NewLogin

Changelog

Highlights

This release focuses on making the project reproducible, improving account security, fixing email recovery, and cleaning up legacy configuration behavior.

Added

• Added a fully reproducible project structure, including pom.xml, src/main/java, resources, README, LICENSE, CHANGELOG, and CI setup.
• Added versioned password hashing using PBKDF2-HMAC-SHA256.
• Added unique salts, safe password comparison, and automatic migration from legacy SHA-256 password hashes.
• Added real SMTP email delivery with TLS/STARTTLS, authentication, UTF-8 HTML support, timeouts, a dedicated executor, and reload support.
• Added recovery-code expiration, maximum attempt limits, and cooldowns per player/IP.
• Added schema-version support to persisted data.
• Added automatic backups before destructive data operations.
• Added UUID/IP-based lockout protection.
• Added blindness effect support for pre-login protection.

Changed

• Updated /email confirm to correctly use args[1].
• Email recovery is now allowed before login.
• Recovery codes now use SecureRandom.
• Password recovery no longer sends or stores temporary plain-text passwords.
• Players now set a new password directly using:

/email confirm <code> <new-password> <confirm-password>

or:

/resetpassword own ...

• Pre-login command protection now uses exact command matching.
• Player visibility and effects are now properly cleaned up on quit and plugin disable.
• DataManager.java now properly removes players.<uuid> entries and saves a clean data snapshot.

Removed

• Removed the plain-text temporary password recovery flow.
• Removed MySQL and captcha settings from the default configuration.
• Legacy captcha settings are now automatically disabled if found in old configuration files.

Fixed

• Fixed destructive persistence operations not fully removing player data.
• Fixed stale or unsafe recovery behavior from the old password reset flow.
• Fixed legacy configuration compatibility issues by enforcing valid YAML handling.

🎉 Major Release - Complete Security Update

Release Date: January 2026
Minecraft Version: 1.21+
Java Version: 21

✨ New Commands

🛠️ Admin Commands (/newlogin)

• reload - Reload plugin configuration
• info <player> - Show detailed player information
• list [page] - List all registered players (paginated)
• stats - Show plugin statistics
• forcelogin <player> - Force login a player
• forcelogout <player> - Force logout a player
• setspawn - Set the login spawn location
• help - Display help menu

📧 Email System (/email)

• set <email> - Set your email address
• remove - Remove your email
• show - Display your current email
• recover <email> - Request password recovery
• confirm <code> - Confirm email or recovery code

🔒 New Security Features

• Damage Protection - Players cannot receive damage before login
• Hunger Protection - Hunger bar doesn't decrease before login
• Inventory Protection - Cannot open inventories before login
• Item Pickup Protection - Cannot pick up items before login
• Block Protection - Cannot break/place blocks before login
• Entity Interaction Protection - Cannot interact with entities before login
• Item Swap Protection - Cannot swap hand items before login

🎯 Login Spawn System

• Teleport unlogged players to a specific location
• Automatically restore original location after login
• Configurable via /newlogin setspawn or config.yml

login-spawn:
  enabled: false
  world: "world"
  x: 0.0
  y: 64.0
  z: 0.0
  yaw: 0.0
  pitch: 0.0

👻 Invisibility System

• Players become invisible until they login
• Hidden from other players completely
• Invisibility potion effect applied automatically
• Configurable in config.yml

🏷️ New Aliases

🎨 Tab Completion

• Full tab completion support for all commands
• Smart suggestions for player names
• Permission-aware completions

📊 New Player Data Tracking

• Login Count - Track total logins per player
• Last IP - Store last known IP address
• Registration Date - When player registered
• Last Login - Last successful login timestamp

🔐 New Permissions

newlogin.*                    - Access to all commands
newlogin.admin                - Admin commands access
newlogin.admin.reload         - Reload configuration
newlogin.admin.info           - View player info
newlogin.admin.list           - List registered players
newlogin.admin.stats          - View statistics
newlogin.admin.forcelogin     - Force player login
newlogin.admin.forcelogout    - Force player logout
newlogin.admin.setspawn       - Set login spawn
newlogin.resetpassword        - Reset player passwords
newlogin.unregister           - Unregister players
newlogin.bypass.timeout       - Bypass login timeout
newlogin.bypass.lockout       - Bypass attempt lockout

📝 New Configuration Options

Login Protection

login-protection:
  invisibility: false
  blindness: false
  no-damage: true
  no-hunger: true

Email System (SMTP)

email:
  enabled: false
  smtp:
    host: "smtp.gmail.com"
    port: 587
    username: ""
    password: ""
    tls: true
  from: "noreply@server.com"

Logging

logging:
  successful-logins: true
  failed-logins: true
  password-changes: true
  registrations: true

Allowed Commands Before Login

security:
  allowed-commands:
    - "help"
    - "rules"

💬 New Messages

auto-login-success: "&aSession restored! You were logged in automatically."
not-logged-in: "&cYou are not logged in!"
logout-success: "&aYou have been logged out successfully!"
login-timeout-kick: "&cLogin timeout! Please reconnect and login."
unregister-success: "&aPlayer {player} has been unregistered!"
unregistered-by-admin: "&cYour registration was removed by an administrator."
invalid-email: "&cInvalid email format!"
email-already-used: "&cThis email is already in use!"
email-confirmation-sent: "&aConfirmation email sent to {email}!"
email-set-success: "&aEmail set successfully: {email}"
recovery-email-sent: "&aRecovery email sent to {email}!"
invalid-code: "&cInvalid or expired code!"

🐛 Bug Fixes & Improvements

• Improved password hashing with SHA-256 + salt
• Better session management
• Fixed movement detection (allows camera rotation)
• Improved lockout system with remaining time display
• Better error handling and logging
• Async data saving to prevent lag
• Memory leak fixes in session cleanup

🔒 Security

• SHA-256 Hash with Salt: Implemented secure hashing system with a unique salt per player

• Brute Force Protection: Temporary lockout system after multiple failed attempts

  • Configurable: max attempts and lockout duration
  • Informative messages for blocked players

• Password Validation: Configurable minimum requirements

  • Minimum password length
  • Uppercase letter requirement
  • Number requirement
  • Special character requirement

✨ New Features

• Advanced Session System

  • IP-based auto-login (configurable)
  • Configurable session timeout
  • Last activity tracking
  • Automatic cleanup of expired sessions

• Configuration Manager

  • Complete and organized config.yml file
  • All messages customizable
  • Adjustable security settings
  • Flexible session configurations

• Full Pre-Login Protection

  • Movement blocking
  • Chat blocking
  • Command blocking (except login/register)
  • Interaction blocking with blocks and entities
  • Damage blocking
  • Item drop blocking

🔄 Improvements

• LoginManager

  • Automatic migration of old passwords to the new hashing system
  • Password strength check
  • Improved login attempt system

• PlayerManager

  • Integrated session management
  • Player activity tracking
  • Automatic data cleanup

• DataManager

  • Support for new fields (salt, IP, timestamps)
  • Optimized asynchronous operations
  • Better error handling

• PlayerListener

  • Comprehensive event protection
  • Configurable reminder messages
  • Improved user experience

📝 Updated Commands

• /register: Enhanced password validation with detailed feedback
• /login: Attempt system with temporary lockout
• /changepassword: New password validation
• /resetpassword: Still available for administrators

⚙️ Configuration

• config.yml: New comprehensive configuration file

  • Security section (hashing, attempts, validation)
  • Session section (auto-login, timeout)
  • Protection section (blocked events)
  • Messages section (all customizable)

🐛 Bug Fixes

• Fixed insecure plain text password storage
• Fixed missing protection against command spam
• Fixed players being able to interact before logging in
• Fixed missing session timeout

• /changepassword
• /resetpassword (admin only)
• bug fixes