This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

MineBox-Inter Server Item Storage

Started by amtra5, 18 March 2013 - 08:08 PM
amtra5 #1
Posted 18 March 2013 - 09:08 PM
Hi everyone!

Recently, I have come up with a way to transfer items between servers using CC. Currently, it is just a concept that I hope will become a reality with the help of everyone on the forums.

With the system that I am imagining, there will be three parts to it:
1. The client that is the user interface for the whole system.
2. The local authentication server, that will process deposit and withdrawals.
3. The web server that will store the data such as your username, password and what you own.

You can deposit by putting items into an enderchest at a client terminal. The local server will take the item out of the enderchest, check its item ID with an interactive sorter, add it to the online database, then incinerate the item.

When you withdraw an item, your request would go to the local server, where it would check your resources. If you had enough, it would take away that amount from the database and use a command block to "give" it to you.

I hope you all agree that this is a very cool concept.

What it will look like:
Client:
[attachment=1086:2013-03-20_18.32.34.png]
Local Server/Authentication Server:
[attachment=1089:2013-03-20_19.53.13.png]

Builds:
Client:
None yet, coming soon!
Local Server/Authentication Server:
Proof of concept 1:
http://www.pastebin.com/TVKztccw

Ideas:
All ideas for the program will be added here

Credits:

Side notes:
1. The system has to be set up by an op on the server, as it uses command blocks.
2. I plan on adding a system for ops on that server to be able to check its users' online inventories, to prevent importing stacks of diamond from a creative world.
oeed #2
Posted 18 March 2013 - 10:07 PM
When I first saw this I thought it was yet another cloud based file thingy. But this is actually a really good idea. The hard part is trying to convince server admins to use it.
GravityScore #3
Posted 19 March 2013 - 12:35 AM
I think this is a really cool concept, and could be very useful for players who come to a new server and don't want to start with absolutely nothing, but continue where they left off from another server.

One thing I think you need to look at is that there is currently nothing stopping a player setting up the command block system in a creative, single player world and just uploading a tonne of items to use on a server. Considering servers are quite large, you could perhaps implement an authentication system that requires the server to have their own personal serial number for the system, which could be tied to a particular IP address, and every server that wants to use the system can request a serial number from you. You could only then use the software if the request with a serial number is coming from that IP.
superaxander #4
Posted 19 March 2013 - 12:53 AM
That's one awesome idea
oeed #5
Posted 19 March 2013 - 10:14 AM
I think this is a really cool concept, and could be very useful for players who come to a new server and don't want to start with absolutely nothing, but continue where they left off from another server.

One thing I think you need to look at is that there is currently nothing stopping a player setting up the command block system in a creative, single player world and just uploading a tonne of items to use on a server. Considering servers are quite large, you could perhaps implement an authentication system that requires the server to have their own personal serial number for the system, which could be tied to a particular IP address, and every server that wants to use the system can request a serial number from you. You could only then use the software if the request with a serial number is coming from that IP.

Yea, I think this is really clever. You could do something similar to an API key. I might give it a shot.
amtra5 #6
Posted 20 March 2013 - 12:41 AM
An idea is an idea…

I would really like this to be a community project where we all contribute to help make the (future) code better and better.
superaxander #7
Posted 20 March 2013 - 01:05 AM
How would we protect it when someone is op on one server and not on the other? He/she could get his/her cheated-in items on the server where he/she isn't op.
amtra5 #8
Posted 20 March 2013 - 01:16 AM
We could add a blacklist to the system eventually so that you have to register before you can take stuff out.
Mailmanq! #9
Posted 20 March 2013 - 02:02 AM
I am going to add a blacklist to the system eventually so that you have to register before you can take stuff out.

Blacklist? Blacklist is like everyone but the blacklist.

How can you verify somebody actually sending a false command and the program sending a real command. If I looked at the code, then found the URL and post data I could give false items.
theoriginalbit #10
Posted 20 March 2013 - 02:18 AM
How can you verify somebody actually sending a false command and the program sending a real command. If I looked at the code, then found the URL and post data I could give false items.
I can think of one way to actually tell if the request is coming from ComputerCraft. It's still hackable/spoofable, but it adds an extra layer that not everyone can do.
PixelToast #11
Posted 20 March 2013 - 03:44 AM
I am going to add a blacklist to the system eventually so that you have to register before you can take stuff out.

Blacklist? Blacklist is like everyone but the blacklist.

How can you verify somebody actually sending a false command and the program sending a real command. If I looked at the code, then found the URL and post data I could give false items.
a password
you can also modify the http api to prevent anyone from accessing it
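One way the web server could tell a request from a registered game server apart from a hand-crafted POST, combining the per-server key suggested earlier in the thread with a timestamp and nonce against replays. This is an added example, not code from the thread or the pastebin build; the key table, field names and 300-second window are assumptions, and the ComputerCraft side would need its own HMAC-SHA256 implementation.

```php
<?php
// Added example, not code from the thread. Key table, field names and the
// freshness window are assumptions chosen for illustration.
const MAX_SKEW_SECONDS = 300;
$serverKeys = ['srv-001' => 'constructed-demo-secret-do-not-reuse']; // constructed

/** Canonical string that both sides sign. */
function canonical(array $req): string {
    return implode("\n", [$req['server_id'], $req['timestamp'], $req['nonce'], $req['body']]);
}

/** What the local (in-game) server would compute before POSTing. */
function sign(array $req, string $key): string {
    return hash_hmac('sha256', canonical($req), $key);
}

/** Returns 'ok' or the reason for rejection. */
function verify(array $req, array $keys, array &$seenNonces, int $now): string {
    $key = $keys[$req['server_id']] ?? null;
    if ($key === null) return 'unknown server';
    if (abs($now - (int)$req['timestamp']) > MAX_SKEW_SECONDS) return 'stale timestamp';
    // hash_equals compares in constant time, so the check leaks no timing hint.
    if (!hash_equals(sign($req, $key), $req['signature'] ?? '')) return 'bad signature';
    $nonceId = $req['server_id'] . ':' . $req['nonce'];
    if (isset($seenNonces[$nonceId])) return 'replayed nonce';
    $seenNonces[$nonceId] = $now; // a real service would persist and expire these
    return 'ok';
}

$now  = 1363745040; // constructed clock value
$seen = [];
$req  = [
    'server_id' => 'srv-001',
    'timestamp' => (string)$now,
    'nonce'     => bin2hex(random_bytes(8)),
    'body'      => '{"user":"alice","op":"deposit","item_id":264,"count":3}',
];
$req['signature'] = sign($req, $serverKeys['srv-001']);

echo verify($req, $serverKeys, $seen, $now), "\n";    // genuine request
echo verify($req, $serverKeys, $seen, $now), "\n";    // same request sent again

$forged = $req;                                       // body altered without the key
$forged['nonce'] = 'ffff';
$forged['body']  = '{"user":"alice","op":"deposit","item_id":264,"count":64}';
echo verify($forged, $serverKeys, $seen, $now), "\n";
```

The signature protects integrity only: the secret still has to stay unreadable on the in-game host computer, and a validly signed deposit says nothing about how the items were obtained on that server.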
Jan #12
Posted 20 March 2013 - 09:41 AM
Maybe you should first try to make such system work on just one server, but it is a great idea!
For the Deposit/Withdraw machine, you could use the new /testfor command in commandblocks to verify that a person is who he says.
oeed #13
Posted 20 March 2013 - 10:14 AM
You could keep record of every transaction, and make them undoable.
amtra5 #14
Posted 20 March 2013 - 06:18 PM
Hopefully I can post some "framework" code later today
superaxander #15
Posted 20 March 2013 - 07:52 PM
You could still go in creative spawn some items and put them in.
amtra5 #16
Posted 20 March 2013 - 08:36 PM
Added Screenshots :)
amtra5 #17
Posted 20 March 2013 - 09:55 PM
First test build for server on pastebin! Please post improvements for my current code, it would help a lot!
immibis #18
Posted 21 March 2013 - 05:03 PM
You could still go in creative spawn some items and put them in.
Which is why they wouldn't give creative servers an API key, duh.
Mailmanq! #19
Posted 21 March 2013 - 05:29 PM
How will it deal with items that don't exist, like if a server lacks a mod, the player would lose that item but not actually get it, eh, no program can be truly idiot proof. Also a neat feature would be banned items, so if one server has lava buckets banned, you can't get them from another one.

a password
you can also modify the http api to prevent anyone from accessing it

Modify the HTTP API, work around, don't install the HTTP API, also I was stupid and didn't think of a password for a server.
oeed #20
Posted 21 March 2013 - 06:27 PM
Yea, to make this work without failing you'd need to make it very secure and tight.
amtra5 #21
Posted 21 March 2013 - 06:52 PM
How will it deal with items that don't exist, like if a server lacks a mod, the player would lose that item but not actually get it, eh, no program can be truly idiot proof. Also a neat feature would be banned items, so if one server has lava buckets banned, you can't get them from another one.

a password
you can also modify the http api to prevent anyone from accessing it

Modify the HTTP API, work around, don't install the HTTP API, also I was stupid and didn't think of a password for a server.
Hopefully it will store items by Block ID, and also hopefully you can add nicknames
superaxander #22
Posted 21 March 2013 - 07:04 PM
You could still go in creative spawn some items and put them in.
Which is why they wouldn't give creative servers an API key, duh.
But an admin can still change themselves to creative and cheat on another server.
Engineer #23
Posted 22 March 2013 - 11:31 AM
If you really want it to be a secure thing, we (this thread) should make it into the Java. For example you can't simply track down if a player is in creative or not, or somehow you can track items down if it's not cheated in somehow. (with CC)
I have just little experience in Java and I'm not thinking about modding anytime soon, I first want to understand the language properly. I say this because I don't know if MC lets you even track the items.

All this is just concept but will contribute a whole new layer of security. To fit in the style, it should be an add-on to CC, a whole separate mod for this is in my opinion not needed.

Thanks for reading
PixelToast #24
Posted 22 March 2013 - 02:22 PM
  1. protect host computer
  2. do everything over HTTP
  3. if needed, send a rednet message to the host indicating there is an update
  4. make sure users' passwords are SHA-1 and salted
if you follow these you will not need to limit rednet / http in order to have a secure connection
GravityScore #25
Posted 22 March 2013 - 09:25 PM
  1. protect host computer
  2. do everything over HTTP
  3. if needed, send a rednet message to the host indicating there is an update
  4. make sure users' passwords are SHA-1 and salted
if you follow these you will not need to limit rednet / http in order to have a secure connection

SHA-1 is not a secure encryption technology!!! You have no excuse to not encrypt things properly if you're using PHP! It's as simple as going:

$password = "thisisapassword";
$hashed_password = hash("sha512", $password);

SHA-1 has many found collisions, and is easy to crack using simple online crackers, especially if the password is insecure. Please, for the safety of your users, do some research into password encryption and salting, and choose something from the SHA-2 family, such as SHA-512 used above. I even have a pure Lua version of SHA-256 and SHA-244 available!

Then your password is turned into a 512-bit string of pure RANDOMNESS!
theoriginalbit #26
Posted 22 March 2013 - 09:42 PM
Then your password is turned into a 512-character string of pure RANDOMNESS!
SHA-512 doesn't mean it's turned into a string that is 512 characters long. It means that it's 64 characters long… waahhh you might say? 512 bits / 8 bits to the byte = 64 bytes … 1 ASCII character is 1 byte ergo 64 characters long…
GravityScore #27
Posted 23 March 2013 - 12:11 AM
Then your password is turned into a 512-character string of pure RANDOMNESS!
SHA-512 doesn't mean it's turned into a string that is 512 characters long. It means that it's 64 characters long… waahhh you might say? 512 bits / 8 bits to the byte = 64 bytes … 1 ASCII character is 1 byte ergo 64 characters long…

Whoops, missed that! Thanks for pointing it out. I meant to say 512-bit string :P

Wasn't thinking :P
PixelToast #28
Posted 23 March 2013 - 08:38 AM
SHA-1 is not a secure encryption technology!!! You have no excuse to not encrypt things properly if you're using PHP! It's as simple as going:

are you kidding me?
do you really think anyone will compromise a silly minecraft mysql database?
and it will be salted -_- meaning you won't be able to use rainbow tables, you will have to do a brute force which takes ages, also can't just look it up like normal SHA1

all this takes WAAAY too much effort for something you can reverse easily
GravityScore #29
Posted 23 March 2013 - 12:53 PM
SHA-1 is not a secure encryption technology!!! You have no excuse to not encrypt things properly if you're using PHP! It's as simple as going:

all this takes WAAAY too much effort for something you can reverse easily

Someone did compromise a Minecraft SQL database, remember the NDFJay incident? He may have been using MD5, but SHA-1 isn't that much better.

As for difficulty, you type 2 more letters in PHP…. It's the difference between hash("sha1", $password) and hash("sha512", $password).

And…. No. It is not easily reversible.
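Both SHA-1 and SHA-512 are fast general-purpose hashes, so for stored passwords the usual choice is a salted, deliberately slow function such as bcrypt via PHP's password_hash(). The added example below (not code from the thread) verifies a legacy salted SHA-1 record and upgrades it at login; the record format `sha1$<salt>$<hex>` and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. The record format "sha1$<salt>$<hex>"
// and the sample user are constructed for illustration.

/** Legacy scheme discussed in the thread: one fast SHA-1 pass over salt . password. */
function legacyHash(string $password, string $salt): string {
    return 'sha1$' . $salt . '$' . sha1($salt . $password);
}

/** Salted, deliberately slow hash; bcrypt embeds its own random salt and cost. */
function modernHash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Checks a login and returns [accepted, record to store].
 * A legacy record that verifies is replaced with a bcrypt record on the spot,
 * so old hashes disappear from the table as users log in.
 */
function login(string $password, string $stored): array {
    if (strncmp($stored, 'sha1$', 5) === 0) {
        $salt = explode('$', $stored, 3)[1] ?? '';
        $ok = hash_equals($stored, legacyHash($password, $salt));
        return [$ok, $ok ? modernHash($password) : $stored];
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $stored = modernHash($password); // cost was raised since this record was written
    }
    return [$ok, $stored];
}

// Constructed user row using the legacy scheme.
$record = legacyHash('thisisapassword', bin2hex(random_bytes(8)));

[$ok, $record] = login('thisisapassword', $record);
var_dump($ok, strncmp($record, '$2y$', 4) === 0); // legacy login, then whether the row is now bcrypt

[$ok, $record] = login('thisisapassword', $record);
var_dump($ok);                                    // login against the upgraded record

[$ok] = login('wrong-guess', $record);
var_dump($ok);                                    // wrong password
```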
amtra5 #30
Posted 23 March 2013 - 10:25 PM
You guys think that the amount of code I posted is enough to get this thread moved to programs? If so how (this is one of my first threads on the forums).

Edit: Never mind