Player Analytics, Sponge/Bukkit/Bungee/Velocity support



AuroraLS3 released this version on Apr 18, 2020

16.0 MB

5.1 build 505

This update fixes some corner case bugs and a security vulnerability in the password brute-force protection. More details below.

Change log

Data gathering

  • Fixed lag on some operating systems when gathering CPU load during high CPU activity by moving CPU, RAM and Disk Space gathering to a non-server thread.


  • Fixed an issue when Authorization header was used for reverse-proxy (for basic authentication) with Plan authentication disabled. There was a code path that ran anyway due to an attempt to get the Plan user from the header that caused the header to count as a login attempt, leading to an eventual 403. Now that code path is sorted to not run if authentication is disabled.
  • Fixed an issue where failed login attempts were incorrectly counted, leading to a 403 error appearing on the main page after one failed login followed by a successful login.
  • Cleaned up the error page for blocked access 403 when css resources are also blocked (due to 3 failed attempts).

Fixed Security Vulnerability #1402 in password brute-force protection

  • Plan prevents login attempts for two minutes after failed 3 failed logins in order to make brute-forcing passwords more difficult. An oversight in how the failed login attempts were counted reset the counter after a successful response (HTTP 200 OK) was sent by Plan. Because .css files do not require authentication, bad actor could have automated their code to make a request for a .css file every 2 attempts. Fixed by properly detecting a successful login instead of using http status codes.


  • Fixed ‘Czechia’ not being counted on the map due to missing ISO code.

Plan recently reached over 200 stars on Github!
If you have a bug, don’t hesitate to report it over here: - Thanks!