Client server model authentication

Discussion in 'Spigot Plugin Development' started by XlordalX, May 1, 2015.

  1. Hello,

    I am creating a client server model where BungeeCord is the server and the servers are the clients. This all works but I need something like an authenticator so not everyone can just connect to the server and send random data. I was thinking of sending an authentication request to the server and only allowing clients which are authenticated to send data to the server. With authenticating I do not mean having different accounts and such, there would only be one which each client would use to authenticate. Although I don't know if this is the best way to do it and if it's safe.

    Is this a good way to do it or should I do it in another way?

    Thanks in advance.
     
  2. You could just whitelist all the clients as you know what IP they will all be connecting from.
     
  3. This with a 2 step auth. For example, give them an unguessable password (just make it long enough), and on the first step send it to the server.

    Server checks this password, if valid, sends a random token which the client has to use to authenticate itself during further requests.

    This is in order to prevent IP spoofing. Note that the client password could as well be an API key or something alike, as long as the server and client are the only ones who know about it.
     
  4. (Just FYI: I already did your plugin in the past. It can be found here)
    I would prefer always sending a password with every packet!
     
  5. How would this random token prevent IP spoofing though?
     
  6. If you spoof your IP you won't be getting the response, as that goes to the IP you are spoofing. Thus, the attacker will never get the token. The attacker can still guess the token in his attacks, but giving the token a short TTL and/or limiting the amount of invalid requests from an IP will limit that a lot.
     
  7. Makes sense, thank you.
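The two-step scheme from posts 3 and 6 (shared secret, then a random short-lived token, with invalid attempts counted per IP) as an added server-side sketch in Java; this is example code written for this thread, not XlordalX's plugin or anything from BungeeCord. The class name, the secret value and the TTL/lockout numbers are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server side: shared secret -> short-lived random token, with a per-IP failure lockout. */
public class TokenAuthenticator {
    private final byte[] sharedSecret;          // same value configured on every client
    private final long tokenTtlMillis;          // short TTL shrinks the guessing window
    private final int maxFailures;              // invalid attempts allowed per source IP
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Long> tokenExpiry = new ConcurrentHashMap<>();   // token -> expiry time
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();   // ip -> invalid attempts

    public TokenAuthenticator(String secret, long tokenTtlMillis, int maxFailures) {
        this.sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
        this.tokenTtlMillis = tokenTtlMillis;
        this.maxFailures = maxFailures;
    }

    /** Step 1: client sends the shared secret; returns a fresh token, or null when rejected. */
    public String login(String ip, String presentedSecret) {
        if (failures.getOrDefault(ip, 0) >= maxFailures) return null;   // IP is locked out
        byte[] presented = presentedSecret.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(sharedSecret, presented)) {          // constant-time comparison
            failures.merge(ip, 1, Integer::sum);
            return null;
        }
        byte[] raw = new byte[32];
        random.nextBytes(raw);                                          // 256 random bits: not guessable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenExpiry.put(token, System.currentTimeMillis() + tokenTtlMillis);
        failures.remove(ip);                                            // successful login clears the counter
        return token;
    }

    /** Step 2: every later packet carries the token; unknown, expired or guessed tokens are rejected. */
    public boolean authorize(String ip, String token) {
        if (failures.getOrDefault(ip, 0) >= maxFailures) return false;
        Long expiry = token == null ? null : tokenExpiry.get(token);
        if (expiry != null && expiry > System.currentTimeMillis()) return true;
        if (expiry != null) tokenExpiry.remove(token);                  // expired: forget it
        failures.merge(ip, 1, Integer::sum);                            // count the invalid attempt
        return false;
    }
}
```

In a plugin the `ip` argument would be the remote address of the connection that delivered the packet, and `login` would only be called on the first message of a connection; a spoofed-source client never receives the token returned by `login`, which is the point made in post 6.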