Login+ is a modern authentication plugin for offline-mode servers — passwords, sessions, free 2FA and full account protection in one jar for Spigot/Paper 1.8.8 → 1.21+.

Written in Kotlin, runs fully server side, so every client and every client version is supported. No mods, no datapacks, no paid services — drop the jar in, restart, done.

✨ Features

• Argon2id password hashing — the strongest password protection available today, with OWASP-baseline defaults you can raise in the config
• ⏱️ Sessions — reconnect within 15 minutes (configurable) from the same IP and skip the login. Survives server restarts
• Free 2FA — three flavours:
  • Google Authenticator (TOTP) — works 100% offline, the QR code is rendered on an in-game map item for easy scanning
  • Discord — your own bot DMs the login code
  • Telegram — your own bot sends the login code
• Security alerts — players with Discord/Telegram linked get warned about new-IP logins, brute-force attempts and password changes — even while offline
• Console password shield — /login and /register are intercepted so passwords never appear in the console or log files
• Full freeze before login — no moving, chatting, commands, damage, inventory or item pickup; optional blindness and spawn teleport that hides base coordinates from stream snipers
• Anti-bot & brute-force protection — per-player attempt limits, per-IP lockouts, join-flood lockdown, username regex filter, per-IP account limits
• Anti-impersonation — kicks "NoTcH" if the account was registered as "Notch", blocks duplicate names, optional UUID checks
• Premium mode — /premium lets verified Mojang accounts skip the password (only when the connection can actually be verified — Login+ never pretends)
• E-mail recovery — forgot the password? A one-time code is mailed via your own SMTP mailbox. 2FA still applies after recovery
• Country filter — whitelist or blacklist joins by country
• Proxy ready — works behind Velocity, BungeeCord and Waterfall; with shared MySQL, sessions carry across backend servers (no re-login when switching). Login+ checks your forwarding setup on startup and prints hints
• Sound feedback — level-up chime on success, buzzer on wrong password (cross-version safe)
• ️ SQLite out of the box, MySQL for networks — with automatic scheduled backups
• Fully translatable — clean English and Russian message files included

⚙️ Commands & Permissions

• /register <pass> <pass> — create an account — loginplus.player.register
• /login <pass> (alias /l) — log in — loginplus.player.login
• /logout — log out and lock the account — loginplus.player.logout
• /changepassword <old> <new> — change password — loginplus.player.changepassword
• /unregister <pass> — delete own account — loginplus.player.unregister
• /2fa setup <totp|discord|telegram> — enable two-factor auth — loginplus.player.2fa
• /2fa <code> — enter the code during login — loginplus.player.2fa
• /email set <address> — bind a recovery e-mail — loginplus.player.email
• /email recovery — recover a forgotten password — loginplus.player.email
• /premium / /freemium — toggle Mojang auto-login — loginplus.player.premium
• /loginplus <reload|forcelogin|unregister|info> — admin commands — loginplus.admin

All player permissions default to true; admin commands default to OP.

Quick Start

1. Drop the jar into /plugins and restart the server.
2. Players run /register <password> <password>, then /login <password> next time.
3. (Optional) Enable free 2FA, e-mail recovery and more in config.yml — every option is documented right in the file.

Setting up the 2FA bots (both 100% free)

• Telegram: message @BotFather → /newbot → copy the token into config.yml. Players run /2fa setup telegram.
• Discord: discord.com/developers/applications → New Application → Bot → copy the token into config.yml. Players run /2fa setup discord <their user ID>.
• Google Authenticator: nothing to set up — players just run /2fa setup totp and scan the QR map. Works offline.

Running behind Velocity / BungeeCord / Waterfall
Login+ runs on your backend (Spigot/Paper) servers and fully supports proxy networks:

1. Enable IP forwarding on both sides (proxy and backend).
2. For multi-server networks set storage.type: MYSQL and point every backend at the same database — players switching servers stay logged in seamlessly.
3. Firewall the backend ports so players can only connect through the proxy.

Login+ verifies the forwarding configuration on startup and prints console hints if something looks wrong.

Some Advice

• Login+ is designed for offline-mode (cracked) servers — pure premium servers don't need a login plugin.
• Avoid /reload; restart the server instead.
• Honest security note: /premium only activates when Mojang really verified the connection (online-mode server or online-mode proxy with modern forwarding). On a plain offline-mode server there is nothing to verify, so it politely refuses instead of pretending to be secure.