EzAuth

EzAuth

Drop-in authentication for modern Paper and Bukkit servers with polished UX, standalone or integrated TOTP 2FA, and flexible storage.

Overview

EzAuth locks down your server's spawn with email-backed registrations, password logins, and time-limited sessions. Players are guided through the process with configurable messages, multi-language prompts (English, Nederlands, Español out of the box), visual effects, and reminders while administrators retain full control over storage backends, security policy, and optional SMTP settings. Toggle between pure login, opt-in 2FA, or a New: flow that layers EzAuth's `/2fa` experience onto any existing authentication plugin. New: guide administrators through an in-game installation that immediately re-locks every active session when setup finishes, tap into the new session caching layer for instant post-login checks, then hook directly into Laravel, WordPress, or XenForo user tables so your website and server share a single account system.

Key Features

- Admin oversight – `/register` validates emails, enforces configurable password lengths, blocks duplicate emails or accounts, and saves asynchronously so players never stall the main thread. - Admin oversight – `/ezauth install` walks staff through launch day setup, optionally bypasses the login guard until you're ready, and re-locks every active session the moment installation is marked complete. - Admin oversight – Ship multiple language packs (English, Nederlands, Español by default), set your default language, and let players opt into their preferred message set on join. - Admin oversight – `/login` honours staged cooldowns, respects bypass permissions, caches accounts for quicker checks, and runs password hashing off-thread before celebrating success with optional effects. - Admin oversight – `/2fa` walks players through setup, confirmation, verification, status checks, and disabling while the TwoFactorService generates secure secrets and verifies codes. Flip `security.yml`'s `authentication-type` to `two_factor` to run EzAuth as a standalone 2FA module alongside plugins like AuthMe or via proxy networks. - Admin oversight – Movement, chat, and non-whitelisted commands are blocked until authentication completes, with five-second reminders and automatic session timeouts that can re-lock idle players. - Admin oversight – Cache active authentications per-server and across proxies to trim database hits and keep trusted players online through quick restarts. - Admin oversight – Toggle `authentication-input: book` to capture passwords and 2FA codes through an interactive written book, with automatic re-prompts if a player closes it early. - Admin oversight – Toggle per-event particles and sounds or disable them globally from `security.yml`. - Admin oversight – Choose YAML files, EzAuth-managed MySQL tables, or hook directly into Laravel, WordPress, and XenForo schemas via the new integration block while still storing accounts by UUID or username. - Admin oversight – Switch between BCrypt (custom rounds), SHA-256 with a pepper, or WordPress PHPass without touching code. - Admin oversight – `email.yml` exposes SMTP host, port, TLS/SSL, credentials, sender identity, and arbitrary mail properties so you're ready when outbound messaging lands. - Admin oversight – Send verification codes to new registrations, block unverified logins, and let players confirm or resend their code with `/email` commands. - Admin oversight – Hide authentication attempts from console logs by listing sensitive commands in `security.yml` so staff chats stay clean while log filters update automatically on reloads. - Admin oversight – `/ezauth players` opens a paginated in-game GUI with account email, creation time, and 2FA status so staff can disable two-factor or remove registrations without console commands.

Authentication Types

- Optional – The classic EzAuth flow with `/register`, `/login`, and optional `/2fa` for layered security. - Optional – Keep your existing password solution but give players EzAuth's polished authenticator setup, code checks, and admin controls by setting `authentication-type: two_factor`. Perfect for networks standardising on AuthMe, MultiAuth, or proxy-level SSO that still want in-game TOTP enforcement. - Optional – Let players secure their account when they're ready while you maintain traditional logins for everyone else.

Commands & Permissions

| Command | Usage | Permission | Default | |---|---|---:|---| | /register | /register <email> <password> <password> | `ezauth.register` | Everyone | | /login | /login <password> | `ezauth.login` | Everyone | | /2fa, /twofactor | /2fa <setup|confirm|verify|disable|status> | `ezauth.2fa` | Everyone | | /email | /email <verify <code>|resend> | `ezauth.email` | Everyone | | - | - | `ezauth.2fa.admin` | OP | | /ezauth | /ezauth reload | `ezauth.reload` | OP | | /ezauth install | /ezauth install <status|complete|reset|config> | `ezauth.install` | OP | | - | - | `ezauth.bypass` | OP |

Installation

Launch EzAuth for the first time and let the new installation workflow do the heavy lifting:

1. Use `/ezauth install status` to confirm the guided flow is active and view whether the login guard is temporarily bypassed. 2. Tweak installation options in-game with `/ezauth install config` to enable reminders, disable bypass mode, or re-open the GUI later. 3. Once your storage, hashing, and security files look right, finish with `/ezauth install complete` to re-lock every connected player until they authenticate. 4. Need to re-run onboarding for a new season? `/ezauth install reset` re-opens the flow without touching existing accounts.

Quick Configuration Presets

Choose the baseline that matches your deployment and copy the snippets into your generated configs.

YAML Storage + Password Login

Perfect for single-server setups that don't need a database. Accounts are saved to disk and BCrypt keeps passwords safe.

```yaml

database.yml

storage-type: yml account-identifier: uuid yaml-file: registrations.yml integration: mode: none ```

```yaml

hashing.yml

algorithm: bcrypt bcrypt: rounds: 10 ```

```yaml

security.yml

authentication-type: login particles-enabled: false sounds-enabled: false ```

Managed MySQL + Login

Stores players in EzAuth's MySQL schema while retaining the classic `/register` + `/login` experience.

```yaml

database.yml

storage-type: mysql account-identifier: uuid host: localhost port: 3306 name: ezauth username: ezauth password: changeme jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC integration: mode: none ```

```yaml

hashing.yml

algorithm: bcrypt bcrypt: rounds: 12 ```

```yaml

security.yml

authentication-type: login session: timeout-minutes: 15 particles-enabled: true sounds-enabled: true ```

Standalone 2FA Module

Pair EzAuth with another authentication plugin and only use it for `/2fa` management.

```yaml

database.yml

storage-type: mysql account-identifier: uuid host: localhost port: 3306 name: ezauth username: ezauth password: changeme jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC integration: mode: none ```

```yaml

hashing.yml

Hashing is unused in standalone 2FA mode but keep defaults for compatibility.

algorithm: bcrypt bcrypt: rounds: 10 ```

```yaml

security.yml

authentication-type: two_factor two-factor: standalone-mode: true enforce-on-join: true session: timeout-minutes: 10 ```

WordPress Integration + Shared Accounts

Connect Minecraft logins to your existing WordPress site and sync optional two-factor status.

```yaml

database.yml

storage-type: mysql account-identifier: username host: localhost port: 3306 name: wordpress username: wp_user password: supersecret jdbc-parameters: useSSL=false&characterEncoding=UTF-8 integration: mode: wordpress wordpress: table-prefix: wp_ users-table: wp_users user-meta-table: wp_usermeta username-column: user_login email-column: user_email password-column: user_pass uuid-meta-key: minecraft_uuid two-factor-secret-meta-key: ezauth_2fa_secret two-factor-confirmed-meta-key: ezauth_2fa_confirmed ```

```yaml

hashing.yml

algorithm: wordpress ```

```yaml

security.yml

authentication-type: login two-factor: optional: true locale: default-language: en_US ```

Default Configuration

`database.yml` now includes an `integration` section so you can reuse Laravel, WordPress, or XenForo tables while keeping EzAuth's familiar commands. Update the table and column names to match your deployment or leave the mode on `none` to keep EzAuth's managed schema.

```yaml

EzAuth Storage Configuration

storage-type: yml

account-identifier: uuid

yaml-file: registrations.yml

host: localhost port: 3306 name: ezauth username: root password: password jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC pool: maximum-pool-size: 10 minimum-idle: 2 connection-timeout: 30000 idle-timeout: 600000 max-lifetime: 1800000 data-source-properties: cachePrepStmts: "true" prepStmtCacheSize: "250" prepStmtCacheSqlLimit: "2048"

integration: mode: none laravel: table: users uuid-column: uuid username-column: name email-column: email password-column: password two-factor-secret-column: two_factor_secret two-factor-confirmed-column: two_factor_confirmed created-at-column: created_at updated-at-column: updated_at remember-token-column: remember_token wordpress: table-prefix: wp_ users-table: wp_users user-meta-table: wp_usermeta username-column: user_login email-column: user_email password-column: user_pass created-at-column: user_registered uuid-meta-key: minecraft_uuid two-factor-secret-meta-key: ezauth_two_factor_secret two-factor-confirmed-meta-key: ezauth_two_factor_confirmed xenforo: table-prefix: xf_ user-table: xf_user user-auth-table: xf_user_authenticate user-field-value-table: xf_user_field_value user-profile-table: xf_user_profile username-column: username email-column: email created-at-column: register_date uuid-field-id: minecraft_uuid two-factor-secret-field-id: ezauth_two_factor_secret two-factor-confirmed-field-id: ezauth_two_factor_confirmed ```

WordPress setups need a few extra tweaks before going live:

- Switch `hashing.yml`'s `algorithm` to `WORDPRESS_PHPASS` so EzAuth produces hashes compatible with WordPress' PHPass implementation. - Keep the UUID and two-factor meta keys (`minecraft_uuid`, `ezauth_two_factor_secret`, `ezauth_two_factor_confirmed` by default) or adjust them to match your existing data. - Update the table prefix or table names if your WordPress instance uses a custom prefix.

XenForo deployments should create three custom text user fields in the XenForo control panel matching the configured `uuid-field-id`, `two-factor-secret-field-id`, and `two-factor-confirmed-field-id`. EzAuth keeps the values in `xf_user_field_value`, `xf_user_profile.custom_fields`, and `xf_user_authenticate` aligned whenever it updates an account.

Laravel schemas should expose UUID and two-factor columns alongside the framework defaults (`remember_token`, `created_at`, `updated_at`). If you use Jetstream or Breeze, add the following migration so EzAuth can reuse your user table without data loss:

```php // Laravel migration Schema::table('users', function (Blueprint $table) { $table->uuid('uuid')->unique()->after('id'); $table->text('two_factor_secret')->nullable()->after('password'); $table->boolean('two_factor_confirmed')->default(false)->after('two_factor_secret'); }); ```

EzAuth keeps the two-factor values intact when it updates an existing Laravel user and will fill in timestamps and the remember token for fresh rows.

Hashing defaults

```yaml

hashing.yml

algorithm: BCRYPT bcrypt: rounds: 10 sha256: pepper: "" ```

Security defaults

```yaml

security.yml

require-email-validation: true min-password-length: 8 session-timeout-seconds: 300 login-enabled: true register-enabled: true bypass-enabled: true login: cooldown: enabled: true stages: - attempts: 3 cooldown-seconds: 10 - attempts: 5 cooldown-seconds: 60 two-factor: enabled: false issuer: EzAuth required-for-login: false secure-account-welcome-message: - "%prefix%&aTwo-factor authentication is now enabled for your account, %player%!" allowed-commands-while-unauthenticated: - login - register - 2fa - twofactor visual-effects: enabled: true login: enabled: true particle: VILLAGER_HAPPY particle-count: 30 particle-offset-x: 0.0 particle-offset-y: 1.0 particle-offset-z: 0.0 particle-spread-x: 0.25 particle-spread-y: 0.35 particle-spread-z: 0.25 sound: ENTITY_PLAYER_LEVELUP sound-volume: 1.0 sound-pitch: 1.2 register: enabled: true particle: FIREWORKS_SPARK particle-count: 50 particle-offset-x: 0.0 particle-offset-y: 1.0 particle-offset-z: 0.0 particle-spread-x: 0.4 particle-spread-y: 0.6 particle-spread-z: 0.4 sound: UI_TOAST_CHALLENGE_COMPLETE sound-volume: 1.0 sound-pitch: 1.0 ```

Security (2FA-only mode)

```yaml

EzAuth Security Configuration (2FA-only mode)

require-email-validation: false min-password-length: 8 session-timeout-seconds: 0 login-enabled: false register-enabled: false bypass-enabled: false login: cooldown: enabled: false stages: [] two-factor: enabled: true issuer: EzAuth required-for-login: false secure-account-welcome-message: - "%prefix%&aTwo-factor authentication is now enabled for your account, %player%!" allowed-commands-while-unauthenticated: - 2fa - twofactor visual-effects: enabled: false ```

messages.yml (example)

```yaml

messages.yml

default-language: en languages: en: name: 'English' file: 'messages/en.yml' aliases: - 'en_us' - 'en-gb' nl: name: 'Nederlands' file: 'messages/nl.yml' aliases: - 'nl_nl' - 'nl-be' es: name: 'Español' file: 'messages/es.yml' aliases: - 'es_es' - 'es-mx'

prefix: '&7[&bEzAuth&7] '

register: usage: '%prefix%&cUsage: /register <email> <password> <password>' success: '%prefix%&aYou are now registered with &f%email%&a. Welcome!' already-registered: '%prefix%&cYou are already registered. Use /login <password> to authenticate.' email-in-use: '%prefix%&cThat email address is already associated with another account.' invalid-email: '%prefix%&cPlease enter a valid email address.' password-mismatch: '%prefix%&cYour passwords do not match.' password-too-short: '%prefix%&cPasswords must be at least &f%length%&c characters long.' prompt: '%prefix%&eCreate an account with &f/register <email> <password> <password>' disabled: '%prefix%&cRegistration is currently disabled. Please contact an administrator to create an account.'

login: usage: '%prefix%&cUsage: /login <password>' success: '%prefix%&aYou are now logged in.' success-with-email: '%prefix%&aYou are now logged in with &f%email%&a.' not-registered: '%prefix%&cNo account found. Use /register <email> <password> <password>.' invalid-password: '%prefix%&cIncorrect password. Please try again.' already-logged-in: '%prefix%&cYou are already logged in.' cooldown-active: '%prefix%&cToo many failed attempts. Please wait &f%seconds%&c seconds before trying again.' prompt: '%prefix%&eWelcome back! Log in with &f/login <password>' bypass: '%prefix%&aBypass enabled: you are already authenticated.' disabled: '%prefix%&ePassword login is currently disabled on this server.'

general: no-permission: '%prefix%&cYou do not have permission to use this command.' players-only: '%prefix%&cOnly players can run this command.' error: '%prefix%&cAn internal error occurred. Please contact an administrator.' not-authenticated: '%prefix%&cPlease authenticate using %methods%.' already-authenticated: '%prefix%&cYou are already authenticated.'

admin: reload: usage: '%prefix%&eUsage: /ezauth reload' success: '%prefix%&aEzAuth configuration reloaded successfully.' failed: '%prefix%&cFailed to reload EzAuth configuration. Check console for details.'

twofactor: disabled: '%prefix%&cTwo-factor authentication is not enabled on this server.' usage: '%prefix%&eUsage: /2fa <setup|confirm|verify|disable|status>' confirm-usage: '%prefix%&cUsage: /2fa confirm <code>' verify-usage: '%prefix%&cUsage: /2fa verify <code>' disable-usage: '%prefix%&cUsage: /2fa disable <code|player>' setup: '%prefix%&aAdd this account to your authenticator app using the secret or setup URL below.' secret-line: '%prefix%&7Secret: &b&n%secret% &8(Click to copy)' secret-hover: '&bClick to copy your 2FA secret to the clipboard.' uri-line: '%prefix%&7Setup URL: &f%uri%' already-enabled: '%prefix%&cTwo-factor authentication is already enabled.' setup-required: '%prefix%&cYou must set up two-factor authentication with &f/2fa setup&c before continuing.' setup-optional: '%prefix%&eSecure your account any time with &f/2fa setup&e when you are ready.' login-required: '%prefix%&cEnter a valid 2FA code using &f/2fa verify <code>&c to finish signing in.' auth-required: '%prefix%&cPlease log in with &f/login&c before using /2fa commands.' invalid-code: '%prefix%&cThat 2FA code is invalid or expired. Please try again.' enabled: '%prefix%&aTwo-factor authentication has been enabled successfully.' verified: '%prefix%&aTwo-factor authentication complete. You are now signed in.' disabled-success: '%prefix%&aTwo-factor authentication has been disabled for your account.' admin-disabled-success: '%prefix%&aTwo-factor authentication has been disabled for &f%target%&a.' admin-disabled-notify: '%prefix%&cYour two-factor authentication has been disabled by &f%admin%&c.' admin-self-target: '%prefix%&cTo disable your own two-factor authentication, run &f/2fa disable <code>&c.' admin-target-not-found: '%prefix%&cNo EzAuth account found for &f%target%&c.' admin-target-not-enabled: '%prefix%&cTwo-factor authentication is not enabled for &f%target%&c.' not-setup: '%prefix%&cYou have not generated a two-factor secret yet. Use /2fa setup first.' not-confirmed: '%prefix%&cYou must confirm your two-factor secret with /2fa confirm <code> before using it.' not-enabled: '%prefix%&cTwo-factor authentication is not currently enabled for your account.' no-account: '%prefix%&cNo EzAuth account found for your player. Please register first.' status-enabled: '%prefix%&aTwo-factor authentication is enabled on your account.' status-pending: '%prefix%&eTwo-factor authentication setup is pending confirmation.' status-disabled: '%prefix%&eTwo-factor authentication is currently disabled for your account.' ```

Proxy-aware Session Storage

Need to keep players authenticated across a network of servers? Flip `proxy.enabled: true` inside `security.yml` and EzAuth will automatically switch to a shared SQL-backed session store. The plugin creates the required `ezauth_sessions` table, replicates login state between instances, and honours `proxy.session-ttl-seconds` so you can control how long a network-wide login remains valid before players must authenticate again. Set it to `0` to rely entirely on the per-server timeout defined by `session-timeout-seconds`.

This proxy support is still experimental, so test thoroughly before rolling it out across production networks.

Heads up: distributed sessions require the MySQL backend defined in `database.yml`. EzAuth will refuse to boot the proxy cache if you're running purely on YAML storage.

Preparing Email Notifications

EzAuth now ships with an optional `email.yml` that lets you preload SMTP details ahead of outbound messaging support. Leave the section disabled to skip configuration entirely, or enable it and provide your host, port, transport (TLS/SSL), credentials, and sender identity so EzAuth is ready the moment email verification or alerts go live.

```yaml smtp: enabled: false host: smtp.example.com port: 587 username: no-reply@example.com password: "changeme" use-starttls: true from-name: "EzAuth" from-address: no-reply@example.com ```

- Keep `enabled` set to `false` until you're ready to wire in valid credentials. - Toggle `use-starttls` or swap to implicit SSL by setting `port` to `465` if your provider requires it. - Pair email notifications with the verification commands under `/email` to block unverified accounts before they log in.

Connecting EzAuth to Your Website Login

Whether you're running Laravel, WordPress, or XenForo, EzAuth can authenticate players against the same credentials your website already uses. Follow the steps below for your platform after setting `storage-type: mysql`.

Laravel Integration

1. Open `plugins/EzAuth/database.yml` and set `integration.mode` to `laravel`. 2. Point the MySQL connection settings at the database your Laravel site uses (usually the values from `.env`). 3. Ensure the column names in the `integration.laravel` block match your `users` table. If you use UUIDs, keep `uuid-column`; otherwise set `account-identifier` to `username`. 4. If you rely on Laravel's remember tokens or two-factor columns, keep them mapped—EzAuth reads and updates them automatically when players log in or toggle `/2fa`. 5. Reload EzAuth or restart the server. New registrations will write back through Laravel's hashing (BCrypt) so the same password works on both the site and Minecraft server.

WordPress Integration

1. Set `storage-type` to `mysql` and `integration.mode` to `wordpress`. 2. Use the database credentials from `wp-config.php` so EzAuth connects to the same MySQL instance as WordPress. 3. Adjust `integration.wordpress.table-prefix` if your installation uses a custom prefix, then confirm the `users` and `usermeta` table names. 4. Map EzAuth's UUID and 2FA fields to meta keys that exist (or let EzAuth create them). Passwords are checked using WordPress' PHPass algorithm when you enable `hashing.algorithm: wordpress` in `hashing.yml`. 5. Reload EzAuth. Players can now `/login` with their WordPress credentials, and optional `/2fa` status will sync to the user meta rows.

XenForo Integration

1. Switch `integration.mode` to `xenforo` and supply the same MySQL details XenForo uses. 2. Confirm the table prefix and column names in the `integration.xenforo` block. EzAuth will read usernames from `xf_user` and hashed passwords from `xf_user_authenticate`. 3. If you store Minecraft UUIDs or 2FA secrets in custom profile fields, update the `uuid-field-id` and `two-factor-*` identifiers so EzAuth syncs the correct values. 4. Make sure `hashing.yml` is set to `algorithm: xenforo` so EzAuth verifies XenForo's bcrypt variants correctly. 5. Reload EzAuth or restart to apply changes. Server logins will now validate against XenForo accounts, keeping forum and in-game credentials unified.

Getting Started

1. Drop the jar into your `/plugins` folder and start the server once to generate configs. 2. Edit `database.yml`, `hashing.yml`, and `security.yml` to match your storage, hashing, and policy. 3. Configure `email.yml` if you plan to send email-based notifications later. 4. Tune `messages.yml` to fit your community tone, then run `/ezauth reload` in-game. 5. Invite players to `/register`, `/login`, and optionally `/2fa setup` for full protection.

Need Help?

EzAuth is in active development, so your feedback directly shapes the roadmap. You can join our Discord server for real-time support, feature requests and updates.

Try the other Minecraft plugins in the EzPlugins series