Just found the plugin, my team and I are extremely excited about it and I'm moving quickly to set it up and release it to the community.

I would like to completely move from Dynmap to BlueMap, but I need to hide some staff worlds from normal players. Similar to Dynmap, it would be great if admins could control access to maps with ingame permissions. So for example:

• Player requests to register with ingame command
• A registration link with a unique key is displayed to the player
• Player completes registration on website, and using the unique key, the plugin ties the player's uuid to the account
• When the player logs in to BlueMap, the plugin would check ingame permissions for which maps the player has access to (i.e. bluemap.map.)
  • Permission only required if protected option is set to true in map config
• Player can request a password change link from ingame (cause I know my staff will lock themselves out within a couple days)

Thank you for considering this request and for making this amazing plugin!

I understand, just two follow up questions:

• Can you think of any alternative short term solutions to hide my staff worlds? A separate instance maybe? I can't symlink active worlds into another server, so if BlueMap requires the map to be loaded on the server, I'd have to periodically copy and re-render, right? At which point I'd just stick with dynmap for the staff worlds. If you have any other ideas I'd appreciate it.
• Could the webserver be written in Java (i.e. Spring) instead of PHP?

• An alternative solution i would think of is rendering the admin-worlds (and possibly updating using a cronjob) with the CLI version of bluemap into another web-root/subfolder and hosting and protecting that with nginx/apache. However you'd not have live player-markers on those staff worlds then..
• The current built-in webserver is written in Java and I'd personally like to do that exclusively, but there are a lot of people that want to host their maps on nginx / apache without proxying the java webserver.. I am still thinking about a good solution for this, also because i need to consider how to add better support for bungee-servers..

So, i have two arguments against implementing this:

1. BlueMap's web-client is currently based on pure html/js, no php-scripts are needed. This is beneficial because this makes BlueMap's web-client really easy to use and i don't have to write php-scripts to support external webservers and i don't have to have a lot of extra-logic for the internal-webserver.
   This might change in the future due to the popular request of adding sql-support but i still want to avoid this as much as possible.
2. Adding a registration and protection is an advanced feature for more professional servers that also is security-relevant.
   This means it needs a LOT of maintenance and testing. It also introduces a ton of new possibilities for additional features, bugs and suggestions. I already have a huge TODO-list so i have to draw a line somewhere:

I want to have BlueMap as an easy to use plugin for smaller servers with some configurability but a more or less fixed feature-set. And for bigger servers, i want BlueMap to be less like an alround-solution and more like a library that their developers can extend on.

I am currently rewriting the web-app and try to make it as library-like as I can, so developers can extend it in any way they want and make it perfect for their servers. I also want to extend BlueMap's API for stuff like that. This means if you want a registration for the map, your developers will (hopefully) eventually be able to make a plugin for the registration-commands / permissions, and extend the web-app for the login and showing the correct maps.

Got it all working and protected with nginx basic auth, discarded the iframe idea. Thank you very much!

Oh I missed the CLI version, very cool. Can the CLI webserver use the live world folder, or would I have to have a cronjob to update a copy? Also, would iframing the CLI webserver into my staff portal work?

This sounds like a great solution, thank you!

The CLI works perfectly fine on the live world-folder :)
I am sure iframing works generally, but you need to see how you implement the protection .. since you can always open an iframe directly as well if you know the url ^^