Autologin (or Remember me)

[rifleh700]

Is your feature request related to a problem? Please describe.

• We can't implement fully secure "Remember me" feature and save default /login command at same time.
• We have only one way to implement secure "Remember me" - it's to use passwordHash(pass) as account password (https://wiki.multitheftauto.com/wiki/PasswordHash - look example)

Alternative way is to save encoded user pass on his pc, which is not secure

Describe the solution you'd like

Add logIn function without password with disabled ACL right by default

• good for custom "Remember me" implementations (everyone can implement his own custom "Remember me" feature (OTP, Access tokens, etc))
• simple

Describe alternatives you've considered

new functions generateAccountAccessToken and logInByAccessToken

• not so simple
• only one implementation

Additional context

No response

Security Policy

• I have read and understood the Security Policy and this issue is not about a cheat or security vulnerability.

[DmitriyColeman]

This can be implemented on the scripting side - a general implementation would be a huge security risk.

[rifleh700]

This can be implemented on the scripting side - a general implementation would be a huge security risk.

Only one right way is to use passwordHash as account password but this means user cannot use /login command anymore. And this means we hash password twice (default MTA sha256 hash + bcrypt script hash)

[Fernando-A-Rocha]

This can be implemented on the scripting side - a general implementation would be a huge security risk.

This can be implemented without impacting security.

MTA can save the password encrypted for /login on the client's PC cache, like your web browser does for the remember me functionality...

[dsFejerA]

In my opinion, the most appropriate solution would be a token based “remember me” system instead of storing or reusing the actual password.

When the user enables “remember me”, the server should generate a secure hash/token (for example, a random, time limited id linked to the account) and send it to the client. The client stores this token locally, and on the next login, it auths using this token instead of the password.

At the same time, this can already be achieved in Lua, so I don’t think backend changes are strictly necessary

[rifleh700]

At the same time, this can already be achieved in Lua

This can't be achieved in Lua with default account system since we have only logIn(name, pass) function, which means we must to know original password

[dsFejerA]

At the same time, this can already be achieved in Lua

This can't be achieved in Lua with default account system since we have only logIn(name, pass) function, which means we must to know original password

Thats true, but it doesnt mean that a password/hash cannot be stored securely on the client.
Also, yes, the logIn function could be extended to accept the result of passwordHash as well.

[Rilot06]

MTA can save the password encrypted for /login on the client's PC cache, like your web browser does for the remember me functionality...

Your web browser definitely doesn't save your password on your pc, neither encrypted or unencrypted. You get a session token or a jwt and that's what's being saved

[Fernando-A-Rocha]

MTA can save the password encrypted for /login on the client's PC cache, like your web browser does for the remember me functionality...

Your web browser definitely doesn't save your password on your pc, neither encrypted or unencrypted. You get a session token or a jwt and that's what's being saved

This is wrong.
Browser saves passwords locally.
https://support.mozilla.org/en-US/kb/how-firefox-securely-saves-passwords

[Rilot06]

This is wrong. Browser saves passwords locally. https://support.mozilla.org/en-US/kb/how-firefox-securely-saves-passwords

That's a password manager feature. Completely different than saving a password for a remember me/auto-login would be.

[Fernando-A-Rocha]

This is wrong. Browser saves passwords locally. https://support.mozilla.org/en-US/kb/how-firefox-securely-saves-passwords

That's a password manager feature. Completely different than saving a password for a remember me/auto-login would be.

No it's not completely different. My point exactly, MTA client can have a password manager per server (like it does per server resource cache) and save passwords like a browser for remembering.

[Lpsd]

I doubt we will implement such password manager in MTA. A token based remember functionality is viable, if backed by a verification marker stored on the client's machine; backing by serial alone is not enough.