue isn't who can manage appeals, it's how we verify they are who they say they are, and I have a few ideas for this

• User generates authentication token for their UUID/username in-game, which will be hashed/salted and used to lin
• A user runs a command to generate a unique session, akin to luckperms
• Some form of oauth, via discord/mcauth or something

If something like a moderator's password is leaked we will be providing the ability to revert all actions done by a UUID or username in the last x timeperiod, and revoking things like generated tokens, that will be a given, I think it's fair to say.

The SaaS thing is only a loose idea, and not something we're considering for a 1.0, however this will likely be done via the baked in RESTful API the plugin will have, and things like IP restrictions from the servers themselves shouldn't strictly be necessary, but could be implemented if requested, I'm sure.