EzAuth

Drop-in authentication for modern Paper and Bukkit servers with polished UX, standalone or integrated TOTP 2FA, and flexible storage.

Overview

EzAuth locks down your server's spawn with email-backed registrations, password logins, and time-limited sessions. Players are guided through the process with configurable messages, multi-language prompts (English, Nederlands, Español out of the box), visual effects, and reminders while administrators retain full control over storage backends, security policy, and optional SMTP settings. Toggle between pure login, opt-in 2FA, or a standalone two-factor flow that layers EzAuth's /2fa experience onto any existing authentication plugin. New: guide administrators through an in-game installation that immediately re-locks every active session when setup finishes, tap into the new session caching layer for instant post-login checks, then hook directly into Laravel, WordPress, or XenForo user tables so your website and server share a single account system.

Key Features

• Player-first onboarding – /register validates emails, enforces configurable password lengths, blocks duplicate emails or accounts, and saves asynchronously so players never stall the main thread.
• Guided ingame installation – /ezauth install walks staff through launch day setup, optionally bypasses the login guard until you're ready, and re-locks every active session the moment installation is marked complete.
• Localized messaging – Ship multiple language packs (English, Nederlands, Español by default), set your default language, and let players opt into their preferred message set on join.
• Hardened logins – /login honours staged cooldowns, respects bypass permissions, caches accounts for quicker checks, and runs password hashing off-thread before celebrating success with optional effects.
• Built-in TOTP two-factor – /2fa walks players through setup, confirmation, verification, status checks, and disabling while the TwoFactorService generates secure secrets and verifies codes. Flip security.yml's authentication-type to two_factor to run EzAuth as a standalone 2FA module alongside plugins like AuthMe or via proxy networks.
• Session control – Movement, chat, and non-whitelisted commands are blocked until authentication completes, with five-second reminders and automatic session timeouts that can re-lock idle players.
• Session caching – Cache active authentications per-server and across proxies to trim database hits and keep trusted players online through quick restarts.
• Book-based prompts – Toggle authentication-input: book to capture passwords and 2FA codes through an interactive written book, with automatic re-prompts if a player closes it early.
• Celebratory polish – Toggle per-event particles and sounds or disable them globally from security.yml.
• Flexible storage – Choose YAML files, EzAuth-managed MySQL tables, or hook directly into Laravel, WordPress, and XenForo schemas via the new integration block while still storing accounts by UUID or username.
• Configurable hashing – Switch between BCrypt (custom rounds), SHA-256 with a pepper, or WordPress PHPass without touching code.
• Email-ready – email.yml exposes SMTP host, port, TLS/SSL, credentials, sender identity, and arbitrary mail properties so you're ready when outbound messaging lands.
• Email verification – Send verification codes to new registrations, block unverified logins, and let players confirm or resend their code with /email commands.
• Sensitive command filtering – Hide authentication attempts from console logs by listing sensitive commands in security.yml so staff chats stay clean while log filters update automatically on reloads.
• Admin oversight – /ezauth players opens a paginated in-game GUI with account email, creation time, and 2FA status so staff can disable two-factor or remove registrations without console commands.

Authentication Types

• Login – The classic EzAuth flow with /register, /login, and optional /2fa for layered security.
• Standalone 2FA – Keep your existing password solution but give players EzAuth's polished authenticator setup, code checks, and admin controls by setting authentication-type: two_factor. Perfect for networks standardising on AuthMe, MultiAuth, or proxy-level SSO that still want in-game TOTP enforcement.
• Optional – Let players secure their account when they're ready while you maintain traditional logins for everyone else.

Commands & Permissions

Command	Usage	Permission	Default
/register	/register <email> <password> <password>	ezauth.register	Everyone
/login	/login <password>	ezauth.login	Everyone
/2fa, /twofactor	/2fa <setup	confirm	verify
/email	/email <verify	resend>	ezauth.email
-	-	ezauth.2fa.admin	OP
/ezauth	/ezauth reload	ezauth.reload	OP
/ezauth install	/ezauth install <status	complete	reset
-	-	ezauth.bypass	OP

Installation

Launch EzAuth for the first time and let the new installation workflow do the heavy lifting:

1. Use /ezauth install status to confirm the guided flow is active and view whether the login guard is temporarily bypassed.
2. Tweak installation options in-game with /ezauth install config to enable reminders, disable bypass mode, or re-open the GUI later.
3. Once your storage, hashing, and security files look right, finish with /ezauth install complete to re-lock every connected player until they authenticate.
4. Need to re-run onboarding for a new season? /ezauth install reset re-opens the flow without touching existing accounts.

Quick Configuration Presets

Choose the baseline that matches your deployment and copy the snippets into your generated configs.

YAML Storage + Password Login

Perfect for single-server setups that don't need a database. Accounts are saved to disk and BCrypt keeps passwords safe.

# database.yml
storage-type: yml
account-identifier: uuid
yaml-file: registrations.yml
integration:
  mode: none

# hashing.yml
algorithm: bcrypt
bcrypt:
  rounds: 10

# security.yml
authentication-type: login
particles-enabled: false
sounds-enabled: false

Managed MySQL + Login

Stores players in EzAuth's MySQL schema while retaining the classic /register + /login experience.

# database.yml
storage-type: mysql
account-identifier: uuid
host: localhost
port: 3306
name: ezauth
username: ezauth
password: changeme
jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC
integration:
  mode: none

# hashing.yml
algorithm: bcrypt
bcrypt:
  rounds: 12

# security.yml
authentication-type: login
session:
  timeout-minutes: 15
particles-enabled: true
sounds-enabled: true

Standalone 2FA Module

Pair EzAuth with another authentication plugin and only use it for /2fa management.

# database.yml
storage-type: mysql
account-identifier: uuid
host: localhost
port: 3306
name: ezauth
username: ezauth
password: changeme
jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC
integration:
  mode: none

# hashing.yml
# Hashing is unused in standalone 2FA mode but keep defaults for compatibility.
algorithm: bcrypt
bcrypt:
  rounds: 10

# security.yml
authentication-type: two_factor
two-factor:
  standalone-mode: true
  enforce-on-join: true
session:
  timeout-minutes: 10

WordPress Integration + Shared Accounts

Connect Minecraft logins to your existing WordPress site and sync optional two-factor status.

# database.yml
storage-type: mysql
account-identifier: username
host: localhost
port: 3306
name: wordpress
username: wp_user
password: supersecret
jdbc-parameters: useSSL=false&characterEncoding=UTF-8
integration:
  mode: wordpress
  wordpress:
    table-prefix: wp_
    users-table: wp_users
    user-meta-table: wp_usermeta
    username-column: user_login
    email-column: user_email
    password-column: user_pass
    uuid-meta-key: minecraft_uuid
    two-factor-secret-meta-key: ezauth_2fa_secret
    two-factor-confirmed-meta-key: ezauth_2fa_confirmed

# hashing.yml
algorithm: wordpress

# security.yml
authentication-type: login
two-factor:
  optional: true
locale:
  default-language: en_US

Default Configuration

database.yml now includes an integration section so you can reuse Laravel, WordPress, or XenForo tables while keeping EzAuth's familiar commands. Update the table and column names to match your deployment or leave the mode on none to keep EzAuth's managed schema.

# EzAuth Storage Configuration
storage-type: yml

account-identifier: uuid

yaml-file: registrations.yml

host: localhost
port: 3306
name: ezauth
username: root
password: password
jdbc-parameters: useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC
pool:
  maximum-pool-size: 10
  minimum-idle: 2
  connection-timeout: 30000
  idle-timeout: 600000
  max-lifetime: 1800000
  data-source-properties:
    cachePrepStmts: "true"
    prepStmtCacheSize: "250"
    prepStmtCacheSqlLimit: "2048"

integration:
  mode: none
  laravel:
    table: users
    uuid-column: uuid
    username-column: name
    email-column: email
    password-column: password
    two-factor-secret-column: two_factor_secret
    two-factor-confirmed-column: two_factor_confirmed
    created-at-column: created_at
    updated-at-column: updated_at
    remember-token-column: remember_token
  wordpress:
    table-prefix: wp_
    users-table: wp_users
    user-meta-table: wp_usermeta
    username-column: user_login
    email-column: user_email
    password-column: user_pass
    created-at-column: user_registered
    uuid-meta-key: minecraft_uuid
    two-factor-secret-meta-key: ezauth_two_factor_secret
    two-factor-confirmed-meta-key: ezauth_two_factor_confirmed
  xenforo:
    table-prefix: xf_
    user-table: xf_user
    user-auth-table: xf_user_authenticate
    user-field-value-table: xf_user_field_value
    user-profile-table: xf_user_profile
    username-column: username
    email-column: email
    created-at-column: register_date
    uuid-field-id: minecraft_uuid
    two-factor-secret-field-id: ezauth_two_factor_secret
    two-factor-confirmed-field-id: ezauth_two_factor_confirmed

WordPress setups need a few extra tweaks before going live:

• Switch hashing.yml's algorithm to WORDPRESS_PHPASS so EzAuth produces hashes compatible with WordPress' PHPass implementation.
• Keep the UUID and two-factor meta keys (minecraft_uuid, ezauth_two_factor_secret, ezauth_two_factor_confirmed by default) or adjust them to match your existing data.
• Update the table prefix or table names if your WordPress instance uses a custom prefix.

XenForo deployments should create three custom text user fields in the XenForo control panel matching the configured uuid-field-id, two-factor-secret-field-id, and two-factor-confirmed-field-id. EzAuth keeps the values in xf_user_field_value, xf_user_profile.custom_fields, and xf_user_authenticate aligned whenever it updates an account.

Laravel schemas should expose UUID and two-factor columns alongside the framework defaults (remember_token, created_at, updated_at). If you use Jetstream or Breeze, add the following migration so EzAuth can reuse your user table without data loss:

// Laravel migration
Schema::table('users', function (Blueprint $table) {
    $table->uuid('uuid')->unique()->after('id');
    $table->text('two_factor_secret')->nullable()->after('password');
    $table->boolean('two_factor_confirmed')->default(false)->after('two_factor_secret');
});

EzAuth keeps the two-factor values intact when it updates an existing Laravel user and will fill in timestamps and the remember token for fresh rows.

Hashing defaults

# hashing.yml
algorithm: BCRYPT
bcrypt:
  rounds: 10
sha256:
  pepper: ""

Security defaults

# security.yml
require-email-validation: true
min-password-length: 8
session-timeout-seconds: 300
login-enabled: true
register-enabled: true
bypass-enabled: true
login:
  cooldown:
    enabled: true
    stages:
      - attempts: 3
        cooldown-seconds: 10
      - attempts: 5
        cooldown-seconds: 60
two-factor:
  enabled: false
  issuer: EzAuth
  required-for-login: false
  secure-account-welcome-message:
    - "%prefix%&aTwo-factor authentication is now enabled for your account, %player%!"
allowed-commands-while-unauthenticated:
  - login
  - register
  - 2fa
  - twofactor
visual-effects:
  enabled: true
  login:
    enabled: true
    particle: VILLAGER_HAPPY
    particle-count: 30
    particle-offset-x: 0.0
    particle-offset-y: 1.0
    particle-offset-z: 0.0
    particle-spread-x: 0.25
    particle-spread-y: 0.35
    particle-spread-z: 0.25
    sound: ENTITY_PLAYER_LEVELUP
    sound-volume: 1.0
    sound-pitch: 1.2
  register:
    enabled: true
    particle: FIREWORKS_SPARK
    particle-count: 50
    particle-offset-x: 0.0
    particle-offset-y: 1.0
    particle-offset-z: 0.0
    particle-spread-x: 0.4
    particle-spread-y: 0.6
    particle-spread-z: 0.4
    sound: UI_TOAST_CHALLENGE_COMPLETE
    sound-volume: 1.0
    sound-pitch: 1.0

Security (2FA-only mode)

# EzAuth Security Configuration (2FA-only mode)
require-email-validation: false
min-password-length: 8
session-timeout-seconds: 0
login-enabled: false
register-enabled: false
bypass-enabled: false
login:
  cooldown:
    enabled: false
    stages: []
two-factor:
  enabled: true
  issuer: EzAuth
  required-for-login: false
  secure-account-welcome-message:
    - "%prefix%&aTwo-factor authentication is now enabled for your account, %player%!"
allowed-commands-while-unauthenticated:
  - 2fa
  - twofactor
visual-effects:
  enabled: false

messages.yml (example)

# messages.yml
default-language: en
languages:
  en:
    name: 'English'
    file: 'messages/en.yml'
    aliases:
      - 'en_us'
      - 'en-gb'
  nl:
    name: 'Nederlands'
    file: 'messages/nl.yml'
    aliases:
      - 'nl_nl'
      - 'nl-be'
  es:
    name: 'Español'
    file: 'messages/es.yml'
    aliases:
      - 'es_es'
      - 'es-mx'

prefix: '&7[&bEzAuth&7] '

register:
  usage: '%prefix%&cUsage: /register <email> <password> <password>'
  success: '%prefix%&aYou are now registered with &f%email%&a. Welcome!'
  already-registered: '%prefix%&cYou are already registered. Use /login <password> to authenticate.'
  email-in-use: '%prefix%&cThat email address is already associated with another account.'
  invalid-email: '%prefix%&cPlease enter a valid email address.'
  password-mismatch: '%prefix%&cYour passwords do not match.'
  password-too-short: '%prefix%&cPasswords must be at least &f%length%&c characters long.'
  prompt: '%prefix%&eCreate an account with &f/register <email> <password> <password>'
  disabled: '%prefix%&cRegistration is currently disabled. Please contact an administrator to create an account.'

login:
  usage: '%prefix%&cUsage: /login <password>'
  success: '%prefix%&aYou are now logged in.'
  success-with-email: '%prefix%&aYou are now logged in with &f%email%&a.'
  not-registered: '%prefix%&cNo account found. Use /register <email> <password> <password>.'
  invalid-password: '%prefix%&cIncorrect password. Please try again.'
  already-logged-in: '%prefix%&cYou are already logged in.'
  cooldown-active: '%prefix%&cToo many failed attempts. Please wait &f%seconds%&c seconds before trying again.'
  prompt: '%prefix%&eWelcome back! Log in with &f/login <password>'
  bypass: '%prefix%&aBypass enabled: you are already authenticated.'
  disabled: '%prefix%&ePassword login is currently disabled on this server.'

general:
  no-permission: '%prefix%&cYou do not have permission to use this command.'
  players-only: '%prefix%&cOnly players can run this command.'
  error: '%prefix%&cAn internal error occurred. Please contact an administrator.'
  not-authenticated: '%prefix%&cPlease authenticate using %methods%.'
  already-authenticated: '%prefix%&cYou are already authenticated.'

admin:
  reload:
    usage: '%prefix%&eUsage: /ezauth reload'
    success: '%prefix%&aEzAuth configuration reloaded successfully.'
    failed: '%prefix%&cFailed to reload EzAuth configuration. Check console for details.'

twofactor:
  disabled: '%prefix%&cTwo-factor authentication is not enabled on this server.'
  usage: '%prefix%&eUsage: /2fa <setup|confirm|verify|disable|status>'
  confirm-usage: '%prefix%&cUsage: /2fa confirm <code>'
  verify-usage: '%prefix%&cUsage: /2fa verify <code>'
  disable-usage: '%prefix%&cUsage: /2fa disable <code|player>'
  setup: '%prefix%&aAdd this account to your authenticator app using the secret or setup URL below.'
  secret-line: '%prefix%&7Secret: &b&n%secret% &8(Click to copy)'
  secret-hover: '&bClick to copy your 2FA secret to the clipboard.'
  uri-line: '%prefix%&7Setup URL: &f%uri%'
  already-enabled: '%prefix%&cTwo-factor authentication is already enabled.'
  setup-required: '%prefix%&cYou must set up two-factor authentication with &f/2fa setup&c before continuing.'
  setup-optional: '%prefix%&eSecure your account any time with &f/2fa setup&e when you are ready.'
  login-required: '%prefix%&cEnter a valid 2FA code using &f/2fa verify <code>&c to finish signing in.'
  auth-required: '%prefix%&cPlease log in with &f/login&c before using /2fa commands.'
  invalid-code: '%prefix%&cThat 2FA code is invalid or expired. Please try again.'
  enabled: '%prefix%&aTwo-factor authentication has been enabled successfully.'
  verified: '%prefix%&aTwo-factor authentication complete. You are now signed in.'
  disabled-success: '%prefix%&aTwo-factor authentication has been disabled for your account.'
  admin-disabled-success: '%prefix%&aTwo-factor authentication has been disabled for &f%target%&a.'
  admin-disabled-notify: '%prefix%&cYour two-factor authentication has been disabled by &f%admin%&c.'
  admin-self-target: '%prefix%&cTo disable your own two-factor authentication, run &f/2fa disable <code>&c.'
  admin-target-not-found: '%prefix%&cNo EzAuth account found for &f%target%&c.'
  admin-target-not-enabled: '%prefix%&cTwo-factor authentication is not enabled for &f%target%&c.'
  not-setup: '%prefix%&cYou have not generated a two-factor secret yet. Use /2fa setup first.'
  not-confirmed: '%prefix%&cYou must confirm your two-factor secret with /2fa confirm <code> before using it.'
  not-enabled: '%prefix%&cTwo-factor authentication is not currently enabled for your account.'
  no-account: '%prefix%&cNo EzAuth account found for your player. Please register first.'
  status-enabled: '%prefix%&aTwo-factor authentication is enabled on your account.'
  status-pending: '%prefix%&eTwo-factor authentication setup is pending confirmation.'
  status-disabled: '%prefix%&eTwo-factor authentication is currently disabled for your account.'

Proxy-aware Session Storage

Need to keep players authenticated across a network of servers? Flip proxy.enabled: true inside security.yml and EzAuth will automatically switch to a shared SQL-backed session store. The plugin creates the required ezauth_sessions table, replicates login state between instances, and honours proxy.session-ttl-seconds so you can control how long a network-wide login remains valid before players must authenticate again. Set it to 0 to rely entirely on the per-server timeout defined by session-timeout-seconds.

This proxy support is still experimental, so test thoroughly before rolling it out across production networks.

Heads up: distributed sessions require the MySQL backend defined in database.yml. EzAuth will refuse to boot the proxy cache if you're running purely on YAML storage.

Preparing Email Notifications

EzAuth now ships with an optional email.yml that lets you preload SMTP details ahead of outbound messaging support. Leave the section disabled to skip configuration entirely, or enable it and provide your host, port, transport (TLS/SSL), credentials, and sender identity so EzAuth is ready the moment email verification or alerts go live.

smtp:
  enabled: false
  host: smtp.example.com
  port: 587
  username: no-reply@example.com
  password: "changeme"
  use-starttls: true
  from-name: "EzAuth"
  from-address: no-reply@example.com

• Keep enabled set to false until you're ready to wire in valid credentials.
• Toggle use-starttls or swap to implicit SSL by setting port to 465 if your provider requires it.
• Pair email notifications with the verification commands under /email to block unverified accounts before they log in.

Connecting EzAuth to Your Website Login

Whether you're running Laravel, WordPress, or XenForo, EzAuth can authenticate players against the same credentials your website already uses. Follow the steps below for your platform after setting storage-type: mysql.

Laravel Integration

1. Open plugins/EzAuth/database.yml and set integration.mode to laravel.
2. Point the MySQL connection settings at the database your Laravel site uses (usually the values from .env).
3. Ensure the column names in the integration.laravel block match your users table. If you use UUIDs, keep uuid-column; otherwise set account-identifier to username.
4. If you rely on Laravel's remember tokens or two-factor columns, keep them mapped—EzAuth reads and updates them automatically when players log in or toggle /2fa.
5. Reload EzAuth or restart the server. New registrations will write back through Laravel's hashing (BCrypt) so the same password works on both the site and Minecraft server.

WordPress Integration

1. Set storage-type to mysql and integration.mode to wordpress.
2. Use the database credentials from wp-config.php so EzAuth connects to the same MySQL instance as WordPress.
3. Adjust integration.wordpress.table-prefix if your installation uses a custom prefix, then confirm the users and usermeta table names.
4. Map EzAuth's UUID and 2FA fields to meta keys that exist (or let EzAuth create them). Passwords are checked using WordPress' PHPass algorithm when you enable hashing.algorithm: wordpress in hashing.yml.
5. Reload EzAuth. Players can now /login with their WordPress credentials, and optional /2fa status will sync to the user meta rows.

XenForo Integration

1. Switch integration.mode to xenforo and supply the same MySQL details XenForo uses.
2. Confirm the table prefix and column names in the integration.xenforo block. EzAuth will read usernames from xf_user and hashed passwords from xf_user_authenticate.
3. If you store Minecraft UUIDs or 2FA secrets in custom profile fields, update the uuid-field-id and two-factor-* identifiers so EzAuth syncs the correct values.
4. Make sure hashing.yml is set to algorithm: xenforo so EzAuth verifies XenForo's bcrypt variants correctly.
5. Reload EzAuth or restart to apply changes. Server logins will now validate against XenForo accounts, keeping forum and in-game credentials unified.

Getting Started

1. Drop the jar into your /plugins folder and start the server once to generate configs.
2. Edit database.yml, hashing.yml, and security.yml to match your storage, hashing, and policy.
3. Configure email.yml if you plan to send email-based notifications later.
4. Tune messages.yml to fit your community tone, then run /ezauth reload in-game.
5. Invite players to /register, /login, and optionally /2fa setup for full protection.

Need Help?

EzAuth is in active development, so your feedback directly shapes the roadmap. You can join our Discord server for real-time support, feature requests and updates.