Skip to content

Configuration

Ded3ec edited this page Feb 8, 2026 · 4 revisions

๐Ÿ›ก๏ธ AuthCore Configuration Guide

Welcome to the AuthCore configuration bible! This file controls the brains, brawn, and paranoia levels of your server's login system.

Whether you want a casual SMP where friends can join easily, or a digital fortress that requires a retinal scan (metaphorically speaking), this is where you make it happen.

โš ๏ธ Note: This configuration file usually generates as config/authcore/settings.conf or similar in your config folder. Always restart your server OR (/authcore reload) after making changes!


๐Ÿ“‹ Table of Contents

  1. General & Debugging
  2. Session Settings
  3. Password Security Policy
  4. Database Connection
  5. Lobby & Limbo Restrictions
  6. Command Permissions

๐Ÿž General & Debugging

Basic housekeeping settings.

Config Option Short Name Description & Humor Default Recommendation
version The "Do Not Touch" Internal versioning for migrations. Scenario: You change this manually. Result: The plugin breaks, and the developer cries. "1.0.0" Do NOT edit.
debug-mode Spam Console Enables verbose logging. Great for fixing bugs, terrible for reading your console.
Scenario: Players can't login and you don't know why -> Set to true.
false false (unless troubleshooting)

โฑ๏ธ Session Settings

This section controls the flow of logging in, staying logged in, and getting kicked out.

Authentication Security

Found under session.authentication.

๐Ÿ” Login & Registration Logic

  • max-login-attempts
    • Short Name: Fat Finger Limit
    • Description: How many times a player can fail their password before gettings kicked.
    • Default: 8
    • Scenario: Set to 3 if you want to punish typos severely.
  • allow-bedrock-players
    • Short Name: Geyser Gate
    • Description: Allows Bedrock/Floodgate formatting.
    • Default: false
    • Scenario: Enable this if you use GeyserMC.
  • look-up-by-username
    • Short Name: Unique Names Only
    • Description: If true, allows unique usernames only. If false, supports multiple UUIDs for the same name (weird, but okay).
    • Default: false
  • premium-auto-login
    • Short Name: The VIP Pass
    • Description: Skips auth for legitimate Mojang accounts.
    • Default: true
    • Recommendation: Keep true for Hybrid servers. It saves premium players a headache.
  • premium-auto-register
    • Short Name: Ghost Registration
    • Description: Generates a random password for premium users so they are registered in the backend automatically.
    • Default: true
  • allow-proxy-users
    • Short Name: VPN Blocker
    • Description: Allow connections from known proxies/VPNs.
    • Default: false
    • Scenario: Keep false to stop bot attacks from cheap proxies.
  • offline-mode-by-default
    • Short Name: Guilty Until Proven Innocent
    • Description: Treats unknown usernames as offline-mode players requiring login.
    • Default: false
  • register-password-confirmation
    • Short Name: The Double Typo Check
    • Description: Forces users to type password twice during register.
    • Default: true
  • allow-login-after-registration
    • Short Name: Instant Entry
    • Description: Logs them in immediately after registering.
    • Default: true
  • allow-cracked-premium-names
    • Short Name: Identity Theft
    • Description: Allows offline-mode launchers to use the names of paid accounts.
    • Default: false
    • Recommendation: FALSE. Prevents people from stealing admin usernames.
  • block-duplicate-register / block-duplicate-session
    • Short Name: Clone Wars
    • Description: Prevents the same account from registering/logging in from multiple places at once.
    • Default: true

Session Persistence & Timeouts

Found under session.

  • timeout-ms
    • Short Name: Session Lifespan
    • Description: How long they stay logged in without typing their password again (in ms).
    • Default: 3600000 (1 Hour)
  • cooldown-after-kick-ms
    • Short Name: The Sin Bin
    • Description: How long they must wait to rejoin after failing login too many times.
    • Default: 120000 (2 mins)
  • skip-combat-detection
    • Short Name: Combat Log Pass
    • Description: If true, unauthorized players can disconnect without triggering combat logging plugins.
    • Default: false
  • combat-timeout
    • Short Name: Battle Timer
    • Description: Duration a player is considered "in combat".
    • Default: 3000 (3s)
  • message-reminder-interval-ms
    • Short Name: The Nagging Timer
    • Description: How often the server yells "PLEASE LOG IN" at the player.
    • Default: 8000 (8s)
  • enable-sessions
    • Short Name: Remember Me
    • Description: Persists login across disconnects.
    • Default: true
  • kick-after-session-timeout
    • Short Name: The Boot
    • Description: Kicks the player instantly when their session expires while playing.
    • Default: false
    • Scenario: Set to false unless you enjoy annoying your player base.
  • session-from-same-i-p-only
    • Short Name: IP Lock
    • Description: Sessions are only valid if the IP matches. Prevents session hijacking.
    • Default: true
    • Recommendation: Always True.

๐Ÿ”’ Password Security Policy

Define how annoying (safe) a password must be. Found under password-rules.

Character Requirements

Each rule (upper-case, lower-case, digits) has:

  1. enabled: Turn it on/off.
  2. min: Minimum required.
  3. max: Maximum allowed (to prevent 500-character essays).
Rule Default Min Description
Upper Case 1 Forces at least one CAPITAL letter.
Lower Case 3 Forces at least three tiny letters.
Digits 4 Forces numbers. "Password1234" is unoriginal, but valid.
Length 8 Minimum total characters.

Advanced Password Settings

  • allow-reuse
    • Short Name: History Check
    • Description: Can they use their old password?
    • Default: false (Make them be creative).
  • password-hash-algorithm
    • Short Name: The Math Stuff
    • Description: How we scramble the passwords in the database.
    • Options: argon2, bcrypt, scrypt, pbkdf2, sha-512.
    • Default: argon2
    • Recommendation: Stick to Argon2. It eats GPUs for breakfast. MD5 is effectively illegal in 2026.

๐Ÿ’พ Database Connection

Where the secrets live.

SQLite (Default)

  • sqlite: "authCore-db.sqlite"
  • Short Name: The Easy Way
  • Description: A flat file. No setup needed. Best for small SMPs or lazy admins.

MySQL / MariaDB

Use this if you run a network or have 500+ players.

  • enabled: Set to true to activate.
  • Config: host, port (usually 3306), database, username, password.
  • ssl: false. (Turn on if your DB is on a different continent).

๐Ÿšซ Lobby & Limbo Restrictions

What can unauthenticated players ("The Unclean") actually do? Spoiler: Nothing.

๐ŸŒ€ Limbo & Teleportation

  • limbo-config.enabled: true. Teleports them to a holding cell.
  • limbo-config.location: Coordinates (x, y, z) and dimension (e.g., minecraft:overworld) where they wait.
  • timeout: Dynamic timeout based on ping.
    • Feature: Gives players with bad internet (Lag lords) more time to type their password.
    • Default: 60s base, scales up to 5 minutes for 600ms+ ping.

๐Ÿ›‘ Restrictions (The "No" List)

Found under lobby. Most of these default to false (meaning the action is forbidden).

Feature Default Description
max-lobby-users 50 Caps the amount of un-logged-in players.
safe-operators true CRITICAL. Removes OP status until you login. Prevents hacked clients from nuking the server instantly.
allow-chat false Prevents spam bots.
allow-commands false Prevents /op MeHacker123.
whitelisted-commands [login, register,account] The only commands allowed.
allow-movement false Freezes them in place.
invisible-unauthorized true Ghost Mode. Unauthed players can't see each other.
apply-blindness-effect true Darkness. Makes them focus on the chat to login.
force-adventure-mode true No breaking blocks.

Interaction Flags (All Default false):

  • block-breaking, block-interaction, item-drop, item-pickup, attacking-player, attacking-mobs.
  • Essentially: If it involves clicking a mouse button, it's disabled.

๐Ÿ‘ฎ Command Permissions

Controls who can run what. Supports LuckPerms (Recommended) and Vanilla OP levels.

๐Ÿ‘ค User Commands

Default Level: 0 (Everyone)

Command LuckPerms Node Description
/login authcore.user.login The magic word.
/logout authcore.user.logout Rage quitting safely.
/register authcore.user.load Creating an account.
/unregister authcore.user.unregister Deleting your own account.
/changepassword authcore.user.changepassword "New year, new me, new password."

๐Ÿ› ๏ธ Admin Commands

Default Level: 3 (Admins/OPs)

Command LuckPerms Node Description
reload authcore.admin.reload Refreshes config.
delete player authcore.admin.deleteplayer Yeets a player from the DB.
list players authcore.admin.listPlayers Shows who has joined.
destroy-session authcore.admin.destroyPlayerSession Forces a player to re-login right now.
set-password authcore.admin.setPlayerPassword "I forgot my password admin pls help."
whois authcore.admin.whoisUsername Doxxing... legally. Shows IP/UUID info.
set-offline/online authcore.admin.set... Manually toggles a player's premium status.
set-spawn authcore.admin.setSpawnLocation Sets the limbo jail location.

Wiki generated for AuthCore v1.0.0. If you break your config, don't say we didn't warn you. ๐Ÿคก