AuthMe Reloaded

Account registered per IP can be bypassed

joagar21 opened this issue · 7 comments

commented

Before reporting an issue make sure you are running the latest build of the plugin and checked for duplicate issues!

What behaviour is observed:

What happened?
Account registered per IP can be bypassed

What behaviour is expected:

What did you expect?
Only 1 account should be registered per IP.
The account limit per IP is set to 1 in the config.

Steps/models to reproduce:

The actions that cause the issue
Register a cracked account first, then use a premium account, or the other way around.

Plugin list:

This can be found by running /pl

Environment description

Standalone server/Bungeecord network, SQLite/MySql, ...
BungeeCord network and MySQL

AuthMe build number:

This can be found by running /authme version
AuthMeReloaded v5.6.0-SNAPSHOT (build: 2337) in the hub server
AuthMeBungee-2.2.0-SNAPSHOT in the bungeecord network

Error Log:

Pastebin/Hastebin/Gist link of the error log or stacktrace (if any)
No errors

Configuration:

Pastebin/Hastebin/Gist link of your config.yml file (remember to delete any sensitive data)

commented

Both of their registration IPs are NOT 127.0.0.1 in the database, but their IP is the same.
Nope, tbh they don't have any AuthMe permission and none of my players has any AuthMe perm.
I don't use any other login plugin.

commented

If the registration IP is 127.0.0.1 in the database the check won't be performed (you can view player data with /authme debug), or if you register an account with a user that has many permissions it might be that the permission node to turn off this check was unintentionally also given to the user. https://github.com/AuthMe/AuthMeReloaded/blob/master/docs/permission_nodes.md

Failing that, is it important that one is cracked and one isn't? Because if so I'm wondering if you're using FastLogin or something?

commented

Might be that you configured the check to be skipped or something. You didn't provide your config so it's a shot in the dark.

commented

It's working fine with the others, it blocked them from registering, so it's working fine..
Here's the config: https://pastebin.com/8FXazrLU

commented

I don't understand, if it's working fine for everyone else can't it be that temporarily there was some config issue / that user had the permission node / it was a weird migration of a database / there was admin intervention in registering the second account?

commented

well idk but u can try those steps to bypass and see it for yourself

commented

wdym can't reproduce? It's really working, it can be bypassed