ReAuth

ReAuth

74M Downloads

Won't allow re-login suddenly due to update???

Gunner76th opened this issue ยท 6 comments

commented

2017-02-04_17 13 55
So I went to do a re-log on my client, and was met with this little message. Why do you have this mod set to force an update on the mod by disabling the ability to use it? This is the first mod I have ever seen to ever do this. IMO this is rather intrusive. At least provide a method of allowing the users the option to ignore the update alert and still use the mod. I am a server administrator, and I do not always have the time to update all the mods the instant that a new version is released. Now, because of this update, my users are unable to make use of this mod until I can push an update to the modpack.

Can you please remove this "feature" or provide a method of allowing users to acknowledge the update alert, but still be able to login???

commented

Also, what was the critical update details that is forcing this update? I looked at the change logs on curse for the last 2-3 updates, and nothing listed would be considered as critical.

commented

This screen tells me you are still on version 3.0 (if not something is broken ....) which means i has been displaying a green "Update Avaliable" message for more than 6 months ...

commented

Are you saying that the code that causes the mod to stop working when you publish an update you mark as "critical" no longer stops the mod from working? This version has been working perfectly fine up until a couple of days ago when I suddenly had users saying there were no longer able to renew their session with the button.

And as to the second part of the question posted above, what has changed since January 1 that was so critical that it is causing an older version of the mod to stop working? My understanding is that if something is fixed in a critical update, that change ought to be listed in the change log, and should be something that addressed an issue of security or stability. Seeing as neither the update for 3.4 or 3.4.1 list either of these, I am still curious as to what changes were made to the mod that caused you to send a signal to older versions indicating that they should no longer allow usage, and why this is being done.

From a user's standpoint, if you are able to send a signal to the mod that is accepting user's username and password to log into a service, that is able to shut down that mod to prevent its usage for some reason, what is to prevent you from also receiving information from that mod about the user's personal information? Yes I understand that you state that you have the source code available for review here on github, as well as supply a link to a decompiler as well, however the fact remains that you are doing something that can be seen as a possibility to steal user's information. As stated previously, this is the first mod I have ever seen since I started Minecraft in 1.5.2 that has ever allowed the mod author to send a signal that causes the mod to stop functioning when an update (critical or otherwise) was issued. ALL other mods do nothing more than, at most, display a chat message upon starting a world or connecting to a server that updates are available.

commented

The Problems with old versions are as follows:

  1. The jar-files are signed, where the signature expires after a certain period of time; after that period the validity of the signature can no longer be verified to the full extent
  2. I do not put smaller security changes onto curse (those who would understand them, will look at github most of the times)
  3. Something you use to login should be kept uptodate ...

Btw: why do your users need to wait for you to push an update?

commented

The disabling is part of the versionchecker which is controlled of this: https://github.com/TechnicianLP/ReAuth/blob/master/version file (the first version being the most recent version, the second one being the "allowed versionrange"). This was originally implemented to shut the mod down if i find a securityhole in it, to prevent damage to users.

commented

In general, users do not always know where their packs are installed or even how to manually update the mods within it. Also, depending on the mod in question, you can't just update the mod on the client and not on the server. Now while I do understand that this mod is a client only mod, if the user was to attempt to update this mod manually, and then either delete the wrong file, or not delete the old file at all, they would then be confused and asking for help about why their client is crashing.

In general, it is best to tell users of a modpack to never manually update any mod that they personally did not add to the pack so as to prevent further potential issues. Often times users do not take the time to read up on how to do things, case in point, on our profile page we explicitly state to visit the help page to address the 3 reasons that a pack might fail to load or crash. We give specific instructions on how to resolve each of those issues, the exact same instructions we give individuals if they come to us on Discord. At least 1-2 times a day I get a user log into our Discord (which they could only have done by visiting the web page for the pack) and asking for help that is already addressed on the web page. http://www.technicpack.net/modpack/sky-factory-3-custom.945414

If users are unable to do something as simple as read a big bolded first line for a pack, how can they be expected to do something like manually update mods in their own pack?

Thank you for the clarification about the "shutdown" part, and clarification as to how it actually functions as well as its purpose. This just struck me as concerning due to the fact I have never known a mod to do it, and this is a mod that as you say, uses your login details.