Minetest Forums

[BuckarooBanzay]

Mail/webmail

This is a fork of cheapies mail mod

It adds a mail-system that allows players to send each other messages in-game and via webmail (optional)

Previous work
Based on the works, from https://forum.minetest.net/viewtopic.php?t=14464

Downloads:
Source: https://github.com/thomasrudin-mt/mail

Installation
See: https://github.com/thomasrudin-mt/mail/blob/master/README.md#installation


Features

• In-game mail
• Webmail with nodejs application

Demo
The mod is in use at the pandorabox server and ingame mails can be accessed via:
https://pandorabox.io/webmail/

Roadmap

• Better ingame notification (https://github.com/thomasrudin-mt/mail/issues/5)
• Enhance webmail component (https://github.com/thomasrudin-mt/mail/issues/11)
• Add webpush notification (https://github.com/thomasrudin-mt/mail/issues/6)
• Allow sending attachments/items (https://github.com/thomasrudin-mt/mail/issues/2)
• Federation, allow messages across servers, including attachments (https://github.com/thomasrudin-mt/mail/issues/10)

Dependencies
default

Thanks to

• cheapie (initial project)
• rubenwardy (ui fixes, improvements)

Screenshots:

Ingame:


Webmail:



License

Code: WTFPL unless otherwise noted in LICENSE

[runs]

Cool

[rubenwardy]

It's annoying how the buttons are cut off, and that they appear when nothing is selected. The X button is also nonstandard

[Krock]

It's annoying how the buttons are cut off, and that they appear when nothing is selected. The X button is also nonstandard

From how the formspec is designed, it's very likely that cheapie's layout was not changed at all (a mod repost, kinda). I'd also like to see these buttons to be wider - maybe move them to the bottom of the list for more horizontal space?

[Pyrollo]

It's annoying how the buttons are cut off, and that they appear when nothing is selected. The X button is also nonstandard

From how the formspec is designed, it's very likely that cheapie's layout was not changed at all (a mod repost, kinda). I'd also like to see these buttons to be wider - maybe move them to the bottom of the list for more horizontal space?

Or use icons and tooltips

[GamingAssociation39]

^like the laptop mods email app has???

[BuckarooBanzay]

It's annoying how the buttons are cut off, and that they appear when nothing is selected. The X button is also nonstandard

From how the formspec is designed, it's very likely that cheapie's layout was not changed at all (a mod repost, kinda). I'd also like to see these buttons to be wider - maybe move them to the bottom of the list for more horizontal space?

Yeah, i forked cheapies repo and changed some code behind the curtains (UI) to get the webmail interface working.
The ui enhancements are still on my list of items to do.

My future plans include:

• UI enhancements (minetest)
• UI enhancements (web)
• Attachment support (send items with mail) https://github.com/thomasrudin-mt/mail/issues/2
• Better scaling storage https://github.com/thomasrudin-mt/mail/issues/4
• Web-Push messages https://github.com/thomasrudin-mt/mail/issues/6

[bosapara]

How to use it for Windows?

[BuckarooBanzay]

How to use it for Windows?

I don't know yet how to deal properly with those exotic/non-standard platforms.
The installation requirements should be the same with windows, only node and npm at the moment.
See: https://github.com/thomasrudin-mt/mail/ ... stallation

Download nodejs from https://nodejs.org/en/download/ and npm should be bundled with it...

[BuckarooBanzay]

Progress update 2019-01-15

Thanks to rubenwardy for his ui and lua enhancements.
The formspec looks more pleasing now (as good as formspecs go anyway:)

I added a few points to the roadmap, where i want this project to go in the next few months:

Roadmap

• Better ingame notification (https://github.com/thomasrudin-mt/mail/issues/5)
• Enhance webmail component (https://github.com/thomasrudin-mt/mail/issues/11)
• Add webpush notification (https://github.com/thomasrudin-mt/mail/issues/6)
• Allow sending attachments/items (https://github.com/thomasrudin-mt/mail/issues/2)
• Federation, allow messages across servers, including attachments (https://github.com/thomasrudin-mt/mail/issues/10)

[rubenwardy]

Some images:

[wziard]

Is it possible to set it up in a way that all players can email the server admin (and vice versa), but not each other?

[rubenwardy]

Is it possible to set it up in a way that all players can email the server admin (and vice versa), but not each other?

This is certainly possible by modifying the mod, or by creating another mod, but there's no setting for this yet.

Here's a quick mod to make a priv for it:

Code: Select all

minetest.register_privilege("mail")

local old = mail.send
mail.send = function(src, dst, subject, body)
    if not minetest.check_player_privs(dst, { kick = true }) and
            not minetest.check_player_privs(src, { mail = true }) then
        minetest.chat_send_player(src, "You are only allowed to mail moderators! Missing priv: mail")
        return false
    end

    return old(src, dst, subject, body)
end


[wziard]

Thanks. That's helpful.

[sorcerykid]

Question:

How secure is the Webmail login? It would appear that the password is transmitted to the server in plain text and could be intercepted over the network (on HTTP connections) or viewed by the server operator. Many players probably use the same password across multiple servers or even on this forum. That would require a remarkable degree of trust. Is there perhaps some safeguard that I've overlooked?

[rubenwardy]

Question:

How secure is the Webmail login? It would appear that the password is transmitted to the server in plain text and could be intercepted over the network (on HTTP connections) or viewed by the server operator. Many players probably use the same password across multiple servers or even on this forum. That would require a remarkable degree of trust. Is there perhaps some safeguard that I've overlooked?

This is fine if both the webmail and the Minetest server are on the same host. In fact, most websites are implemented this way - it's called SSL termination, when HTTPS is only used between the client and the reverse proxy, and HTTP is used between the reverse proxy and the service

[BuckarooBanzay]

Hmm, now that i think of it:

The passwords are pretty good stored on the minetest side (the server operator can't read them)
With the webmail bridge there is now a way to intercept them as an operator and exploit the reuse on other servers :(

The best way to prevent that would be to use the SRP (https://en.wikipedia.org/wiki/Secure_Re ... d_protocol) directly on the webmail side...
I opened an issue but don't really know how complex that will be: https://github.com/thomasrudin-mt/mail/issues/15

[sorcerykid]

This is fine if both the webmail and the Minetest server are on the same host. In fact, most websites are implemented this way - it's called SSL termination, when HTTPS is only used between the client and the reverse proxy, and HTTP is used between the reverse proxy and the service

Thanks for the insight. But I'm not sure if that addresses my concern. Minetest hashes passwords using SRP before transmitting them from the client to the server. So the password is never readable by anybody, even the sever operator, at any point prior to authentication.

In the Webmail scenario, however. the password is transmitted to a Web server in plain text and can be inspected by anybody along the way, and is never at any point hashed up until the authentication stage. There is nothing to stop someone from using this system as a front to steal people's passwords.

[BuckarooBanzay]

This is fine if both the webmail and the Minetest server are on the same host. In fact, most websites are implemented this way - it's called SSL termination, when HTTPS is only used between the client and the reverse proxy, and HTTP is used between the reverse proxy and the service

Thanks for the insight. But I'm not sure if that addresses my concern. Minetest hashes passwords using SRP before transmitting them from the client to the server. So the password is never readable by anybody, even the sever operator, at any point prior to authentication.

In the Webmail scenario, however. the password is transmitted to a Web server in plain text and can be inspected by anybody along the way, and is never at any point hashed up until the authentication stage. There is nothing to stop someone from using this system as a front to steal people's passwords.

Hey sorcerykid

I thought about that issue but with every solution that i came up you have the same issue:
As a server operator you can possibly put up a fake website and collect the passwords there

You have the same problems with your bank or insurance provider, they could put up a fake website under their name and collect your password/credentials (there may be easier ways for them though :D)
Of course you can hack some encryption magic on the js-frontend but the issue is the same in the end...

The only options you have are:

• Use other passwords on every server (not very practical)
• Trust your server operator
• Don't use the webmail interface :P

Some security basics if you use the webmail interface:

• Check if it is reachable with a secure line (https)
• Double-check your URL
• Try to enter a fake password first (pretty paranoid but who knows...)

[sorcerykid]

Thanks for checking into it. Keep in mind I don't think that a Web analogy really applies here, since authentication for Web-based applications are going to always be inherently less secure (in that passwords are not required to be hashed prior to transmission). So if a user logs into chase.com, for example, they acknowledge that JPMorgan Chase will have access to their plain text password.

The Minetest security model, however, by design requires passwords to be SRP hashed by the client, adding an extra layer of protection against data breaches in transit. However, a login over HTTP or HTTPS bypasses that security measure by inserting a "middle man" (i.e. the CGI script to Minetest gateway, where the password is still exposed). I think a more secure solution would be to have users set a different password, or better yet a PIN, in-game exclusively for use with the Web login. Just a thought!

[matawata]

somebody unban me i was wallhacking i glitched through, this is a false ban please help