This update adds built-in fake limbo support and improves Bungee-side premium/cracked account handling.
Added
- Built-in fake limbo mode for Bungee-only authentication
- AuthMePlus can now start an internal NanoLimbo-based fake limbo server inside the proxy
- No separate Paper/Spigot auth server is required when using built-in limbo mode
- Bungee-side /premium command
- Bungee-side /cracked command
- Automatic premium login on proxy join
- New premium.auto-login message
Built-In Limbo
- Unauthenticated players can now be sent to an internal fake limbo server
- Built-in limbo is dynamically registered in the Bungee server list
- Players stay in limbo until they login or register
- After successful login, players are sent to their last server or fallback server
- Normal auth-server mode is still fully supported
Limbo Configuration
limbo:
mode: "BUILTIN"
builtin:
server-name: "auth1"
bind-host: "127.0.0.1"
bind-port: 25570
max-players: 500
info-forwarding: "LEGACY"
Use SERVER mode to keep the classic external auth server setup:
limbo:
mode: "SERVER"
Premium Auto Login
- Players marked as premium are now automatically authenticated when they join
- AuthMePlus creates a Bungee session automatically for premium accounts
- Premium players are sent directly to their last server or fallback server
- If premium-resolver.yml is enabled, AuthMePlus checks the player name with the Mojang API before auto-login
- If the name is detected as cracked, the player must login normally
- If the resolver denies the request, the player is disconnected with the resolver reason
New Message
premium:
auto-login: "&aPremium account detected. You were logged in automatically."
Changed
- Improved unauthenticated player routing
- Players can no longer switch to lobby/game servers before logging in
- /logout now sends the player back to the auth/limbo server
- network.yml auth server handling now supports built-in limbo targets
- Proxy auth-state forwarding now works after premium auto-login
- Existing backend auth server setups continue to work
- Added new proxy-side operation modes: BUNGEE_ONLY, HYBRID_PROXY, and ROUTING_ONLY.
- Added true Bungee-only authentication support with /login, /register, /logout, sessions, command/chat blocking, and auth-server routing.
- Fixed Minecraft 1.8.8 plugin messaging compatibility by replacing long channel names with a short legacy-safe channel.
- Improved Java 21 compatibility while keeping Java 8 bytecode target.
- Bundled required SQLite, MySQL, and BCrypt runtime libraries into the plugin JAR.
- Fixed SQLite startup/database initialization issues.
- Fixed backend/proxy config naming inconsistencies.
- Improved Bungee-side config loading without depending on Bukkit classes.
- Added configurable proxy auth behavior through bungee-config.yml.
Note: Bungee-only mode does not include Bukkit-only visual features such as particles, sounds, potion effects, or backend movement blocking. Those remain available in hybrid/backend installs.
AuthmePlus — v1.0.0-STABLE
Release Date: April 4, 2025
Compatibility: 1.8.x – 1.21.x
Requires: Java 11+, Spigot/Paper, BungeeCord/Waterfall
⚠ Important
You must change the shared-secret in backendguard.yml before production use.
The default value is publicly known and insecure.
Security Updates
✔ Session system fully secured
- Sessions now use UUID instead of player name
- Prevents account/session hijacking on cracked servers
- Thread-safe storage using ConcurrentHashMap
✔ Proxy token system fixed
- Secret is now properly loaded from config
- Removed hardcoded fallback
- Warning shown if default secret is used
✔ BackendGuard stability fix
- Removed runtime mutation of requireProxyToken
- Eliminates race condition that could disable protection
✔ Brute-force protection improved
- Attempts now tracked per UUID
- Thread-safe handling with synchronized access
Bug Fixes
✔ Async thread safety issues resolved
- Replaced unsafe HashMap usage
- Now uses ConcurrentHashMap + atomic counters
✔ Memory leak fixed (BungeeCord)
- lastServer map cleaned on disconnect
✔ Cross-platform compatibility fix
- Removed Bukkit-only classes from shared modules
- Prevents NoClassDefFoundError on proxy
✔ Listener registration fixed
- Missing listeners now properly registered:
- BungeeNetworkListener
- LoginCompleteListener
New Features
✔ Automatic server reconnect after login
- Players return to their last server after /login
- Falls back to configured server if unavailable
- Controlled via network.yml
✔ LoginCompleteListener (Proxy-side)
- Handles secure login completion messaging
- Validates backend origin
- Routes players automatically
⚙ Improvements
- Detailed documentation added to network.yml
- Startup warning if default secret is used
- Plugin messaging channel (authmeplus:logincomplete) fully registered on both sides
Summary
This release focuses on:
- Critical security fixes
- Thread safety improvements
- Proper BungeeCord integration
- Seamless post-login experience
Fixed background and more stability with bungeecord!
Temporarily disabled due to license key server updates and database updates.
