Delay Floodgate name checks on BungeeCord

[Smart123s]

Summary of your change

The FloodgateApi returns null at PreLoginEvent so all Floodgate related checks have to be done at LoginEvent.

Related issue

Fixes #603
Fixes #616

Why Draft?

• No one else has reported the issue, so there's no way to verify if it also affects other users.
• This is a fast workaround, so code quality is not the best. Please notify me about the necessary changes.
  I especially don't like how I had to create a new class for BungeeFloodgateLoginSource, which is only used by
  https://github.com/games647/FastLogin/blob/a46a5fb6116e3798689af53ae2ca75af7b1719ae/bungee/src/main/java/com/github/games647/fastlogin/bungee/listener/ConnectListener.java#L159-L160
• Because of
  https://github.com/games647/FastLogin/blob/a46a5fb6116e3798689af53ae2ca75af7b1719ae/bungee/src/main/java/com/github/games647/fastlogin/bungee/listener/ConnectListener.java#L132
• The skipped Floodgate checking code is still in core, it's just made unreachable via a return statement.
  It was easier to make it stay there for now, because on Bukkit, there are two Protocol plugins, and both of them have to run the Floodgate checks.

[EnriqueGF]

Summary of your change

The FloodgateApi returns null at PreLoginEvent so all Floodgate related checks have to be done at LoginEvent.

Related issue

Fixes #603

Why Draft?

• No one else has reported the issue, so there's no way to verify if it also affects other users.
• This is a fast workaround, so code quality is not the best. Please notify me about the necessary changes.
  I especially don't like how I had to create a new class for BungeeFloodgateLoginSource, which is only used by
  https://github.com/games647/FastLogin/blob/a46a5fb6116e3798689af53ae2ca75af7b1719ae/bungee/src/main/java/com/github/games647/fastlogin/bungee/listener/ConnectListener.java#L159-L160
• Because of
  https://github.com/games647/FastLogin/blob/a46a5fb6116e3798689af53ae2ca75af7b1719ae/bungee/src/main/java/com/github/games647/fastlogin/bungee/listener/ConnectListener.java#L132
• The skipped Floodgate checking code is still in core, it's just made unreachable via a return statement.
  It was easier to make it stay there for now, because on Bukkit, there are two Protocol plugins, and both of them have to run the Floodgate checks.

Hello,

I'm experiencing the same issue, in my case a Floodgate player is never auto logged.

I tried several times implementing your changes, but is still not working for me.

I also tried to git clone your git repository with the fix branch of this but it takes no effect for me ingame.

Could you add me to Discord? EnriqueGF#0977

Thank's you for all.

[Smart123s]

Ok, I've added you.

[EnriqueGF]

Ok I talked with @Smart123s about this.

I tried the changes but it doesn't work only if name checking is enabled.

The console throws something like "User connected through Floodgate, name conflicts will be checked later" but this never happens and the user is not logged in.

With name checking disabled, all is fine.

[Smart123s]

I have come up with some ideas today on how to resolve the unticked points in the original PR message. I'll hove some tests this week, but I'll have free time after them, so I'm planning to get to coding on the weekend, and get something done by at least early next week.

The changes / the new stuff

• Because the Floodgate API is proven to be unstable at low level checks (insert bug reports here), the Geyser API will be used to perform all checks done at JoinManagement. To prevent unauthorized access to the server, further checks will have to be done, to verify, if Geyser is actually using Floodgate to authenticate it's users. Geyser has three modes of authentication:

  • Online: They are authenticated through Mojang's servers, so they should be treated as a Premium Java players. If I remember correctly, Floodgate prefixes are only available for Floodgate, so they naturally won't have to be checked here.
  • Floodgate: Geyser will kick players, if they fail Floodgate authentication, so we won't have to worry about that. Name conflict checks should be preformed. Details on that later. The current implementation assumes that Floodgate is used, and not the other two types of auth methods.
  • Offline: Geyser players should be treated as cracked players.

  Additionally, Geyser players are still unable to reply to Encryption Packets (Premium Java Authentication requested by FastLogin), regardless of the authentication method used by Geyser. Actually, they can, and they should.

• Because Floodgate prefixes are inconsistent, especially at low level checks (because Floodgate inserts the prefixes on the same level as JoinManagement operates, their code might run before or after ours). Because no kind of unique identifier is available at that point of the authentication process, we must resort to identifying players by name. To circumvent the inconsistency of prefixes, all name checks at JoinManagement will be done without prefixes. This might bring up some problems, if there's already a prefixed (Floodgate) player online, and a Java player is connecting (and in some other cases, I'll think through that when I'll have more time), so some further checks will have to be done, to verify that the currently connecting player is not misidentified as another player with the same name. To achieve this:

• I'm hoping Bukkit.getOnlinePlayers() and it's bungee equivalent doesn't contain players at that early stage of the login procedure. This could be used, to detect if there's name conflict between a Java player, and a player with the prefix temporarily removed.

• Create a list of players that have started the authentication process via FastLogin (at JoinManagement), but have not been added to Bukkit.getOnlinePlayers() yet. If the list has the same names twice, kick both of them. This will prevent attacks, that would try to abuse connecting from Java and Bedrock at the same time.

I have decided to re-write this PR, because of

• It'll be easier to thank hacking the pending commits into the changes of a3bf875 (which is awesome btw 🚀)
• The list of the changes above is quite long, and this PR was written without those in mind

Notes

I've just written up my thoughts here as quick as I could, and as a result, I couldn't write any code samples on what I'm talking about. Some of them may not be 100% correct, or might miss out important details that could cause problems.

EDIT: If auth-type is not floodgate in Geyers's config, then the players can replay to Encryption Packets.