diff --git a/CHANGELOG.md b/CHANGELOG.md
index dbcf2397..0a51eda7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Fixed false positive `OnNPCAddBuff` detection when throwing rotten eggs at town NPCs while wearing Frost armor set. (@moisterrific)
 * Moved the emoji player index check into a new class of handlers called `IllegalPerSe`, which is designed to help isolate parts of TShock and make it so that "protocol violations" are treated separately from heuristic based anti-cheat checks. (@hakusaro)
 * Changed `TSPlayer.FindByNameOrID` so that it will continue searching for players and return a list of many players whem ambiguous matches exist in all cases. Specifically, this avoids a scenario where a griefer names themselves `1` and is difficult to enact justice on, because their name will not be found by the matching system used to kick players. To help with ambiguity, this method now processes requests with prefixes `tsi:` and `tsn:`. `tsi:[number]` will process the search as looking for an exact player by ID. `tsn:` will process the search as looking for an exact name, case sensitive. In both cases, the system will return an exact result in the "old-style" result, i.e., a `List` with exactly one result. For example, `/kick tsid:1` will match the player with the ID `1`. `/kick tsn:1` will match the username `1`. In addition, players who attempt to join the server with the name prefixes `tsn:` and `tsi:` will be rejected for having invalid names. (@hakusaro, @Onusai)
+* Added warnings for conditions where a password is set at runtime but can be bypassed. The thinking is that if a user sets a password when they're booting the server, that's what they expect to be the password. The only thing is that sometimes, other config options can basically defeat this as a security feature. The goal is just to communicate more and make things clearer. The server also warns users when UUID login is enabled, because it can be confusing and insecure.
(@hakusaro, @Onusai)
 ## TShock 4.5.3
 * Added permissions for using Teleportation Potions, Magic Conch, and Demon Conch. (@drunderscore)
diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs
index 89e57ba0..c2bfbc39 100644
--- a/TShockAPI/TShock.cs
+++ b/TShockAPI/TShock.cs
@@ -824,10 +824,45 @@ namespace TShockAPI
 if (!string.IsNullOrEmpty(Netplay.ServerPassword))
 {
 //CLI defined password overrides a config password
+ if (!string.IsNullOrEmpty(Config.Settings.ServerPassword))
+ {
+ Log.ConsoleError("!!! The server password in config.json was overridden by the interactive prompt and will be ignored.");
+ }
+
+ if (!Config.Settings.DisableUUIDLogin)
+ {
+ Log.ConsoleError("!!! UUID login is enabled. If a user's UUID matches an account, the server password will be bypassed.");
+ Log.ConsoleError("!!! > Set DisableUUIDLogin to true in the config file and /reload if this is a problem.");
+ }
+
+ if (!Config.Settings.DisableLoginBeforeJoin)
+ {
+ Log.ConsoleError("!!! Login before join is enabled. Existing accounts can login & the server password will be bypassed.");
+ Log.ConsoleError("!!! > Set DisableLoginBeforeJoin to true in the config file and /reload if this is a problem.");
+ }
+
 _cliPassword = Netplay.ServerPassword;
 Netplay.ServerPassword = "";
 Config.Settings.ServerPassword = _cliPassword;
 }
+ else
+ {
+ if (!string.IsNullOrEmpty(Config.Settings.ServerPassword))
+ {
+ Log.ConsoleInfo("A password for this server was set in config.json and is being used.");
+ }
+ }
+
+ if (!Config.Settings.DisableLoginBeforeJoin)
+ {
+ Log.ConsoleInfo("Login before join enabled. Users may be prompted for an account specific password instead of a server password on connect.");
+ }
+
+ if (!Config.Settings.DisableUUIDLogin)
+ {
+ Log.ConsoleInfo("Login using UUID enabled. Users automatically login via UUID.");
+ Log.ConsoleInfo("A malicious server can easily steal a user's UUID. You may consider turning this option off if you run a public server.");
+ }
 // Disable the auth system if "setup.lock" is present or a user account already exists
 if (File.Exists(Path.Combine(SavePath, "setup.lock")) || (UserAccounts.GetUserAccounts().Count() > 0))
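Review bot: The "server password will be bypassed" `ConsoleError` warnings are emitted only inside the `Netplay.ServerPassword` (CLI) branch, so an operator whose password comes from config.json (the new `else` branch) and who has `DisableUUIDLogin` or `DisableLoginBeforeJoin` set to false gets only the softer `ConsoleInfo` notices, although the same bypass of the password applies in that case. Keying the warnings on whether a password is in effect after the CLI override, rather than on where it came from, also removes the two duplicated `DisableUUIDLogin`/`DisableLoginBeforeJoin` checks and the double reporting (an error line followed by an info line for the same setting) that occurs when a CLI password and UUID login are both set. If limiting the bypass warnings to the interactive-prompt password is deliberate, as the changelog entry suggests, a comment such as `// Bypass warnings are intentionally limited to the interactive-prompt password` at the top of the branch would make that explicit. The enclosing method starts before and ends after this hunk, and whether `/reload` re-runs these checks is not visible here.

```csharp
if (!string.IsNullOrEmpty(Netplay.ServerPassword))
{
	// … unchanged: config.json override warning and _cliPassword assignment …
}
else if (!string.IsNullOrEmpty(Config.Settings.ServerPassword))
{
	Log.ConsoleInfo("A password for this server was set in config.json and is being used.");
}

// Bypass warnings depend on whether any password is now in effect, not on where it came from.
bool passwordInEffect = !string.IsNullOrEmpty(Config.Settings.ServerPassword);

if (!Config.Settings.DisableUUIDLogin)
{
	if (passwordInEffect)
	{
		Log.ConsoleError("!!! UUID login is enabled. If a user's UUID matches an account, the server password will be bypassed.");
		Log.ConsoleError("!!! > Set DisableUUIDLogin to true in the config file and /reload if this is a problem.");
	}
	else
	{
		Log.ConsoleInfo("Login using UUID enabled. Users automatically login via UUID.");
	}
	Log.ConsoleInfo("A malicious server can easily steal a user's UUID. You may consider turning this option off if you run a public server.");
}

if (!Config.Settings.DisableLoginBeforeJoin)
{
	if (passwordInEffect)
	{
		Log.ConsoleError("!!! Login before join is enabled. Existing accounts can login & the server password will be bypassed.");
		Log.ConsoleError("!!! > Set DisableLoginBeforeJoin to true in the config file and /reload if this is a problem.");
	}
	else
	{
		Log.ConsoleInfo("Login before join enabled. Users may be prompted for an account specific password instead of a server password on connect.");
	}
}
```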