Editing Security
From AAGRINDER wiki
Jump to navigationJump to searchWarning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | |||
This page describes the current status of security in AAGRINDER. | This page describes the current status of security in AAGRINDER. | ||
Line 10: | Line 9: | ||
this transmission will be encrypted. | this transmission will be encrypted. | ||
− | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a | + | On the server, the password is hashed and salted using [https://www.npmjs.com/package/bcryptjs bcryptjs] and then saved in a [[wikipedia:MySQL|MySQL]] database. The relevant part of the code can be found [https://gitlab.com/MRAAGH/aagrinder/blob/master/server/User.js#L120 here]. The plaintext password does not persist in memory on neither the client or the server. |
− | + | There is currently no functionality for changing an account's password. If you want your password changed, you should contact the server administrator to reset your account (progress in the game will not be lost). | |
+ | |||
+ | There is an alternative mode called [[insecure mode|Running in insecure mode]] which can be enabled by toggling a server setting. We call it "insecure" to decrease the confusion between the similar words "authentication" and "authorization". If enabled, passwords will be completely ignored at login, and the client will not prompt the user for password. | ||
== Authorization == | == Authorization == | ||
Line 19: | Line 20: | ||
Among the in-game commands that get executed on the server, some are in the group of ''admin commands'', which prevents users from accessing these commands unless they have the ''admin'' role. The names of users with the admin role are specified in the file ''admins.txt'' in the server directory. This file needs to be edited manually. | Among the in-game commands that get executed on the server, some are in the group of ''admin commands'', which prevents users from accessing these commands unless they have the ''admin'' role. The names of users with the admin role are specified in the file ''admins.txt'' in the server directory. This file needs to be edited manually. | ||
− | + | An additional privilege may be granted to users which allows them to run the /sudo command. To do this, the server setting ''allow_sudo'' needs to be set to ''true'' and the name of the user needs to be specified in the file ''sudo.txt'' in the server directory. This file needs to be edited manually. | |
+ | |||
+ | It is possible to turn off authorization for admin commands, by changing the server setting ''authorization'' to ''false''. Then, all players are allowed to run admin commands, regardless of the content of ''admins.txt''. However, access to the /sudo command remains restricted. |