Editing Security
From AAGRINDER wiki
Jump to navigationJump to searchWarning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
+ | This page describes the current status of security and privacy in AAGRINDER. | ||
− | + | == Security == | |
− | + | === Authentication === | |
− | == Authentication == | + | In AAGRINDER, players authenticate with their passwords. |
− | In AAGRINDER, | ||
The password is chosen when the account is created and needs to be at least 1 character long. | The password is chosen when the account is created and needs to be at least 1 character long. | ||
The password may contain any characters. | The password may contain any characters. | ||
Line 10: | Line 10: | ||
this transmission will be encrypted. | this transmission will be encrypted. | ||
− | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a | + | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a [[wikipedia:MySQL|MySQL]] database. The relevant part of the code can be found [https://gitlab.com/MRAAGH/aagrinder/blob/master/server/User.js#L120 here]. The plaintext password does not persist in memory on neither the client or the server. |
− | |||
− | |||
− | + | There is currently no functionality for changing an account's password. If you want your password changed, you should contact the server administrator to reset your account (progress in the game will not be lost). | |
− | |||
− | + | There is an alternative mode called [[insecure mode|Running in insecure mode]] which can be enabled by toggling a server setting. We call it "insecure" to decrease the confusion between the similar words "authentication" and "authorization". If enabled, passwords will be completely ignored at login, and the client will not prompt the user for password. | |
− | + | === Authorization === |