Перейти к содержимому
Mineforgian

Login+

Best new gen auth plugin to your servers !

Загрузки
159
Подписчики
1
Обновлён
10 июня 2026 г.
Лицензия
All-Rights-Reserved

Опубликован 10 июня 2026 г.

🔐 Login+

Register once, stay protected forever. Login+ is a modern authentication plugin for offline-mode servers — passwords, sessions, free 2FA and full account protection in one jar for Spigot/Paper 1.8.8 → 1.21+.

Written in Kotlin, runs fully server side, so every client and every client version is supported. No mods, no datapacks, no paid services — drop the jar in, restart, done.

🛡️ Your players' passwords are protected with Argon2id — winner of the Password Hashing Competition and OWASP's #1 recommendation. Its memory-hard design makes large-scale GPU brute-force attacks impractical. Passwords are never stored as readable text — not even the server owner can recover them.


✨ Features

  • 🔑 Argon2id password hashing — the strongest password protection available today, with OWASP-baseline defaults you can raise in the config
  • ⏱️ Sessions — reconnect within 15 minutes (configurable) from the same IP and skip the login. Survives server restarts
  • 📱 Free 2FA — three flavours:
    • Google Authenticator (TOTP) — works 100% offline, the QR code is rendered on an in-game map item for easy scanning
    • Discord — your own bot DMs the login code
    • Telegram — your own bot sends the login code
  • 🚨 Security alerts — players with Discord/Telegram linked get warned about new-IP logins, brute-force attempts and password changes — even while offline
  • 🙈 Console password shield/login and /register are intercepted so passwords never appear in the console or log files
  • 🧱 Full freeze before login — no moving, chatting, commands, damage, inventory or item pickup; optional blindness and spawn teleport that hides base coordinates from stream snipers
  • 🤖 Anti-bot & brute-force protection — per-player attempt limits, per-IP lockouts, join-flood lockdown, username regex filter, per-IP account limits
  • 🎭 Anti-impersonation — kicks NoTcH if the account was registered as Notch, blocks duplicate names, optional UUID checks
  • 💎 Premium mode/premium lets verified Mojang accounts skip the password (only when the connection can actually be verified — Login+ never pretends)
  • 📧 E-mail recovery — forgot the password? A one-time code is mailed via your own SMTP mailbox. 2FA still applies after recovery
  • 🌍 Country filter — whitelist or blacklist joins by country
  • 🌐 Proxy ready — works behind Velocity, BungeeCord and Waterfall; with shared MySQL, sessions carry across backend servers (no re-login when switching). Login+ checks your forwarding setup on startup and prints hints
  • 🔊 Sound feedback — level-up chime on success, buzzer on wrong password (cross-version safe)
  • 🗄️ SQLite out of the box, MySQL for networks — with automatic scheduled backups
  • 🌏 Fully translatable — clean English and Russian message files included

⚙️ Commands & Permissions

Command Permission Short Description
/register <pass> <pass> loginplus.player.register Create an account
/login <pass> (alias /l) loginplus.player.login Log in
/logout loginplus.player.logout Log out and lock the account
/changepassword <old> <new> loginplus.player.changepassword Change password
/unregister <pass> loginplus.player.unregister Delete own account
/2fa setup <totp|discord|telegram> loginplus.player.2fa Enable two-factor auth
/2fa <code> loginplus.player.2fa Enter the code during login
/email set <address> loginplus.player.email Bind a recovery e-mail
/email recovery loginplus.player.email Recover a forgotten password
/premium / /freemium loginplus.player.premium Toggle Mojang auto-login
/loginplus <reload|forcelogin|unregister|info> loginplus.admin Admin commands

All player permissions default to true; admin commands default to OP.


🚀 Quick Start

  1. Drop the jar into /plugins and restart the server.
  2. Players run /register <password> <password>, then /login <password> next time.
  3. (Optional) Enable free 2FA, e-mail recovery and more in config.yml — every option is documented right in the file.

Setting up the 2FA bots (both 100% free)

  • Telegram: message @BotFather/newbot → copy the token into config.yml. Players run /2fa setup telegram.
  • Discord: discord.com/developers/applicationsNew ApplicationBot → copy the token into config.yml. Players run /2fa setup discord <their user ID>.
  • Google Authenticator: nothing to set up — players just run /2fa setup totp and scan the QR map. Works offline.

🌐 Running behind Velocity / BungeeCord / Waterfall

Login+ runs on your backend (Spigot/Paper) servers and fully supports proxy networks:

  1. Enable IP forwarding on both sides (proxy and backend).
  2. For multi-server networks set storage.type: MYSQL and point every backend at the same database — players switching servers stay logged in seamlessly.
  3. Firewall the backend ports so players can only connect through the proxy.

Login+ verifies the forwarding configuration on startup and prints console hints if something looks wrong.


💡 Some Advice

  • Login+ is built for offline-mode servers — for example, the backend servers behind a Velocity, BungeeCord or Waterfall proxy, where Minecraft's own account verification is turned off and a login plugin is what keeps every account secure. Pure online-mode (premium) servers are already verified by Mojang, so they don't need a login plugin.
  • Avoid /reload; restart the server instead.
  • Honest security note: /premium only activates when Mojang really verified the connection (online-mode server or online-mode proxy with modern forwarding). On a plain offline-mode server there is nothing to verify, so it politely refuses instead of pretending to be secure.

Ченджлог

1.0.0Релиз26.1, 26.1.1, 26.1.2 · 10 июня 2026 г.

Комментарии

Загружаем…