Skip to content

feat(premium): cryptographic session verification for premium bypass#3019

Draft
Xephi wants to merge 1 commit intomasterfrom
feat/premium
Draft

feat(premium): cryptographic session verification for premium bypass#3019
Xephi wants to merge 1 commit intomasterfrom
feat/premium

Conversation

@Xephi
Copy link
Copy Markdown
Contributor

@Xephi Xephi commented May 2, 2026
edited
Loading

Requirements

  • PacketEvents must be installed on the server, unless you
    are using proxy mode (see "Behind a proxy" on docs/premium.md).

How it works

When a premium-enrolled player connects, AuthMe intercepts the Minecraft login handshake at
the packet level:

Client                         Server (AuthMe + PacketEvents)        Mojang
  |                                  |                                 |
  |--LOGIN_START(name)-------------->|                                 |
  |                                  | ① DB: isPremium → true (async)  |
  |<--ENCRYPTION_REQUEST-------------|                                 |
  |  (RSA-1024 public key +          |                                 |
  |   random verify token)           |                                 |
  |  POST /session/minecraft/join ---------------------------------->  |
  |--ENCRYPTION_RESPONSE------------>|                                 |
  |  (enc(sharedSecret) +            |                                 |
  |   enc(verifyToken), RSA)         |                                 |
  |                                  | ② RSA-decrypt sharedSecret      |
  |                                  |   (sync, on event-loop)         |
  |                                  | ③ Install AES/CFB8 Netty ciphers|
  |                                  |   (sync — client already sends  |
  |                                  |    encrypted bytes from here)   |
  |                                  | ④ Verify token + GET /hasJoined |
  |                                  |   (async) --------------------->|
  |                                  |<--- {uuid, name, properties} ---|
  |                                  | ⑤ Store verified UUID (60 s TTL)|
  |                                  | ⑥ Re-inject LOGIN_START         |
  |     ... player joins PLAY ...    |                                 |
  |                                  |                                 |
  AsynchronousJoin: getVerifiedUuid(name) == auth.getPremiumUuid() → auto-login

@Xephi Xephi mentioned this pull request May 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Xephi