11:54 <+bridge> [ddnet] @ChillerDragon the invalid signature means that it isn't a valid map file 11:54 <+bridge> [ddnet] it might got corrupted by something or it's a different file format 11:54 <+bridge> [ddnet] you could try the `file` tool to tell you what kind of file you're looking at 16:26 <+bridge> [ddnet] <3da> hi guys. 16:26 <+bridge> [ddnet] <3da> Why don't you plan to make authentication? 16:29 <+bridge> [ddnet] not again 16:48 <+bridge> [ddnet] @3da are you really 3da? 16:49 <+bridge> [ddnet] https://discordapp.com/channels/252358080522747904/255191476315750401/681518446449524788 16:51 <+bridge> [ddnet] <3da> > @3da are you really 3da? 16:51 <+bridge> [ddnet] <3da> @Learath2 may be 16:51 <+bridge> [ddnet] <3da> depends on what you mean 16:54 <+bridge> [ddnet] <3da> Centralized account system for teeworlds could help to make many cool mods 16:54 <+bridge> [ddnet] <3da> So I don't know why it doesn't exist yet 16:54 <+bridge> [ddnet] I mean as in the 3da that contributed to DDRace 16:54 <+bridge> [ddnet] back when btk and greyfox was still around 16:55 <+bridge> [ddnet] <3da> yes, I was the first man who made mod called DDRace 16:55 <+bridge> [ddnet] <3da> in 2010-2011 years I send my source codes to another developer 16:55 <+bridge> [ddnet] do you have the "first" ddrace map saved somewhere 16:55 <+bridge> [ddnet] Welcome back 😛 16:55 <+bridge> [ddnet] <3da> I was young and stupid when I made first ddrace 16:55 <+bridge> [ddnet] <3da> my code was bad 16:55 <+bridge> [ddnet] I did work on a couple prototypes for an account system, never really made one that I was content with 16:56 <+bridge> [ddnet] <3da> but i had a lot of enthusiasm 16:56 <+bridge> [ddnet] I had one with asymmetric cryptography that I actually liked a lot, but making it user friendly enough was too much of a hassle 16:57 <+bridge> [ddnet] <3da> This morning I wanted to make another mod but I expected that DDNet already has accounts which I could use 16:57 <+bridge> [ddnet] <3da> But it is sad to know that there is no accounts 16:58 <+bridge> [ddnet] i dont think its sad 16:58 <+bridge> [ddnet] and making a account system is nothing difficult 16:58 <+bridge> [ddnet] so u can just do it in ur mod 16:59 <+bridge> [ddnet] doesnt KoG have a account system? 16:59 <+bridge> [ddnet] <3da> It would be cool to have single account system across the servers 16:59 <+bridge> [ddnet] every tw server? 17:00 <+bridge> [ddnet] Yeah, an account system is trivial, I also wanted one that we could use across all mods 17:01 <+bridge> [ddnet] I have one working with certificates to avoid centralisation but users would need to note down a mnemonic, not sure if that's the best ux 17:01 <+bridge> [ddnet] <3da> I think it should work so: 17:01 <+bridge> [ddnet] <3da> Player authenticates in his client. Then client send some data to every server. 17:01 <+bridge> [ddnet] <3da> And each server can check if the player is real. But simple servers may accept any usernames. 17:01 <+bridge> [ddnet] that would be insecure 17:01 <+bridge> [ddnet] you could host a server to grab accounts? 17:02 <+bridge> [ddnet] <3da> server don't receive passwords 17:02 <+bridge> [ddnet] Currently, the server sends a challenge, the user signs it with his private key, the server verifies the signature however it likes 17:02 <+bridge> [ddnet] I was thinking ddnet could host a verification server other mods are free to either use our verification or implement their own account pool 17:03 <+bridge> [ddnet] <3da> sounds good 17:03 <+bridge> [ddnet] No passwords no usernames, but the user would be responsible for not losing their private keys and if they do there is no good way to recover it 17:04 <+bridge> [ddnet] <3da> why not to use password as private key? 17:04 <+bridge> [ddnet] too short to be secure 17:04 <+bridge> [ddnet] a known plaintext attack would be feasible 17:06 <+bridge> [ddnet] <3da> May be it is possible to bind teeworlds accounts to some social network? 17:07 <+bridge> [ddnet] ugh 17:07 <+bridge> [ddnet] That would be a little too centralised for a lot of the developers taste 17:07 <+bridge> [ddnet] but combining what I have with oauth it is quite feasible to link a social account 17:07 <+bridge> [ddnet] wouldn't help recover the private key though 17:08 <+bridge> [ddnet] maybe ddnet could store peoples private keys in encrypted form, with their password for a recovery measure 17:08 <+bridge> [ddnet] Given it's open source that does sound feasible 17:12 <+bridge> [ddnet] Anyway, the current issue isn't that there is no good way, it's that I don't really have the time to code much anymore 17:12 <+bridge> [ddnet] <3da> I am interested in authentication for teeworlds 17:12 <+bridge> [ddnet] <3da> probably i can make some code 17:13 <+bridge> [ddnet] <3da> Currently I am good in .net core and JS 17:13 <+bridge> [ddnet] When I get back to italy I can share the code I have with you 17:13 <+bridge> [ddnet] <3da> You are Italian? 17:14 <+bridge> [ddnet] I just live in italy for now 17:14 <+bridge> [ddnet] <3da> cool 17:21 <+bridge> [ddnet] <3da> I think I can make whole certification center for ddnet except the integration with teeworlds (C++ part) 17:46 <+bridge> [ddnet] Well we need to design a protocol where servers can safely authenticate 17:51 <+bridge> [ddnet] <3da> https://cdn.discordapp.com/attachments/293493549758939136/681543795200098344/unknown.png 17:51 <+bridge> [ddnet] <3da> What do you think about this simple diagram? 17:54 <+bridge> [ddnet] <3da> token should be once-off 18:01 <+bridge> [ddnet] <3da> the protocol to connect Auth server can be HTTPS 18:58 <+bridge> [ddnet] Make all those tokens one use and it should be safe enough 18:58 <+bridge> [ddnet] but I don't quite like the username+password setup 19:03 <+bridge> [ddnet] <3da> But the users like it 19:04 <+bridge> [ddnet] ^ 19:04 <+bridge> [ddnet] <3da> We want to make games for gamers but not for developers, right? 19:06 <+bridge> [ddnet] I already like the fact that you're back, @3da xd 19:07 <+bridge> [ddnet] <3da> Thanks guys. I don't know who you are but it is fine that we want to make cool teeworlds mods 19:07 <+bridge> [ddnet] (tbh I just hope for more & better changes to DDNet / TW community in general) 19:07 <+bridge> [ddnet] With certificates you don't need to remember any password, authentication just works 19:08 <+bridge> [ddnet] <3da> the user can remember his password in client 19:08 <+bridge> [ddnet] but what then it a person reinstalls client or even stitches to other OS? Won't that mean their acc is lost? 19:09 <+bridge> [ddnet] Then we are storing plaintext credentials on the users computer 19:09 <+bridge> [ddnet] <3da> This is common case in real world 😄 19:09 <+bridge> [ddnet] Just because something is not easy to figure out, doesn't mean we should just skimp out on quality 19:10 <+bridge> [ddnet] Anyway if you want to implement it like this, feel free to go ahead, it should take like 3-4 days at a decent pace, it should be secure enough 19:10 <+bridge> [ddnet] <3da> I agreed that this is not 100% safe but it is better than account system which not exist at all 19:11 <+bridge> [ddnet] Btw, how does KoG's acc system work then? 19:11 <+bridge> [ddnet] you have to login only once 19:11 <+bridge> [ddnet] <3da> what is KoG? 19:11 <+bridge> [ddnet] and the server seems to remember the user by... no idea what 19:12 <+bridge> [ddnet] and registration goes thru their website 19:12 <+bridge> [ddnet] It's probably security by obsecurity, relying solely on the fact that KoG is closed source 19:12 <+bridge> [ddnet] well, some parts of ddnet could also be tho 19:12 <+bridge> [ddnet] like the part of authentication server 19:13 <+bridge> [ddnet] <3da> hmm 19:13 <+bridge> [ddnet] I'd guess it remembers some combination properties about the client at the point of login 19:13 <+bridge> [ddnet] <3da> why should we make auth server closed source? 19:13 <+bridge> [ddnet] Having literally everything accessible by everyone isn't always good idea 19:13 <+bridge> [ddnet] Security through obsecurity is just an illusion, if it isn't secure when open source it isn't secure 19:14 <+bridge> [ddnet] <3da> Guys let me tell you a story 19:14 <+bridge> [ddnet] and there are a lot of ways to implement secure authentication with username and password 19:14 <+bridge> [ddnet] just pick any and use it 19:14 <+bridge> [ddnet] 19:14 <+bridge> [ddnet] <3da> First time DDRace was closed source 19:14 <+bridge> [ddnet] @Learath2 do u like jwt? 19:15 <+bridge> [ddnet] <3da> And I made special built-in admin password in compiled EXE 19:15 <+bridge> [ddnet] <3da> but this password was written as plain text in constant 19:15 <+bridge> [ddnet] <3da> and some users watched this password 19:15 <+bridge> [ddnet] <3da> I was so stupid 19:15 <+bridge> [ddnet] @Ryozuki not for what everyone uses it for but it does have good uses, as long as you acknowledge it's shortcomings 19:16 <+bridge> [ddnet] @3da there were a couple mods that took your example, like that city mod released on the forum 19:16 <+bridge> [ddnet] I think @heinrich5991 extracted the backdoor rcon password from that one 19:16 <+bridge> [ddnet] xd 19:16 <+bridge> [ddnet] <3da> I could make special admin password mode secured and obfuscated 19:16 <+bridge> [ddnet] <3da> 😦 19:17 <+bridge> [ddnet] As long as the executable is doing the authentication it's not very hard to extract the backdoor pw 19:18 <+bridge> [ddnet] Reverse engineering is quite fun 19:18 <+bridge> [ddnet] <3da> are you good in it? 19:18 <+bridge> [ddnet] I'm still learning a lot 19:18 <+bridge> [ddnet] <3da> hackers everywhere..... 19:20 <+bridge> [ddnet] I wish someday I'd see +DDrace or at least some of only-for-fun things accessible in DDNet... We actually have `freezehammer` out of like nowhere, so why not rainbows or that other thing which spawned kill particles all the time... I miss those times so much 😔 19:20 <+bridge> [ddnet] Anyway, if you are okay with a centralised architecture, usernames and passwords and the fact that players can't reliably verify other players identity then there are dozens of authentication protocols out there you can use 19:22 <+bridge> [ddnet] The protocol you gave is vulnerable to man in the middle attacks, you need to add some identifying information about the server you are authenticating against while getting a token and the authentication server needs to make sure that the token is only used by the server you want to authenticate against 19:23 <+bridge> [ddnet] <3da> This is not final scheme but the main things are ok 19:23 <+bridge> [ddnet] <3da> 😄 19:24 <+bridge> [ddnet] <3da> > I wish someday I'd see +DDrace or at least some of only-for-fun things accessible in DDNet... We actually have `freezehammer` out of like nowhere, so why not rainbows or that other thing which spawned kill particles all the time... I miss those times so much 😔 19:24 <+bridge> [ddnet] <3da> @Soreu I agreed that mods should be more funny 19:24 <+bridge> [ddnet] Even if not the official ones, then maybe private ones that use the same mod 19:24 <+bridge> [ddnet] <3da> I don't like hard maps 19:25 <+bridge> [ddnet] I started hosting +DDRace with the "helper for everyone" just for pure fun in like 3rd day of playing in teeworlds <3 19:26 <+bridge> [ddnet] crazy times those were :p 19:26 <+bridge> [ddnet] <3da> My first days in teeworlds was awesome 19:26 <+bridge> [ddnet] <3da> My first days in teeworlds were awesome 19:27 <+bridge> [ddnet] btw, I will later have question about the mentioned `freezehammer`, but for now I'd rather further enjoy your discussion about hopefully finally having acc system 19:27 <+bridge> [ddnet] <3da> When normal kids were playing on the street with other kids. I was playing with other tees as normal tee. 19:28 <+bridge> [ddnet] :D 19:33 <+bridge> [ddnet] There is DDNet++ 19:34 <+bridge> [ddnet] <3da> The most important thing in teeworlds for me is that you can start server with your mod and the players will join your server and discover the world which you prepared for them. The other game which gave the same is Warcraft 3 where you could easily make custom maps and invite random people to play with you 19:36 <+bridge> [ddnet] And also in the meanwhile to those working on DDNet 0.7: Would there be a possibility to rearrange entities, or actually change the way they are displayed altogether? Because together with @Ravie we have few ideas to make player's (and ppl making those graphics) life easier if possible ^^ 19:40 <+bridge> [ddnet] Hi @3da . The usual argument against accounts is that we already have lots of ranks and can't verify who they belong to 19:41 <+bridge> [ddnet] <3da> yeah. this is problem 19:41 <+bridge> [ddnet] <3da> someone another can register my username 19:42 <+bridge> [ddnet] there are even some names that multiple people use at once 19:44 <+bridge> [ddnet] <3da> Is it hard to make communication by https with Auth server in teeworlds client and server? 19:50 <+bridge> [ddnet] i think 19:51 <+bridge> [ddnet] ppl should be able to have one registered account 19:51 <+bridge> [ddnet] but names not registered can be used by all 19:51 <+bridge> [ddnet] ppl should be able to have one registered name 19:51 <+bridge> [ddnet] and name changes in place for transfer points 19:51 <+bridge> [ddnet] u change what name ur points are registered to 19:52 <+bridge> [ddnet] or, you are registered to an ID, not an actual name 19:52 <+bridge> [ddnet] so you have fluidity in choosing what name 19:52 <+bridge> [ddnet] but then /points would be very complicated 19:54 <+bridge> [ddnet] maybe /points would display smth like: 19:54 <+bridge> [ddnet] 19:54 <+bridge> [ddnet] ID:1303 (playing as "John Wick" - 1309 points 19:54 <+bridge> [ddnet] and if he changes name 19:54 <+bridge> [ddnet] ID:1303 (playing as "noob" - 1309 points 19:57 <+bridge> [ddnet] maybe /points would display smth like: 19:57 <+bridge> [ddnet] 19:57 <+bridge> [ddnet] ID:1303 (playing as "John Wick") - 1309 points 19:57 <+bridge> [ddnet] ID:1303 (playing as "noob") - 1309 points 19:58 <+bridge> [ddnet] more clean: 19:58 <+bridge> [ddnet] 19:58 <+bridge> [ddnet] John Wick (ID:1303) - 1309 points 19:58 <+bridge> [ddnet] would solve the problem 19:58 <+bridge> [ddnet] and each player has a 4 digit id and password or smth 19:58 <+bridge> [ddnet] so like /register 1058 password12345 19:59 <+bridge> [ddnet] and /login 1058 password12345 19:59 <+bridge> [ddnet] <3da> Probably when accounts will be appeared all previous records will be marked as "unverified"? 20:00 <+bridge> [ddnet] 🤮 20:00 <+bridge> [ddnet] mm thats true 20:00 <+bridge> [ddnet] <3da> because they are really unverified 20:01 <+bridge> [ddnet] <3da> any person can beat any record with any username 20:01 <+bridge> [ddnet] maybe its ID dependent? 20:01 <+bridge> [ddnet] no 20:01 <+bridge> [ddnet] this is a complicated problem 20:02 <+bridge> [ddnet] maybe you can have a username but its not your ingame name 20:02 <+bridge> [ddnet] but then that just removes the need for ID 20:02 <+bridge> [ddnet] <3da> Why username cannot be ingame name? 20:03 <+bridge> [ddnet] In KoG many players switch & login with their registered actual name right before finish (just pointing it out) 20:04 <+bridge> [ddnet] oh yeah that would work 20:04 <+bridge> [ddnet] nvm 20:05 <+bridge> [ddnet] so what happens if u finish on an already registered name 20:05 <+bridge> [ddnet] the ranks with unregistered accounts could go on i.e. the nameless tee 20:06 <+bridge> [ddnet] <3da> It must be possible to save old records but they will be inverified 20:06 <+bridge> [ddnet] i mean its a small community 20:06 <+bridge> [ddnet] <3da> It must be possible to save old records but they will be unverified 20:06 <+bridge> [ddnet] i think it is viable to verify everyone individually 20:06 <+bridge> [ddnet] <3da> But using registered usernames will provide some features 20:07 <+bridge> [ddnet] you have to be logged in to have your clan tag (otherwise `[!FAKE!]` is displayed) and to use commands for registered players, like /power 20:07 <+bridge> [ddnet] ye clans will actually be legit 20:07 <+bridge> [ddnet] i wish we have an actual clan system 20:07 <+bridge> [ddnet] what is /power? 20:09 <+bridge> [ddnet] you get seasonal points for finishing maps (won't explain that in details as I don't know them) and then by using /power your can "spend" those on "funny" stuff like stars appearing all around you on spawn and starts going after you when you move (kinda like tail of stars or however to name it) 20:10 <+bridge> [ddnet] that would be dope 20:10 <+bridge> [ddnet] rocket trails, laser graphics for pistol 20:11 <+bridge> [ddnet] account system also allows ddnet to make money :p 20:11 <+bridge> [ddnet] <3da> We even can make something like store 20:11 <+bridge> [ddnet] <3da> to spend points 20:12 <+bridge> [ddnet] 3da did you work together with greyfox? 20:12 <+bridge> [ddnet] bcs i thought he is the guy who made ddrace 20:12 <+bridge> [ddnet] <3da> I was talking with him in jabber 20:12 <+bridge> [ddnet] <3da> and made some commits in github 20:12 <+bridge> [ddnet] <3da> but my code was bad 20:12 <+bridge> [ddnet] <3da> and I left it 20:13 <+bridge> [ddnet] are you resposible for stoppers? 😄 20:13 <+bridge> [ddnet] <3da> what is it? 20:13 <+bridge> [ddnet] a tile 20:13 <+bridge> [ddnet] <3da> I don't know. In my head all tiles have russian names 20:13 <+bridge> [ddnet] whoever made speedups has small brain 20:15 <+bridge> [ddnet] <3da> But I diffidently invented rounding lasers which freezes 20:15 <+bridge> [ddnet] <3da> 😄 20:15 <+bridge> [ddnet] oh the spinners 20:16 <+bridge> [ddnet] 3da can you remember what was the first ddrace map? 20:17 <+bridge> [ddnet] <3da> I remember that first maps was very stupid and boring 20:17 <+bridge> [ddnet] <3da> until some man made fine map 20:17 <+bridge> [ddnet] eXo_freeze can give you an impression what early maps looked like 20:18 <+bridge> [ddnet] <3da> First maps was stupid because nobody knew how to use all these tiles 20:18 <+bridge> [ddnet] hi @3da btw 🙂 20:18 <+bridge> [ddnet] <3da> even me 20:18 <+bridge> [ddnet] <3da> hi 20:18 <+bridge> [ddnet] <3da> > hi @3da btw 🙂 20:18 <+bridge> [ddnet] <3da> @heinrich5991 🙂 20:18 <+bridge> [ddnet] yes exo freeze looks weird 20:19 <+bridge> [ddnet] <3da> DDRace is based on [N]Race by Nox Nebula 20:19 <+bridge> [ddnet] <3da> where is he now? 20:22 <+bridge> [ddnet] that was a long time ago 20:24 <+bridge> [ddnet] I don't know 20:24 <+bridge> [ddnet] I saw him from time to time on IRC, but I think he's no longer there 20:25 <+bridge> [ddnet] <3da> Hope everything is ok with him 😄 21:00 <+bridge> [ddnet] @3da not so hard, we do that for ddnet updates and server browser list 21:16 <+bridge> [ddnet] <3da> @deen cool 21:16 <+bridge> [ddnet] <3da> Here is my test scenario for auth server. Looks ok? https://www.paste.org/103193 22:56 <+bridge> [ddnet] It's still vulnerable to mitm 22:59 <+bridge> [ddnet] Alice joins fake server hosted by Eve, Alice starts authenticating, Eve asks the actual server for a serverToken passes it along to Alice, Alice authenticates to the authServer, Alice sends authResult to Eve's server, Eve just uses it to login on the actual server 23:05 <+bridge> [ddnet] It's not exactly trivial to design an authentication service where service providers can not be trusted. You can take a look at something like kerberos to get inspiration 23:06 <+bridge> [ddnet] Or OAuth if you are interested how social media giants are allowing people to use them for login 23:10 <+bridge> [ddnet] (Kerberos kinda fails for our use case imho, it requires us to keep plaintext passwords, which is a no no) 23:18 <+bridge> [ddnet] If you keep it to just one mod (where we can trust the servers themselves) I wouldn't bother with a separate authentication server, just let the servers authenticate the users themselves 23:39 <+bridge> [ddnet] <3da> agreed. My bad 23:44 <+bridge> [ddnet] we could also say that it's the users responsibility to watch out for fake servers 23:45 <+bridge> [ddnet] <3da> I think I need add DiffieHellman here? To protect from mitm?