Last source audit: 21 June 2026
This document describes what is present in the repository today. It is based on the source code rather than release notes or the intended roadmap. “Partial” means that usable code exists, but the feature is incomplete, disconnected from the UI, or has known correctness/security limitations.
| Area | Status | Current implementation |
|---|---|---|
| Backend API | Implemented | Windows HttpListener backend with JSON, file-transfer, and SSE endpoints. |
| Local authentication | Partial | Registration, login, JWT access tokens, rotating refresh tokens, logout, and persistent revocation are implemented. Roles, recovery, rate limiting, and several hardening items are not. |
| Server creation | Partial | Paper, Vanilla, Velocity, and locally imported Spigot/Bukkit JARs have creation paths. Purpur and BungeeCord are empty stubs; Fabric is not implemented. |
| Server lifecycle | Implemented | Per-owner start, stop, restart, process tracking, graceful stop with forced termination fallback, and command input. |
| Server console | Implemented | Bounded output for the current process run and live Server-Sent Events are available through an authenticated web console. History is cleared between server runs. |
| Metrics | Implemented | Per-process CPU and memory sampling is displayed by the web dashboard for running server instances. |
| File management | Partial | The panel exposes all implemented file operations, including routes with documented ownership gaps. See DEVNOTES.md. |
| User profiles | Partial | Public profile lookup and an owner-scoped server list exist. Profile editing and account management do not. |
| Java runtime management | Partial | Temurin, Zulu, and Liberica download paths and a runtime index exist. Corretto is declared but has no download implementation. |
| Web panel | Partial | Renewable authentication, server-card navigation/management/metrics, live console, and all implemented file operations are connected to the backend. Public profile lookup is intentionally not exposed. |
| Windows desktop manager | Prototype | Local HTML login and basic profile display exist. It does not expose the server-management features. |
| Installer | Partial | A Windows Forms installer project exists, but this audit does not treat packaging as production-verified. |
| Plugin/mod manager | Not implemented | No plugin or mod discovery, install, update, removal, or API routes exist. |
| Scheduler/automation | Not implemented | No jobs, schedules, task persistence, or execution engine exist. |
| Roles and administrative permissions | Not implemented | Tokens identify a username only. There are no role claims, role models, or administrator-only policies. |
- Local users persisted in
users.json. - Passwords stored using PBKDF2-SHA256 with a per-password random salt and 100,000 iterations.
- Successful login migration from the legacy unsalted SHA-256 password format.
- One-hour signed JWT access tokens with issuer, audience, lifetime, algorithm, and token-ID validation.
- Thirty-day opaque refresh tokens. Only their SHA-256 hashes are persisted.
- Refresh-token rotation and token-family revocation when a rotated token is replayed.
- Persistent refresh sessions and revoked access-token IDs in
auth_sessions.json. - Logout revocation for the supplied access token and, when provided, the refresh-token family.
- Automatic replacement of the publicly known legacy JWT signing secret.
- Generic login errors to avoid revealing whether an account exists.
The login response retains token as a backwards-compatible alias for
accessToken.
- Owner-scoped server index persisted in
servers.json. - Cryptographically random 128-bit hexadecimal server IDs.
- Server directory and configuration generation.
- Server JAR retrieval for Paper, Vanilla, and Velocity.
- Local Spigot/Bukkit JAR repository and a separate console import utility.
- Java process launch with configured minimum/maximum memory.
- Asynchronous stdout/stderr capture with a bounded in-memory log.
- Graceful stop command followed by forced process termination after timeout.
- Live console output over SSE with heartbeat messages.
- Console command forwarding to the running Java process.
- Per-process CPU and working-set memory metrics.
- Owner checks on creation, deletion, lifecycle control, metrics, console streaming, command input, file listing, and text read/write/delete.
- File listing, recursive listing, text read/write, deletion, directory creation, move/rename, multipart upload, and binary download.
- Canonical-path checking intended to keep file operations inside a server's
filesdirectory. - Runtime download/index infrastructure for multiple Java distributions.
- First-run configuration, configurable API port/server directory, URL ACL setup, single-instance enforcement, connectivity checks, and file logging.
- Default base URL:
http://localhost:5678. - Protected endpoints expect
Authorization: Bearer <accessToken>. - JSON requests should send
Content-Type: application/jsonunless noted. - Success and error shapes are not yet fully standardized. Most mutation routes
return a
successboolean, whileGET /profile/serversreturns an array. - There is no API version prefix, OpenAPI description, or generated client.
Body:
{ "username": "admin", "password": "admin" }Successful response:
{
"success": true,
"token": "<access-token>",
"accessToken": "<access-token>",
"refreshToken": "<refresh-token>",
"tokenType": "Bearer",
"expiresIn": 3600,
"refreshExpiresIn": 2592000
}Rotates the refresh token. The previous token must be discarded immediately. Reusing it revokes the entire token family.
{ "refreshToken": "<refresh-token>" }The successful response has the same token shape as login.
Requires the access-token header. Include the current refresh token to revoke the complete refresh-token family rather than only the access token.
{ "refreshToken": "<refresh-token>" }{ "username": "new-user", "password": "password" }Registration is currently public and creates an ordinary account. There is no role assignment or administrator approval workflow.
| Method and path | Auth | Input | Result |
|---|---|---|---|
GET /endpointinfo |
No | None | Backend name and hard-coded version. |
POST /profile/public |
No | JSON: username |
Public user fields with PasswordHash removed. |
GET /profile/servers |
Yes | None | Array of servers owned by the authenticated username. |
All routes below require a bearer access token and verify that the authenticated user owns the requested server.
| Method and path | Input | Result/notes |
|---|---|---|
POST /servers/create |
Creation object described below | Creates server files and returns the generated id. |
POST /servers/delete |
JSON: id |
Deletes the index entry and server directory recursively. |
POST /servers/start |
JSON: id |
Starts the configured Java process. |
POST /servers/stop |
JSON: id |
Queues a graceful stop operation. |
POST /servers/restart |
JSON: id |
Queues stop followed by start. |
POST /servers/metrics |
JSON: id |
Returns running, cpu, memory, and memoryMB. The server must have a tracked instance. |
POST /servers/console/command |
JSON: id, command |
Sends a line to the server process. The current handler does not send a normal success response and should be considered incomplete. |
GET /servers/console/stream?id=... |
Query: id |
text/event-stream output plus five-second heartbeats. |
Server creation body:
{
"serverName": "My Server",
"serverDesc": "Description",
"software": "paper",
"version": "1.21.5/123",
"minRam": "1024",
"maxRam": "4096",
"javaVer": "21",
"javaVendor": "Temurin",
"javaType": "jre"
}version is slash-delimited. Vanilla expects only a Minecraft version; Paper
and Velocity expect a version and build. Spigot/Bukkit use a locally imported
JAR. Inputs are not yet formally validated, and the creation implementation can
report success even after some internal creation failures.
| Method and path | Input | Result/notes |
|---|---|---|
GET /servers/files/list |
Query: id, optional path, optional recursive=true |
Returns file metadata entries. Owner check present. |
GET /servers/files/read |
Query: id, path |
Returns a text file as JSON. Owner check present. |
POST /servers/files/write |
JSON: id, path, content |
Creates/replaces a text file. Owner check present. |
POST /servers/files/delete |
JSON: id, path |
Deletes a file or directory recursively. Owner check present. |
POST /servers/files/mkdir |
JSON: id, path |
Creates a directory. Owner check missing. |
POST /servers/files/move |
JSON: id, from, to, optional overwrite |
Moves/renames an entry. Owner check missing. |
GET /servers/files/download |
Query: id, path |
Binary download. Owner check missing. |
POST /servers/files/upload |
multipart/form-data: id, path, optional overwrite, one file |
Uploads a file. Owner check missing. |
All file handlers require a valid bearer token, but the four routes explicitly marked above currently allow any authenticated user to operate on another user's server if its ID is known. They must not be exposed to untrusted users until owner checks are added.
Start, stop, restart, creation, deletion, metrics, files, and console primitives exist in the backend. The web panel does not yet expose a working management experience. Purpur, BungeeCord, and Fabric creation are absent or stubbed.
The README promises installation and quick updates for plugins and mods. There are no backend models, catalog integrations, API routes, update checks, or UI screens for this feature.
The Blazor WebAssembly application connects login, registration, logout, refresh-token rotation, protected management routes, server-card navigation and creation, lifecycle controls, metrics, console streaming/commands, and file operations to the backend. Public profile lookup is intentionally left out of the panel. Remaining limitations include:
- the backend URL defaults to
http://localhost:5678/and must be configured inwwwroot/appsettings.jsonfor remote deployments; - there is no role/account-management experience because those backend systems do not exist;
- file upload/download/mkdir/move are exposed for development despite missing
owner checks and are documented in
DEVNOTES.md; - there are no browser integration tests or offline/PWA session behaviors.
Local password authentication and renewable/revocable tokens are implemented. There is no role field, role claim, authorization policy, administrator-only endpoint, or distinction between admin and ordinary user permissions.
Process output capture and buffered/live logs are available through an authenticated panel screen. Commands are exposed with a short client timeout because the backend command handler still omits a normal success response.
The panel can browse, read, create, edit, delete, upload, download, create directories, and move/rename entries. Four exposed handlers are missing server-owner authorization checks. There are no backend file size, upload size, quota, or text-file size limits; the browser imposes a 64 MB upload cap.
There is no scheduler, task model, persisted job queue, recurring action engine, backup schedule, or related API/UI.
A substantial HTTP API exists, but it is not yet a stable integration API. It lacks versioning, formal schemas, consistent status/error responses, OpenAPI, API keys/service accounts, pagination, and compatibility guarantees.
The responsive Blazor/MudBlazor panel provides the implemented authentication, server, metrics, console, and safe file-management workflows. Features without backend support remain absent, so the promised panel is not yet feature-complete.
These are the highest-priority issues observed during the audit:
- Add owner checks to file upload, download, mkdir, and move operations.
- Make safe-path validation separator-aware; a plain string prefix check can accept a sibling path whose name begins with the expected root name.
- Replace the default
admin/adminonboarding credentials with a secure first-run setup. - Restrict or disable public registration for installations that are not meant to be multi-user public services.
- Add role-based authorization before describing accounts as Admin/User.
- Put the backend behind HTTPS; credentials and bearer tokens are otherwise exposed in transit.
- Replace permissive reflected CORS with an explicit trusted-origin allowlist.
- Add login rate limiting, password policy, password change/recovery, and “revoke all sessions” support.
- Connect the web client to refresh-token rotation and avoid long-lived tokens in broadly accessible browser storage where possible.
- Make server creation transactional so failed downloads/configuration do not leave index entries or return false success.
- Standardize request validation, response bodies, HTTP status codes, and exception handling across endpoints.
- Add automated tests for authentication, ownership boundaries, safe paths, server lifecycle behavior, and API contracts.
- Close authorization gaps and deploy only through HTTPS.
- Complete browser token renewal/logout and route protection.
- Make the existing lifecycle, console, metrics, and file APIs usable from the web panel.
- Harden server creation and align supported software choices between backend and UI.
- Implement roles and administrator workflows.
- Add scheduler/automation and plugin/mod management as new subsystems.