s8n/auth-limbo
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: s8n:fix/F1-F2-F4-void-death-guard
Branches Tags
s8n:main
s8n:fix/F1-F2-F4-void-death-guard
...
pull from: s8n:main
Branches Tags
s8n:main
s8n:fix/F1-F2-F4-void-death-guard
This repository has been archived on 2026-05-10. You can view files and clone it, but cannot push or open issues or pull requests.

1 commit
fix/F1-F2- ... main

Author SHA1 Message Date
s8n
79fdb092b0 docs: freeze repo + redact leak
Some checks failed
Build / build (push) Has been cancelled
Details 
- Add FROZEN banner to README pointing to s8n/auth-limbo-v2
- Redact <PLAYER> handle and <HOME-IP> from AUDIT and ROADMAP
 2026-05-10 06:17:01 +01:00
3 changed files with 17 additions and 15 deletions
Show stats Expand all files Collapse all files

28
AUDIT-2026-05-07.md
View file

@ -1,4 +1,4 @@
# AUDIT — 2026-05-07 — YOU500 void-death on AuthMe restore # AUDIT — 2026-05-07 — <PLAYER> void-death on AuthMe restore
Reviewer: Claude (auth-limbo audit pass). Reviewer: Claude (auth-limbo audit pass).
Scope: Read-only review of `src/main/java/ru/authlimbo/**` against a real Scope: Read-only review of `src/main/java/ru/authlimbo/**` against a real
@ -10,21 +10,21 @@ Status: **Audit-only — no code changes applied.** Fixes tracked in
## 1. Incident ## 1. Incident
`YOU500` joined the server, was held in `auth_limbo` (correct), authenticated `<PLAYER>` joined the server, was held in `auth_limbo` (correct), authenticated
to AuthMe, and was teleported back to overworld — but Paper rejected the to AuthMe, and was teleported back to overworld — but Paper rejected the
teleport and the player void-died with full inventory loss. teleport and the player void-died with full inventory loss.
### Raw log (paper-server.log, trimmed) ### Raw log (paper-server.log, trimmed)
``` ```
17:13:35 YOU500[/45.157.234.219] logged in with entity id 26548 17:13:35 <PLAYER>[/<HOME-IP>] logged in with entity id 26548
at ([auth_limbo]0.5, 128.0, 0.5) at ([auth_limbo]0.5, 128.0, 0.5)
17:13:38 [AuthMe] YOU500 logged in 17:13:38 [AuthMe] <PLAYER> logged in
17:13:39 [INFO:DEBUG] Restoring fly speed for LimboPlayer YOU500 to 0.1 (RESTORE_NO_ZERO mode) 17:13:39 [INFO:DEBUG] Restoring fly speed for LimboPlayer <PLAYER> to 0.1 (RESTORE_NO_ZERO mode)
17:13:39 [INFO:DEBUG] Teleporting `YOU500` after login, based on the player auth 17:13:39 [INFO:DEBUG] Teleporting `<PLAYER>` after login, based on the player auth
17:13:39 YOU500 left the confines of this world <-- VOID DEATH 17:13:39 <PLAYER> left the confines of this world <-- VOID DEATH
17:13:39 [AuthLimbo] Restoring YOU500 to world(2380.4, 69.9, -11358.4) 17:13:39 [AuthLimbo] Restoring <PLAYER> to world(2380.4, 69.9, -11358.4)
17:13:39 [AuthLimbo] teleportAsync returned false for YOU500 17:13:39 [AuthLimbo] teleportAsync returned false for <PLAYER>
— Paper may have rejected the location. — Paper may have rejected the location.
``` ```
@ -38,7 +38,7 @@ the restore step.
`authme.db` and schedules `addPluginChunkTicket` on `world` chunk `authme.db` and schedules `addPluginChunkTicket` on `world` chunk
`(2380>>4=148, -11359>>4=-710)`. So far so good. `(2380>>4=148, -11359>>4=-710)`. So far so good.
2. AuthMe authenticates and runs **its own** broken teleport 2. AuthMe authenticates and runs **its own** broken teleport
(`Teleporting YOU500 after login`). This is the AuthMe-fork log line, not (`Teleporting <PLAYER> after login`). This is the AuthMe-fork log line, not
ours — AuthMe does a `teleportAsync` of its own with no chunk preload. ours — AuthMe does a `teleportAsync` of its own with no chunk preload.
3. AuthMe's teleport partially moves the entity into `world` at the saved 3. AuthMe's teleport partially moves the entity into `world` at the saved
coords **before the chunk is actually loaded**. The entity is now at coords **before the chunk is actually loaded**. The entity is now at
@ -78,7 +78,7 @@ behaviour on void death. We do not snapshot inventories.
### H1 — AuthMe's own broken teleport voids the player BEFORE our handler fires *(most likely)* ### H1 — AuthMe's own broken teleport voids the player BEFORE our handler fires *(most likely)*
The AuthMe-fork log line `Teleporting YOU500 after login, based on the The AuthMe-fork log line `Teleporting <PLAYER> after login, based on the
player auth` at `17:13:39` is from AuthMe-ReReloaded fork b49 itself player auth` at `17:13:39` is from AuthMe-ReReloaded fork b49 itself
(`PlayerAuth.teleportOnLogin` flow). AuthMe does a teleport with **no chunk (`PlayerAuth.teleportOnLogin` flow). AuthMe does a teleport with **no chunk
preload** to the saved coords. In Paper 1.21.11, calling `teleportAsync` to preload** to the saved coords. In Paper 1.21.11, calling `teleportAsync` to
@ -107,7 +107,7 @@ description of the race.
`onAsyncPreLogin` adds a ticket on the chunk computed from the saved `onAsyncPreLogin` adds a ticket on the chunk computed from the saved
quit-location. But the player's first-time-join behaviour might use a quit-location. But the player's first-time-join behaviour might use a
different teleport target (AuthMe spawn-on-first-login). For an existing different teleport target (AuthMe spawn-on-first-login). For an existing
player like YOU500 this is unlikely — they have a saved row. player like <PLAYER> this is unlikely — they have a saved row.
### H3 — `teleport-delay-ticks: 10` is too long *(secondary)* ### H3 — `teleport-delay-ticks: 10` is too long *(secondary)*
@ -148,7 +148,7 @@ While a player is in the post-LoginEvent restore window, register a
limbo spawn (`limboManager.spawn()`) at y=128. Then re-attempt the limbo spawn (`limboManager.spawn()`) at y=128. Then re-attempt the
authoritative teleport via `doTeleport` with a backoff. authoritative teleport via `doTeleport` with a backoff.
This single guard would have saved YOU500's life and inventory. This single guard would have saved <PLAYER>'s life and inventory.
### F2 — MUST: when `teleportAsync` future returns `false`, recover ### F2 — MUST: when `teleportAsync` future returns `false`, recover
@ -202,7 +202,7 @@ inventory is ever lost on an auth-flow death.
If F1F4 all fail and the player is still in void state after N retries, If F1F4 all fail and the player is still in void state after N retries,
set `GameMode.SPECTATOR`, teleport to overworld spawn (server world's set `GameMode.SPECTATOR`, teleport to overworld spawn (server world's
default spawn), and send admin a Discord/console alert: "AuthLimbo could default spawn), and send admin a Discord/console alert: "AuthLimbo could
not restore YOU500 — manual `/authlimbo tp YOU500` required". The not restore <PLAYER> — manual `/authlimbo tp <PLAYER>` required". The
spectator mode prevents further damage and lets the player observe the spectator mode prevents further damage and lets the player observe the
world while admin acts. world while admin acts.

2
README.md
View file

@ -1,3 +1,5 @@
> ⚠️ **FROZEN** — this repo is no longer maintained. The successor lives at [`s8n/auth-limbo-v2`](https://git.s8n.ru/s8n/auth-limbo-v2). This repo is kept for historical reference (see `AUDIT-2026-05-07.md`). No new commits, no new releases, no new issues.
<div align="center"> <div align="center">
# auth-limbo # auth-limbo

2
ROADMAP.md
View file

@ -16,7 +16,7 @@ Status legend:
### F1 · OPEN · Void-damage guard during post-login restore ### F1 · OPEN · Void-damage guard during post-login restore
Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F1. Triggered by Source: [AUDIT-2026-05-07.md](AUDIT-2026-05-07.md) §4 F1. Triggered by
YOU500 incident on 2026-05-07 — full inventory loss to void on login. <PLAYER> incident on 2026-05-07 — full inventory loss to void on login.
Acceptance: Acceptance:
- New `Set<UUID> pendingTransit` in `LoginListener`. - New `Set<UUID> pendingTransit` in `LoginListener`.