v1.2.1 - LuckPerms friendly.
- Fires AsyncPlayerPreLoginEvent during premium auth so LuckPerms / DiscordSRV / ban plugins load data correctly
- 🪪 Auto-migrates LuckPerms data when an account upgrades to premium UUID (no more "different UUID" warnings)
- 🛡 Keeps all ranks, groups, and permissions seamlessly across the offline → premium switch
Drop-in update. No config changes.
v1.2.0 - Premium done right.
- Real Mojang handshake - any launcher with a paid account works
- ⚠ Confirmation menu before enabling Premium (no more lockouts)
- 🛡 Patched a critical account takeover vulnerability
- Auto-migration of offline accounts to premium UUIDs
Requires: ProtocolLib. Drop-in update.
v1.1.2 - Lobby Compatibility & GUI Hardening
- Lobby compatibility: DGlogin no longer touches player inventories. Lobby/hub/kit plugins now work properly alongside it.
- GUI hardening: Added defensive protection against other plugins that might interfere with the settings GUI.
v1.1.1 - Critical Security Fix
🛡 Patched: GUI Item Theft
A vulnerability was discovered where authenticated players could remove decorative items from the settings GUI (/dgl) and place them into their own inventory using shift-click, drag, hotbar swap, or other inventory manipulation actions.
The previous code only blocked inventory interactions for unauthenticated players. Since the settings GUI is opened by authenticated players, the protection was incomplete.
All inventory manipulation in plugin GUIs is now blocked - clicks, drags, shift-clicks, hotbar swaps, double-click collection, and drop actions. The fix applies to the settings GUI, login history GUI, and captcha GUI.
Update Recommended
All server owners using v1.1.0 should update to v1.1.1. No config or database changes - drop-in replacement.
Thanks to the player who reported this issue.
v1.1.0 - The Big Feature Update
7 new features. Multiple fixes. One massive update.
New Features
Two-Factor Authentication (TOTP)
DGlogin now supports industry-standard TOTP 2FA - compatible with Google Authenticator, Authy, Microsoft Authenticator, and any RFC 6238 compliant app.
RFC 6238 compliant. No external dependencies. Runs entirely server-side.
- Toggle 2FA on/off from the in-game settings GUI
- Setup gives you a Base32 secret key + clickable QR code link
- Click the link to open the QR code in your browser, or click to copy the otpauth:// URL
- On login: enter password, then a 6-digit code from your app
- 30-second time window with ±1 step tolerance for clock drift
- Premium auto-login bypasses 2FA (verified by Mojang anyway)
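The verification rule described in this list (Base32 secret, 6-digit code, 30-second step, ±1 step tolerance), written out as an added example in Python; it is not DGlogin's code. HMAC-SHA1 is assumed because it is the RFC 6238 default, and the `last_used_step` replay check, the per-account storage it implies and all function names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (from the changelog)
DIGITS = 6   # code length (from the changelog)
WINDOW = 1   # accept +/-1 step for clock drift (from the changelog)


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret as a user types it: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 (assumed), dynamic truncation, DIGITS digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, now: float, last_used_step: int = -1):
    """Return the time step the code matched, or None if it is rejected.

    Steps at or below last_used_step are refused, so a code that was already
    accepted cannot be replayed while it is still inside the drift window.
    The caller stores the returned step per account (assumed storage).
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    key = decode_secret(secret_b32)
    current = int(now) // STEP
    for step in range(max(0, current - WINDOW), current + WINDOW + 1):
        if step <= last_used_step:
            continue
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(hotp(key, step), code):
            return step
    return None


# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(verify(SAMPLE_SECRET, "287082", now=59))  # RFC vector at T=59, step 1
```

With a ±1 tolerance each code is acceptable for up to 90 seconds, which is why the sketch records the last accepted step instead of relying on expiry alone.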
Login History GUI
A new button in the settings GUI lets players review their last 10 login events. Each entry shows the type (login, premium login, session, failed, register), timestamp, and masked IP. Color-coded by event type for instant readability.
⏱ AFK Auto-Kick
Optional feature that kicks unauthenticated players who haven't moved or clicked for X seconds. Independent of login-timeout - useful for high-traffic servers wanting to free up slots from inactive connections. Disabled by default.
Whitelist Mode
Restrict who can register new accounts on your server. Existing players are unaffected.
Code:
/dglogin whitelist on - Enable whitelist mode
/dglogin whitelist off - Disable whitelist mode
/dglogin whitelist add <player> - Add a player
/dglogin whitelist remove <player> - Remove a player
/dglogin whitelist list - View all whitelisted players
Welcome Messages
Configurable multi-line welcome messages shown after successful login. Supports {player} and {logins} placeholders. Fully customizable in config.yml.
PlaceholderAPI Integration
Soft-dependency on PlaceholderAPI. When installed, exposes 10 placeholders:
Code:
%dglogin_registered% - yes/no
%dglogin_authenticated% - yes/no
%dglogin_logins% - total login count
%dglogin_last_login% - last login timestamp
%dglogin_registered_date% - registration date
%dglogin_ip% - last IP address
%dglogin_premium% - yes/no
%dglogin_premium_autologin% - yes/no
%dglogin_session_enabled% - yes/no
%dglogin_2fa_enabled% - yes/no
Use these in scoreboards, tab lists, holograms, NPCs, anywhere.
Update Checker
Automatically checks SpigotMC for newer versions on startup. Logs notification to console if an update is available. Configurable resource ID; can be disabled in config.
Fixes & Improvements
- Premium verifier now caches results for 30 seconds - no more hammering Mojang on rapid reconnects
- Duplicate name check now uses getPlayerExact (O(1) instead of O(n)) - better performance on large servers
- Cooldown map now self-cleans every 5 minutes - no more memory leak over time
- Log filter properly disabled on plugin reload - clean lifecycle
- Fixed unsafe Player cast in placeholder system
- 2FA QR code link is now properly clickable (no more URL truncation in chat)
Full Changelog
Code:
+ Two-factor authentication (TOTP) with Google Authenticator support
+ Login history viewer in settings GUI (last 10 events)
+ AFK auto-kick for unauthenticated players
+ Whitelist mode with admin commands
+ Configurable welcome messages with placeholders
+ PlaceholderAPI integration (10 placeholders)
+ Automatic update checker via SpigotMC API
* Premium verification cached for 30 seconds
* Performance: O(1) duplicate name lookup
* Memory: cooldown map self-cleanup
* Memory: log filter properly handled on disable
* Fixed unsafe Player cast in placeholder system
* Fixed clickable QR code link in 2FA setup
Migration
Database auto-migrates from v1.0.x. Just drop the new JAR in. The config.yml has new sections - either delete the old config to let it regenerate, or copy the new sections from the example.
Supported versions: 1.20.x, 1.21.x, 26.1.x
Soft-dependencies: PlaceholderAPI (optional)
v1.0.3 - MC 26.1 Support + Security Hardening
Now supporting 1.20.x, 1.21.x, and 26.1.x
What's New
Minecraft 26.1.x Support
DGlogin now officially supports the latest Minecraft release - 26.1 Tiny Takeover. The plugin works across three major version ranges with a single JAR:
- 1.20.x - 1.20, 1.20.1, 1.20.2, 1.20.4, 1.20.6
- 1.21.x - 1.21 through 1.21.11
- 26.1.x - 26.1, 26.1.1, 26.1.2+
Compiled with Java 21, fully compatible with Java 25 (required by MC 26.1). No separate builds needed.
Password Console Censoring
Spigot logs every player command to the server console - including passwords in plaintext. If someone types /login mypassword, anyone with console access could see it:
Code:
BEFORE: [INFO] Player issued server command: /login mypassword
AFTER: [INFO] Player issued server command: /login ****
DGlogin now intercepts all password commands and replaces the arguments with **** before they reach the log. This applies to:
- /login, /l
- /register, /reg
- /changepassword, /changepw, /cpw
- /unregister, /unreg
Your players' passwords never appear in console, log files, or any monitoring tool.
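The masking step described above, as an added example in Python; it is not DGlogin's code. The function and constant names are hypothetical, and the handling of Bukkit's namespaced `/plugin:command` form goes beyond what the changelog states.

```python
import re

# Commands and aliases the changelog lists as carrying passwords.
PASSWORD_COMMANDS = {
    "login", "l", "register", "reg",
    "changepassword", "changepw", "cpw",
    "unregister", "unreg",
}

# Text that precedes the command in the console line shown in the changelog.
MARKER = "issued server command: "

# "/cmd args" or the namespaced "/plugin:cmd args" form Bukkit also accepts.
COMMAND_RE = re.compile(
    r"(?P<head>/(?:[\w-]+:)?(?P<cmd>[\w-]+))(?P<args>[ \t]+\S.*)?$"
)


def censor(line: str) -> str:
    """Mask the arguments of password commands in one console line.

    Expects a single line without a trailing newline. Every argument is
    collapsed into one "****", so the output also hides how many arguments
    were typed (for example old and new password).
    """
    idx = line.find(MARKER)
    if idx < 0:
        return line  # not a command log line
    cut = idx + len(MARKER)
    m = COMMAND_RE.match(line[cut:])
    if m is None or m.group("args") is None:
        return line  # no arguments, nothing to hide
    # Command names are matched case-insensitively and as whole words,
    # so "/LOGIN pw" is masked but "/loginhelp topic" is left alone.
    if m.group("cmd").lower() not in PASSWORD_COMMANDS:
        return line
    return line[:cut] + m.group("head") + " ****"


# Constructed sample line, in the format shown in the changelog.
SAMPLE = "[INFO] Player issued server command: /login mypassword"

if __name__ == "__main__":
    print(censor(SAMPLE))
```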
Tab-Completion Blocked
All commands that accept passwords no longer show tab-completion suggestions. Previously, the tab system could leak partial input or suggest player names as password arguments. Now these commands return an empty suggestion list - nothing to leak.
Full Changelog
Code:
+ Added official MC 26.1.x support (Tiny Takeover)
+ Passwords censored from server console logs (replaced with ****)
+ Tab-completion disabled on all password commands
* Compiled with Java 21, compatible with Java 25
* No config changes required - drop-in replacement for v1.0.2
Supported Versions
Code:
1.20 - 1.20.6
1.21 - 1.21.11
26.1 - 26.1.2+
No config changes needed. Just replace the old JAR and restart.
Major update with a completely rebuilt captcha system, broader version support, and multiple fixes.
New Multi-Step Code Captcha
The old "find the green dye" system has been replaced with a much more robust 3-digit code captcha:
- A random 3-digit code is displayed in the GUI title (e.g. "Captcha » 4 - 7 - 2")
- 9 colored number items (1-9) are scattered among filler glass panes in a 54-slot GUI
- Each number item has a stack size matching its digit (so digit 7 shows as a stack of 7) for quick visual identification
- Player must click the 3 correct numbers in the correct order
- After each correct click, all positions reshuffle and the title updates (completed digits turn green, current digit is yellow)
- Clicking a wrong number resets everything with a completely new code
- 5 failed resets = kick
- GUI cannot be closed - it reopens immediately if the player tries
The previous captcha could be bypassed with a simple Forge mod scanning the inventory for GREEN_DYE. The new system requires reading the GUI title, correlating it with scattered inventory items, and executing 3 sequential clicks with positions changing between each one.
1.20.x Support
- Now supports all versions from 1.20.x to 1.21.x
Reduced JAR size from ~12MB to under 200KB by removing the bundled SQLite driver (Spigot/Paper/Purpur already include it). No functionality changes - everything works exactly the same, just a much lighter plugin.
Changes:
- Removed bundled sqlite-jdbc (~11MB of native binaries) - uses the server's built-in driver instead
- Removed stale temp-ban config options and messages
- Removed unused imports
- Fixed PlayerInteractEvent not blocking all interaction types for unauthenticated players
- Made database connection handler thread-safe
- GUI now respects config size with a minimum of 45 slots
Fully compatible with Spigot, Paper, Purpur, Pufferfish, and all major forks.
